IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
have ambient caps: yes
Capabilities:cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Failed to drop auxiliary groups list: Operation not permitted
Failed to change group ID: Operation not permitted
Capabilities:cap_dac_override,cap_net_raw=ep
Capabilities:cap_dac_override=ep
Successfully forked off '(getambient)' as PID 12505.
Skipping PR_SET_MM, as we don't have privileges.
Ambient capability cap_linux_immutable requested but missing from bounding set, suppressing automatically.
Assertion 'x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)' failed at src/test/test-capability.c:273, function test_capability_get_ambient(). Aborting.
(getambient) terminated by signal ABRT.
src/test/test-capability.c:258: Assertion failed: expected "r" to succeed, but got error: Protocol error
Partially fixes#35552
(cherry picked from commit 058a07635f3ff70cc99943dcf4f2a079bc9c28b9)
(cherry picked from commit d80ab6aed678ed89327d86ced9fedd24b5baccd3)
TEST-75-RESOLVED fails on Ubuntu autopkgtest due to this warning from
knot:
notice: config, policy 'auto_rollover_nsec3' depends on default nsec3-salt-length=8, since version 3.5 the default becomes 0
Explicitly set nsec3-salt-length=8 to silence.
(cherry picked from commit 59e5108fb4e61957cb40bb15ac7966d085d13af2)
(cherry picked from commit 1b945fb1a727f85be9230e43d2fdaf78d2567946)
I forgot to do this before tagging. Let's still do this, for two reasons:
- packagers can easily include the patch if they haven't built yet,
- doing the bump reduces the chances of somebody doing an off-by-one bump
for the next release.
This tmpfiles.d wants to write to sysfs, which is read-only in containers,
so systemd-tmpfiles --create fails in TEST-22-TMPFILES when ran in nspawn
if the selinux policy package is instealled. Mask it, as it's not our
config file, we don't need it in the test.
(cherry picked from commit 6fd3496cfd0d28808b5489ee87f826c2130f5f0b)
Add the `arm_fadvise64_64` syscall to the allow_list, in addition
to the existing `fadvise64` and `fadvise64_64` syscalls, as this is
the syscall actually defined for `arm` architecture. Adding it fixes
the syscall being rejected in arm32 containers.
Fixes#35194
(cherry picked from commit 7fd70a532681c0ea4cd6ff04d1a7950dae3efc8c)
We usually want to use "extended booleans" for cases like this, i.e.
that "off", "no" and "0" can be used interchangably for turning
something off.
(cherry picked from commit 62f3e2f84aa3413081fc1c1e1c3074fc9aeedbc9)
Otherwise the root inode will typically have what mkdtemp sets up, which
is something like 0700, which is weird and somewhat broken when trying
to look into containers from unpriv users.
(cherry picked from commit c18a1024643809c8f28799900af4e6202623f934)
When registering we condition this on "arg_register". Let's do the same
when unregistering, otherwise we might end up trying to unregister a
machine we never registered.
(cherry picked from commit 0790f4e45f2f8c094bf929aa1fcaf4c7e9dbb001)
When determining the poll events to wait for we need to take the queue
of pending messages that carry fds into account. Otherwise we might end
up not waking up if such an fd-carrying message is enqueued
asynchronously (i.e. not from a dispatch callback).
(cherry picked from commit 7b4b3a8f7b76f266438fafb225b7980db68a276e)
This page contains many short example codes. I do not think we should
add SPDX-License-Identifier for all codes.
Closes#35356.
(cherry picked from commit 6046cc3660810efcc6fe50b1c850ea642218245b)
This partially reverts the commit 405be62f05d76f1845f347737b5972158c79dd3e
"tree-wide: refuse enumerated device with ID_PROCESSING=1".
Otherwise, when systemd-udev-trigger.service is (re)started just before
daemon-reexec, which can be easily happen on systemd package update, then
udev database files for many devices may have ID_PROCESSING=1 property,
thus devices may not be enumerated on daemon-reexec. That causes many
units especially mount units being deactivated after daemon-reexec.
Fixes#35329.
(cherry picked from commit c4fc22c4defc5983e53f4ce048e15ea7d31e6a75)
Similar to c5ecf0949460dd0bf3211db128a385ce6375252e, but for io event source.
Fixes#35322.
(cherry picked from commit 5b2926d9414f4333153ebe0bf169e1dd76129119)
Otherwise, the ioctl() may fail with EBUSY.
Follow-up for b4b66b26620bfaf5818c95d5cffafd85207694e7.
Hopefully fixes#35243.
(cherry picked from commit b76730f3fe0e824db001b38c8ea848302be786ee)
Those are historical names, but there is nothing wrong with them. The files on
/ (/fastboot, /forcefsck, and /forcequotacheck) are problematic because they
require a modification of the root file system. But the commandline params work
fine. They have the obvious advantage compared to our "modern" option that they
are much easier to type without looking up the spelling in the docs. Undeprecate
them to avoid unnecessary churn.
(cherry picked from commit 5598454a3f8fc13257e0313d999e6ac9684082e1)
Outside of userns the concept makes no sense, there cannot be users
mapped from further outside.
(cherry picked from commit e412fc5e042b8f642bcba42f5c175124583e05ae)
In the --help text we really should use the official spelling, just like
in the man page.
(cherry picked from commit cc6baba7200bd8171b6beff446b4009dad5c4230)
Without this change, the fd is closed twice on failure.
Fixes a bug introduced by dff9808a628c31b7ecb1f1aba8fdc3be06ce8372.
Fixes#35288.
(cherry picked from commit d99198819caeff6f40a0a520364e59b8a0cbaa4f)
"nsenter -a" doesn't migrate the specified process into the target
cgroup (it really should). Thus the cgroup will remain in a cgroup
that is (due to cgroup ns) outside our visibility. The kernel will
report the cgroup path of such cgroups as starting with "/../". Detect
that and print a reasonably error message instead of trying to resolve
that.
(cherry picked from commit f6793bbcf0e3f0a6daa77add96183b88d5ec2117)
Currently, get_fixed_user() employs USER_CREDS_SUPPRESS_PLACEHOLDER,
meaning home path is set to NULL if it's empty or root. However,
the path is also used for applying WorkingDirectory=~, and we'd
spuriously use the invoking user's home as fallback even if
User= is changed in that case.
Let's instead delegate such suppression to build_environment(),
so that home is proper initialized for usage at other steps.
shell doesn't actually suffer from such problem, but it's changed
too for consistency.
Alternative to #34789
(cherry picked from commit b718b86e1b8477f58461f3c456c944abb1428c0f)
systemd-sysext has the same check, but it was forgotten for confexts.
Needed to activate confexts from the ESP in the initrd.
(cherry picked from commit fe077a1a582a43a6378ff29452a373cc7d393764)
```
$ systemd-cryptenroll /dev/vda3
SLOT TYPE
0 password
$ systemd-cryptenroll --wipe-slot 1 /dev/vda3
Failed to wipe slot 1, continuing: No such file or directory
```
(cherry picked from commit 2b251491debf9cab695f5f34da9908ca46f085fe)
"systemctl status systemd-logind" otherwise looks a bit weird, since the
tasks and the fdstore lines are so close to each other but formatted
quite differently when it comes to coloring.
(cherry picked from commit 54646b1ca95373dfa3ebe5d6e7e27deeed9e77b0)
We use the $WATCHDOG_USEC variable for two very closely uses: as part of
the sd_watchdog_enabled() protocol for implementing service watchdogs.
And as part of the protocol between the service manager and
systemd-shutdown across the PID 1 execve() transition during shutdown.
Apparently some exitrds tools got confused by the latter use. Let's
address that by setting $WATCHDOG_PID to 1, in accordance to the
sd_watchdog_enabled() protocol to make clear this is only intended for
PID 1 and nothing else.
Replaces: #35135
(cherry picked from commit 4b20ae9a0e914e61d6bac095e5fc9664510ac03e)
Also remove the systemd-measure dependency from the mkosi target as
mkosi doesn't invoke systemd-measure itself.
(cherry picked from commit 1a077e05fbcbfffe548ef39f45e4f2ca1399715d)
libnvme 1.11 appears to require a kernel built with NVME TLS
kconfigs, and fails hard if it is not, as the expected
privileged keyring '.nvme' is not present. We cannot just
create it from userspace, as privileged keyrings can only
be created by the kernel itself (those starting with '.').
Skip the test if the library exactly matches this version.
https://github.com/linux-nvme/nvme-cli/issues/2573
Fixes https://github.com/systemd/systemd/issues/35130
(cherry picked from commit 893aa45886ef84b1827445dc438e410ad89fbbbf)
Follow-up for efedb6b0f3cff37950112fd37cb750c16d599bc7.
Closes#35116.
(cherry picked from commit 985ea98e7f90c92fcc0b8441fafb190353d2feb8)
Really rewritten from scratch.
