1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

74593 Commits

Author SHA1 Message Date
Daan De Meyer
039af94fb5 test: Rename INTERACTIVE_DEBUG to TEST_SHELL
(cherry picked from commit 33f400a9e0)
2024-08-15 14:04:41 +01:00
Daan De Meyer
52897cf6a4 docs: Update upgrade commands in HACKING.md
- Add the required options to make the package managers non interactive
- Use apt-get instead of apt
- Remove --reinstall from apt-get command so we only install newer packages
- Add --needed to pacman command so we only install newer packages

(cherry picked from commit 5f5b6fa901)
2024-08-15 14:04:41 +01:00
Daan De Meyer
ea52a7cdc4 mkosi: Drop locale tmpfiles snippet
Not required anymore as we don't do /usr only anymore and the symlink
will be created by the debian systemd package.

(cherry picked from commit 63bafef12b)
2024-08-15 14:04:41 +01:00
Yu Watanabe
c0d45f8ec6 journal: set flushed flag even if we fail to open runtime journals
As at this stage, a persistent journal file has been already opened, and
saved seqnum has been reset, and any later journal entries will be stored
to the file. Hence we should not open the runtime journal file by
server_system_journal_open() again.

(cherry picked from commit b55027efe4)
2024-08-15 14:04:41 +01:00
Yu Watanabe
8d5806b1e2 journal: comment the default value in journald.conf
(cherry picked from commit 0d113f8e70)
2024-08-15 14:04:41 +01:00
Yu Watanabe
837c219e2d journal: do not rotate journal when MaxRetentionSec= is set
The setting is about vacuuming archived journal files. It is not
necessary to rotate the current journal. Note, journal file rotation is
controlled by MaxFileSec=.

Fixes #31315.

(cherry picked from commit b63c18db03)
2024-08-15 14:04:41 +01:00
Yu Watanabe
0195db6e91 resolve: refuse invalid service without type field
Fixes Fixes #33935.

(cherry picked from commit b48ab08732)
2024-08-15 14:04:41 +01:00
Yu Watanabe
90b1b2a500 systemctl: refuse --capsule=foo with --system
Fixes the following assertion:
===
systemctl --capsule=hoge --system reboot
Assertion 'runtime_scope == RUNTIME_SCOPE_USER' failed at src/shared/bus-util.c:479, function bus_connect_transport(). Aborting.
Aborted (core dumped)
===

Follow-up for 56cb74c3cd.

(cherry picked from commit bcf982223c)
2024-08-15 14:04:41 +01:00
Luca Boccassi
38caeac768 base-filesystem: do not attempt to create a /lib64 -> /usr/lib/<tuple> symlink
In multi-arch distributions (debian and derivatives) multiarch tuples under
/usr/lib are used, such as /usr/lib/x86_64-linux-gnu/ but the /lib64 symlink
should never point there, it should always point to /usr/lib64, as that's
how they are set up by distribution-specific tools.

https://packages.debian.org/bookworm/amd64/libc6-i386/filelist
https://packages.debian.org/bookworm/mipsel/libc6-mips64/filelist
https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L295
https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L517
http://bugs.debian.org/1076491

Fixes https://github.com/systemd/systemd/issues/33919

(cherry picked from commit b75c13731e)
2024-08-15 14:04:41 +01:00
Daan De Meyer
2925fc2c6f meson: Use -fstrict-flex-arrays=3
Let's explicitly pass the value to -fstrict-flex-arrays. This does
not change behavior but it does (selfishly) make my error not bug
out with an error saying -fstrict-flex-arrays does not exist.

(cherry picked from commit ad723ca3e5)
2024-08-15 14:04:41 +01:00
Mike Yuan
c3ede0cfe7 core/execute-serialize: use serialize_item_escaped() for external paths
Otherwise, read_stripped_line() would spuriously drop trailing spaces.

Fixes #33924

(cherry picked from commit 9be46b1da8)
2024-08-15 14:04:41 +01:00
Mike Yuan
8beae81123 core/execute-serialize: drop extraneous '=' in ip-{in,e}gress serialization
(cherry picked from commit f0fdd13c2f)
2024-08-15 14:04:41 +01:00
Yu Watanabe
ce940b62ac man/net-naming-scheme: mention that NAMING_BRIDGE_MULTIFUNCTION_SLOT is reverted
Follow-up for af7417ac7b.
Closes #33596.

(cherry picked from commit 1c0130e8dc)
2024-08-15 14:04:41 +01:00
Yu Watanabe
ab4e1faca6 man: extend explanation for ConfigureWithoutCarrier= in systemd.network(5)
Prompted by #33702.

(cherry picked from commit 347c8822d1)
2024-08-15 14:04:41 +01:00
Daniel P. Berrangé
037510812f man/systemd-detect-virt: list known CVM technologies
Add a section which lists the known confidential virtual machine
technologies.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a8fb5d21fd)
2024-08-15 14:04:41 +01:00
Daniel P. Berrangé
7a6d4cdc48 confidential-virt: add detection for s390x target
The s390x platform provides confidential VMs using the "Secure Execution"
technology, which is also referred to as "Protected Virtualization" or
just "prot virt" in Linux / QEMU.

This can be detected through a simple sysfs attribute.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6c35e0a51c)
2024-08-15 14:04:41 +01:00
Daniel P. Berrangé
a1359ac940 confidential-virt: split caching of CVM detection into separate method
We have different impls of detect_confidential_virtualization per
architecture. The detection is cached in the x86_64 impl, and as we
add support for more targets, we want to use caching for all. It thus
makes sense to split caching out into an architecture independent
method.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c4bd7adcc)
2024-08-15 14:04:41 +01:00
Frantisek Sumsal
86d89f4a10 test: don't use /skipped for subtests
Since, at least the old framework, checks for the presence of the file
at the end and marks the whole test as skipped if it exists.

Resolves: systemd/systemd-centos-ci#728
(cherry picked from commit 4d1fbe53c1)
2024-08-15 14:04:41 +01:00
Ronan Pigott
f5376fea7d resolved: don't treat conn reset as packet loss
tcp reset / icmp port-unreachable are markedly different conditions than
packet loss. It doesn't make much sense to retry in this case. It's
actually not clear if there is any benefit at all retrying tcp
connections, which were presumably already retried as necessary by the
tcp stack.

(cherry picked from commit ddd710a355)
2024-08-15 14:04:41 +01:00
Yu Watanabe
11c15905cd import: check overflow
Fixes CID#1548022 and CID#1548075.

(cherry picked from commit f7012a93a7)
2024-08-15 14:04:41 +01:00
Frantisek Sumsal
2e2371c5b5 test: attempt to install sshd-session from multiple places
On Fedora the sshd-session binary is under /usr/libexec/openssh/ so
cover this path as well in the old framework.

Follow-up for aaa7b36bd1.

(cherry picked from commit ce2344bbee)
2024-08-15 14:04:41 +01:00
Daan De Meyer
913ef12103 mkosi: Beef up testuser a bit
Give it a password and add it to some common groups.

(cherry picked from commit 3fe25d4530)
2024-08-15 14:04:41 +01:00
Michal Sekletar
1a3d8368bc socket: fix socket activation of stopped services with pinned FD store
(cherry picked from commit 941a12dcba)
2024-08-15 14:04:41 +01:00
Daan De Meyer
091c4820c4 exec-credential: Skip duplicate credentials in load_credential_glob()
We document that when multiple credentials of the same name are found,
we use the first one found so let's actually implement that behavior.

(cherry picked from commit 3de13e6148)
2024-08-15 14:04:41 +01:00
Daan De Meyer
ee85ef4ffa exec-credential: Log if we skip duplicate credential
(cherry picked from commit 590348e2bf)
2024-08-15 14:04:41 +01:00
Daan De Meyer
181ee8b30d Drop EEXIST handling in load_credential_glob()
Credentials are written to a temporary file and renamed to the
destination with renameat() which will replace existing files so
EEXIST should not happen so drop the handling for EEXIST.

(cherry picked from commit 2c2ed3272b)
2024-08-15 14:04:41 +01:00
Daan De Meyer
f1d4e79eff cgroup-util: Don't try to open pidfd for kernel threads
The kernel might start returning -EINVAL when trying to open pidfd's
for kernel threads so let's not try to open pidfd's for kernel threads.

(cherry picked from commit ead48ec35c)
2024-08-15 14:04:41 +01:00
Daan De Meyer
f2edebce25 log: Fix size calculation for number of iovecs
Each log context field can expand to up to three iovecs (key, value
and newline) so let's fix the size calculation to take this into
account.

(cherry picked from commit fc83ff3f55)
2024-08-15 14:04:41 +01:00
Daan De Meyer
4fd349953e execute: Drop log level to unit log level in exec_spawn()
All messages logged from exec_spawn() are attributed to the unit
and as such we should set the log level to the unit's max log level
for the duration of the function.

(cherry picked from commit 7881f485c9)
2024-08-15 14:04:41 +01:00
Dan Nicholson
b5448c16f8 firstboot: fix root params with creds and prompting disabled
Remove an early return that prevents --prompt-root-password or
--prompt-root-shell and systemd.firstboot=off using credentials. In that case,
arg_prompt_root_password and arg_prompt_root_shell will be false, but the
prompt helpers still need to be called to read the credentials. Furthermore, if
only the root shell has been set, don't overwrite the root password.

(cherry picked from commit 35bc4c3424)
2024-08-15 14:04:41 +01:00
Dan Nicholson
847dd914d0 firstboot: handle missing root password entries
If /etc/passwd and/or /etc/shadow exist but don't have an existing root entry,
one needs to be added. Previously this only worked if the files didn't exist.

(cherry picked from commit 2319154a6b)
2024-08-15 14:04:41 +01:00
Yu Watanabe
cab78ad49f man: suggest to enable global IPv6Forwarding= setting to make IPv6 packets forwarded
Closes #33414.

(cherry picked from commit 175cdefd33)
2024-08-15 14:04:41 +01:00
Dan Nicholson
21d270d38f firstboot: create locked and empty root passwords consistently
Although locked and empty passwords in /etc/passwd are treated the same, in all
other cases the entry is configured to read the password from /etc/shadow.

(cherry picked from commit 5088de9daa)
2024-08-15 14:04:41 +01:00
Dan Nicholson
fdf270a89e test: extend firstboot testing
Several features were not being tested or weren't being evaluated thoroughly.

(cherry picked from commit 38688bbc8f)
2024-08-15 14:04:41 +01:00
Yu Watanabe
166b704a41 network: mention that IPv4 ACD is enabled by default for 169.254.0.0/16
Prompted by #33824.

(cherry picked from commit dd87ad8e19)
2024-08-15 14:04:40 +01:00
Yu Watanabe
ad861b6ae6 network: request non-NULL SSID when a wlan interface is configured as station
To avoid conflicts with user .network file for the wlan interface with Bond=.
See https://github.com/systemd/systemd/issues/19832#issuecomment-857661200.

(cherry picked from commit e2becab085)
2024-08-15 14:04:40 +01:00
Luca Boccassi
c12c122e2a efi: fix link to legacy EFI handover protocol
(cherry picked from commit 4d6ab7e844)
2024-08-15 14:04:40 +01:00
Luca Boccassi
84111f8916 stub: allocate and zero enough space in legacy x86 handover protocol
A PE image's memory footprint might be larger than its file size due
to uninitialized memory sections. Normally all PE headers should be
parsed to check the actual required size, but the legacy EFI handover
protocol is only used for x86 Linux bzImages, so we know only the last
section will require extra memory. Use SizeOfImage from the PE header
and if it is larger than the file size, allocate and zero extra memory
before using it.

Fixes https://github.com/systemd/systemd/issues/33816

(cherry picked from commit 19812661f1)
2024-08-15 14:04:40 +01:00
Yu Watanabe
0d98178abb network: call link_handle_bound_by_list() before trying to reconfigure interface
Otherwise, when an interface gained its carrier, the interface may not
have matching .network file yet, then link_reconfigure_impl() returns
zero, and link_handle_bound_by_list() is skipped.

Fixes #33837.

(cherry picked from commit 36b8ad085c)
2024-08-15 14:04:40 +01:00
Ivan Shapovalov
1cdeda986a Revert "network/ndisc: ignore most fields of RA header when lifetime is zero"
This reverts commit ffef01acdd.

Similar to 2d393b1b6d ("network: IPv6 Compliance: Router Advertisement
Processing, Reachable Time [v6LC.2.2.15]"),

Extract from: https://www.ietf.org/rfc/rfc4861.html#section-4.2, p.21,
first paragraph:

    The Router Lifetime applies only to
    the router's usefulness as a default router; it
    does not apply to information contained in other
    message fields or options.

So it does not make sense to prevent DHCPv6 when Router Lifetime is 0.

Fixes #33357.

(cherry picked from commit 7767896d12)
2024-08-15 14:04:40 +01:00
Daniel P. Berrangé
812fc38b91 Fix detection of TDX confidential VM on Azure platform
The original CVM detection logic for TDX assumes that the guest can see
the standard TDX CPUID leaf. This was true in Azure when this code was
originally written, however, current Azure now blocks that leaf in the
paravisor. Instead it is required to use the same Azure specific CPUID
leaf that is used for SEV-SNP detection, which reports the VM isolation
type.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 9d7be044ca)
2024-08-15 14:04:40 +01:00
Yu Watanabe
9468a6ea47 network: do not bring down bound interfaces immediately
Even if a timespan specified to IgnoreCarrierLoss= for an interface,
when the carrier of the interface lost, bound interfaces might be bring
down immediately.

Let's also postpone bringing down bound interfaces with the specified
timespan.

(cherry picked from commit e8eaed0240)
2024-08-15 13:08:37 +01:00
Arian van Putten
f23fe35c9f document how TimeoutStartSec= affects notify-reload (#33653)
* document how TimeoutStartSec=  affects notify-reload

(cherry picked from commit a55d1b29a4)
2024-08-15 13:08:37 +01:00
Yu Watanabe
233ae5056f nspawn: remove macvlan interfaces before network namespace died
This is similar to what we do for veth interfaces in remove_veth_links().

When a container rebooted, macvlan interfaces created by the previous
boot may still exist in the kernel, and that causes -EADDRINUSE after
reboot.

Hopefully fixes #680.

(cherry picked from commit 1bfa47418e)
2024-08-15 13:08:37 +01:00
Daan De Meyer
3d90344e94 cgroup-util: Ignore kernel threads in cg_kill_items()
Similar to the implementation of cgroup.kill in the kernel, let's
skip kernel threads in cg_kill_items() as trying to kill kernel
threads as an unprivileged process will fail with EPERM and doesn't
do anything when running privileged.

(cherry picked from commit 0fbb569de1)
2024-08-15 13:08:37 +01:00
Daan De Meyer
1cb21b2cb1 kernel-install: Try some more initrd variants in 90-loaderentry.install
On CentOS/Fedora, dracut is configured to write the initrd to
/boot/initramfs-$KERNEL_VERSION...img so let's check for that as well
if no initrds were supplied.

(cherry picked from commit b56920e36c)
2024-08-15 13:08:37 +01:00
Daan De Meyer
c386327fc8 kernel-install: Only read cmdline from /proc/cmdline when not in container
If we're running from within a container, we're very likely not going
to want to use the kernel command line from /proc/cmdline, so let's add
a check to see if we're running from a container to decide whether we'll
use the kernel command line from /proc/cmdline.

(cherry picked from commit 35c01ec59e)
2024-08-15 13:08:37 +01:00
Daan De Meyer
852be5a77f test: Don't mount build sources into image when running non-interactively
(cherry picked from commit 578ee05155)
2024-08-15 13:08:37 +01:00
Nick Cao
31d806d4ed network: Fixup Table when L3MasterDevice is set on routing policy rule
(cherry picked from commit 615af2c77d)
2024-08-15 13:08:37 +01:00
Nick Cao
fb44ee8908 man: network: move note about L3MasterDevice to the correct section
(cherry picked from commit 034b7dfc08)
2024-08-15 13:08:37 +01:00