1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

39406 Commits

Author SHA1 Message Date
Frantisek Sumsal
5a2114b60e test: improve testsuite configuration documentation 2019-03-16 18:59:07 +01:00
Frantisek Sumsal
b43c2c01e9 test: allow overriding of the KVM detection using TEST_NO_KVM
By default the run_qemu() function enables KVM automatically
if it detects the /dev/kvm char device and if the machine is not
already a KVM one. Let's add a TEST_NO_KVM env variable to suppress
this detection.
2019-03-16 18:59:07 +01:00
Frantisek Sumsal
c81a46b904 test: introduce INTERACTIVE_DEBUG
Make the interactive debugging of (particularly QEMU) machines less
painful, by replacing the default vt220 TERM with linux one, and
by not shutting down the machine after running the test itself.
2019-03-16 18:59:01 +01:00
Zbigniew Jędrzejewski-Szmek
bcaabf481d fuzz-calendarspec: actually run the second part of the fuzzer
https://github.com/systemd/systemd/pull/11975#issuecomment-473467475
2019-03-16 18:13:17 +01:00
Frantisek Sumsal
6d67286fc3 test: unify indentation 2019-03-16 15:49:43 +01:00
Lennart Poettering
d449d63a0d
Merge pull request #11975 from keszybz/fuzzer-fixes-n
Fixes for a few fuzzer issues
2019-03-15 17:34:37 +01:00
Lennart Poettering
95658673a0
Merge pull request #12016 from yuwata/fix-two-memleaks-found-by-oss-fuzz
Fix two memleaks found by oss fuzz
2019-03-15 17:33:48 +01:00
Lennart Poettering
4209f6619d
Merge pull request #12015 from keszybz/fix-tests-in-rawhide
Fix compilation and tests in Fedora rawhide
2019-03-15 17:33:20 +01:00
Lennart Poettering
f0e3650de1 man: clarify that /run/media/system/ is where mounts are placed by default
Prompted by the discussions on: https://github.com/systemd/systemd/issues/11982#issuecomment-472781806
2019-03-15 16:37:17 +01:00
Yu Watanabe
50969cff60 network: clear previous assignment
Prompted by oss-fuzz#13719.
2019-03-16 00:12:25 +09:00
Yu Watanabe
c7a67ba5eb fuzz: add testcase for oss-fuzz#13691 2019-03-15 23:54:30 +09:00
Yu Watanabe
1d0c1146ea nspawn: fix memleak
Fixes oss-fuzz#13691.
2019-03-15 23:53:05 +09:00
Yu Watanabe
5ba40bb2cc fuzz: add a testcase for oss-fuzz#13719 2019-03-15 23:47:41 +09:00
Zbigniew Jędrzejewski-Szmek
7acf581a58 Handle or voidify all calls to close_all_fds()
In activate, it is important that we close the fds. In other cases, meh.
2019-03-15 15:46:41 +01:00
Zbigniew Jędrzejewski-Szmek
054d871d41 test-execute: block /sys not /proc
As explained in the previous commit, blocking /proc can cause us
to go into a long loop or fail the test.
2019-03-15 15:46:41 +01:00
Zbigniew Jędrzejewski-Szmek
6a461d1f59 basic/fd-util: refuse "infinite" loop in close_all_fds()
I had a test machine with ulimit -n set to 1073741816 through pam
("session required pam_limits.so set_all", which copies the limits from PID 1,
left over from testing of #10921).

test-execute would "hang" and then fail with a timeout when running
exec-inaccessiblepaths-proc.service. It turns out that the problem was in
close_all_fds(), which would go to the fallback path of doing close()
1073741813 times. Let's just fail if we hit this case. This only matters
for cases where both /proc is inaccessible, and the *soft* limit has been
raised.

  (gdb) bt
  #0  0x00007f7e2e73fdc8 in close () from target:/lib64/libc.so.6
  #1  0x00007f7e2e42cdfd in close_nointr ()
     from target:/home/zbyszek/src/systemd-work3/build-rawhide/src/shared/libsystemd-shared-241.so
  #2  0x00007f7e2e42d525 in close_all_fds ()
     from target:/home/zbyszek/src/systemd-work3/build-rawhide/src/shared/libsystemd-shared-241.so
  #3  0x0000000000426e53 in exec_child ()
  #4  0x0000000000429578 in exec_spawn ()
  #5  0x00000000004ce1ab in service_spawn ()
  #6  0x00000000004cff77 in service_enter_start ()
  #7  0x00000000004d028f in service_enter_start_pre ()
  #8  0x00000000004d16f2 in service_start ()
  #9  0x00000000004568f4 in unit_start ()
  #10 0x0000000000416987 in test ()
  #11 0x0000000000417632 in test_exec_inaccessiblepaths ()
  #12 0x0000000000419362 in run_tests ()
  #13 0x0000000000419632 in main ()
2019-03-15 15:46:41 +01:00
Zbigniew Jędrzejewski-Szmek
9efb96315a test-execute: allow filtering test cases by pattern
When debugging failure in one of the cases, it's annoying to have to wade
through the output from all the other cases. Let's allow picking select
cases.
2019-03-15 15:46:41 +01:00
Zbigniew Jędrzejewski-Szmek
67fb5f338f seccomp: allow shmat to be a separate syscall on architectures which use a multiplexer
After
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0d6040d46817,
those syscalls have their separate numbers and we can block them.
But glibc might still use the old ones. So let's just do a best-effort
block and not assume anything about how effective it is.
2019-03-15 15:46:41 +01:00
Yu Watanabe
5f07d640ca network: clear previous assignment
Fixes oss-fuzz#13719.
2019-03-15 23:44:51 +09:00
Lennart Poettering
a3fc6b55ac nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking
Fixes: #11755
2019-03-15 15:42:21 +01:00
Lennart Poettering
3d6c367510 man: document the various new options nspawn learnt 2019-03-15 15:42:21 +01:00
Lennart Poettering
bd4b15f274 nspawn: use right constant for shifting for uint64_t caps 2019-03-15 15:42:20 +01:00
Lennart Poettering
de40a3037a nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.

Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:

1. Support for "masking" files and directories. This functionatly is now
   also available via the new --inaccesible= cmdline command, and
   Inaccessible= in .nspawn files.

2. Support for mounting arbitrary file systems. (not exposed through
   nspawn cmdline nor .nspawn files, because probably not a good idea)

3. Ability to configure the console settings for a container. This
   functionality is now also available on the nspawn cmdline in the new
   --console= switch (not added to .nspawn for now, as it is something
   specific to the invocation really, not a property of the container)

4. Console width/height configuration. Not exposed through
   .nspawn/cmdline, but this may be controlled through $COLUMNS and
   $LINES like in most other UNIX tools.

5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
   the cmdline, since containers likely have different user tables, and
   the existing --user= switch appears to be the better option)

6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
   OCI)

7. Creation of additional devices nodes in /dev. Most likely not a good
   idea, hence not exposed in .nspawn/cmdline. There's already --bind=
   to achieve the same, which is the better alternative.

8. Explicit syscall filters. This is not a good idea, due to the skewed
   arch support, hence not exposed through .nspawn/cmdline.

9. Configuration of some sysctls on a whitelist. Questionnable, not
   supported in .nspawn/cmdline for now.

10. Configuration of all 5 types of capabilities. Not a useful concept,
    since the kernel will reduce the caps on execve() anyway. Not
    exposed through .nspawn/cmdline as this is not very useful hence.

Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.

Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.

There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2019-03-15 15:41:28 +01:00
Lennart Poettering
5ef4cb7ad0 nspawn: (void)ify more stuff 2019-03-15 15:33:09 +01:00
Lennart Poettering
61b4443361 nspawn: refactor setuid code a bit
Let's separate out the raw uid_t/gid_t handling from the username
handling. This is useful later on.

Also, let's use the right gid_t type for group types wherever
appropriate.
2019-03-15 15:33:09 +01:00
Lennart Poettering
5211445eae capability: let's protect against the kernel eventually doing more than 64 caps
Everyone will be in trouble then (as quite widely caps are store in
64bit fields). But let's protect ourselves at least to the point that we
ignore all higher caps for now.
2019-03-15 15:33:09 +01:00
Lennart Poettering
248dd94171 capability: deal with libcap being older than kernel 2019-03-15 15:33:09 +01:00
Lennart Poettering
c8a79aa812 capability: add a way to get a uint64_t with all caps set 2019-03-15 15:33:09 +01:00
Lennart Poettering
9a2c59119c capability: keep CAP_SETPCAP while dropping bounding caps
The kernel only allows dropping bounding caps as long as we have
CAP_SETPCAP. Hence, let's keep that before dropping the bounding caps,
and afterwards drop them too.
2019-03-15 15:33:09 +01:00
Zbigniew Jędrzejewski-Szmek
e55bdf9b6c seccomp: shm{get,at,dt} now have their own numbers everywhere
E.g. on i686:

(previously)
arch x86: SCMP_SYS(mmap) = 90
arch x86: SCMP_SYS(mmap2) = 192
arch x86: SCMP_SYS(shmat) = -221
arch x86: SCMP_SYS(shmat) = -221
arch x86: SCMP_SYS(shmdt) = -222

(now)
arch x86: SCMP_SYS(mmap) = 90
arch x86: SCMP_SYS(mmap2) = 192
arch x86: SCMP_SYS(shmat) = 397
arch x86: SCMP_SYS(shmat) = 397
arch x86: SCMP_SYS(shmdt) = 398

The relevant commit seems to be
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0d6040d46817.
2019-03-15 15:28:43 +01:00
Zbigniew Jędrzejewski-Szmek
a75fcef8fb shared/bootspec: avoid signed-unsigned comparison
../src/shared/bootspec.c: In function ‘find_sections’:
../src/shared/bootspec.c:425:23: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘int’} and ‘uint32_t’ {aka ‘unsigned int’} [-Wsign-compare]
  425 |                 if (n != size)
      |                       ^~
2019-03-15 15:28:43 +01:00
Lennart Poettering
75910ed9f4
Merge pull request #12012 from keszybz/generator-man-docs
Generator and documentation improvements
2019-03-15 14:45:00 +01:00
Zbigniew Jędrzejewski-Szmek
d323a99001 man: reorder and add examples to systemd-analyze(1)
The number of verbs supported by systemd-analyze has grown quite a bit, and the
man page has become an unreadable wall of text. Let's put each verb in a
separate subsection, grouping similar verbs together, and add a lot of examples
to guide the user.
2019-03-15 13:55:24 +01:00
Zbigniew Jędrzejewski-Szmek
827f62c3f2 man,units: document what user "default.target" is a bit 2019-03-15 13:55:24 +01:00
Yu Watanabe
8cc6727a5a test: add a testcase for device plugged -> dead -> plugged bug 2019-03-15 21:16:58 +09:00
Lennart Poettering
9bbd37845c
Merge pull request #11988 from keszybz/test-binaries-installation
Install more requires binaries for tests
2019-03-15 13:06:11 +01:00
Lennart Poettering
1aac9f5dee
Merge pull request #12009 from mrc0mmand/bump-partition-size-for-TEST-02-CRYPTSETUP
test: fix LUKS2 support
2019-03-15 13:01:24 +01:00
Yu Watanabe
c6e892bc0e core: add Manager::honor_device_enumeration flag
When system manager is started first time or after switching root,
then the udev's device tag data do not exist yet.
So, let's not honor the enumeration results.

Fixes #11997.
2019-03-15 19:47:43 +09:00
Zbigniew Jędrzejewski-Szmek
dea4bef0a2
Merge pull request #11658 from yuwata/systemd-id128
id128: several cleanups
2019-03-15 11:18:28 +01:00
Yu Watanabe
49052946c9 core: use TAKE_PTR() at few more places 2019-03-15 19:01:12 +09:00
Yu Watanabe
87a19bfedc core: use _cleanup_free_ attribute and free_and_replace() macro in method_switch_root() 2019-03-15 18:59:31 +09:00
Yu Watanabe
58a6c57b75 bash-completion: add systemd-id128 support 2019-03-15 18:54:53 +09:00
Yu Watanabe
8efb042e0c sd-id128: split the logic obtaining invocation ID from sd_id128_get_invocation() 2019-03-15 18:53:23 +09:00
Yu Watanabe
9363e2f499 id128: no command accepts additional arguments 2019-03-15 18:53:23 +09:00
Zbigniew Jędrzejewski-Szmek
2fffb93b32 analyze: reword explanation in critical-chain header
Let's try to make it a bit clearer.
2019-03-15 10:17:46 +01:00
Frantisek Sumsal
5b69d297c1 test: use PBKDF2 instead of Argon2 in cryptsetup...
to reduce memory requirements for volume manipulation. Also,
to further improve the test performance, reduce number of PBKDF
iterations to 1000 (allowed minimum).
2019-03-15 10:05:33 +01:00
Zbigniew Jędrzejewski-Szmek
9c5ac5ebba man: tell generator writers to provide authorship and source information
Our generators always put a comment who generated the file, but we didn't
recommend it to others.

Let's also strengthen the advice to use SourcePath=.
2019-03-15 08:19:07 +01:00
Zbigniew Jędrzejewski-Szmek
00068caf36 fstab-generator: do not print double header
$ /run/systemd/generator/dev-mapper-fedora_krowka\x2dswap.swap
  # Automatically generated by systemd-fstab-generator

  # Automatically generated by systemd-fstab-generator

  [Unit]
  ...
2019-03-15 08:04:54 +01:00
Frantisek Sumsal
32983312ed test: bump the second partition size to 50MB
10MB is not enough for a LUKS2 partition.
2019-03-15 06:12:23 +01:00
Zbigniew Jędrzejewski-Szmek
de04bbdce1 tree-wide: spell "lifecycle" without hyphen everywhere
We had 10 instances of unhyphentated spelling, and 4 of the hyphenated one.
Consistency trumps ispell.
2019-03-14 22:47:44 +01:00