From e8cc280d45091673cf5d0b7d21fbfa641212b5dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 7 Nov 2023 16:27:34 +0100 Subject: [PATCH 01/29] Version 255~rc1 - See https://raw.githubusercontent.com/systemd/systemd/v255-rc1/NEWS - All the files and services related to pcrs are moved to -udev subpackage. This includes the new systemd-pcrlock binary. --- ...-PollLimit-settings-to-.socket-units.patch | 243 ------------------ ...map-extend-variant-match-bonus-again.patch | 50 ---- ...cy_keymap-fix-empty-variant-matching.patch | 58 ----- ...rd-model-map-correct-sk-qwerty-entry.patch | 25 -- ...ap-try-matching-with-layout-order-re.patch | 117 --------- ...-new-PollLimitIntervalSec-PollLimitB.patch | 80 ------ 0003-ci-add-test-for-poll-limit.patch | 79 ------ ...2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa.patch | 94 ------- sources | 2 +- split-files.py | 2 +- systemd.spec | 126 ++++----- 11 files changed, 51 insertions(+), 825 deletions(-) delete mode 100644 0001-core-add-new-PollLimit-settings-to-.socket-units.patch delete mode 100644 0001-find_legacy_keymap-extend-variant-match-bonus-again.patch delete mode 100644 0001-find_legacy_keymap-fix-empty-variant-matching.patch delete mode 100644 0001-keyboard-model-map-correct-sk-qwerty-entry.patch delete mode 100644 0002-find_legacy_keymap-try-matching-with-layout-order-re.patch delete mode 100644 0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch delete mode 100644 0003-ci-add-test-for-poll-limit.patch delete mode 100644 631d2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa.patch diff --git a/0001-core-add-new-PollLimit-settings-to-.socket-units.patch b/0001-core-add-new-PollLimit-settings-to-.socket-units.patch deleted file mode 100644 index 351f413..0000000 --- a/0001-core-add-new-PollLimit-settings-to-.socket-units.patch +++ /dev/null 
@@ -1,243 +0,0 @@ -From df25afd2cf5527fe1bb542bb146fef1be8d9a489 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Sat, 9 Sep 2023 14:46:32 +0200 -Subject: [PATCH 1/3] core: add new "PollLimit" settings to .socket units - -This adds a new "PollLimit" pair of settings to .socket units, very -similar to existing "TriggerLimit" logic. The differences are: - -* PollLimit focusses on the polling on the sockets, and pauses that - temporarily if a ratelimit on that is reached. TriggerLimit otoh - focusses on the triggering effect of socket units, and stops - triggering once the ratelimit is hit. - -* While the trigger limit being hit is an action that causes the socket - unit to fail the polling limit being reached will just temporarily - disable polling on the socket fd, and it is resumed once the ratelimit - interval is over. - -* When a socket unit operates on multiple socket fds (e,g, ListenStream= - on both some ipv6 and an ipv4 address or so). Then the PollLimit will - be specific to each fd, while the trigger limit is specific to the - whole unit. - -Implementation-wise this is mostly a wrapper around sd-event's -sd_event_source_set_ratelimit(), which exposes the desired behaviour -directly. - -Usecase for all of this: socket services which when overloaded with -connections should just slow down reception of it, but not fail -persistently. 
- -(cherry picked from commit 2bec84e7a5bf3687ae65205753ba3d8067cf2f0e) ---- - man/org.freedesktop.systemd1.xml | 12 ++++++++++ - src/core/dbus-socket.c | 8 +++++++ - src/core/load-fragment-gperf.gperf.in | 2 ++ - src/core/socket.c | 32 +++++++++++++++++++-------- - src/core/socket.h | 2 ++ - src/shared/bus-unit-util.c | 10 +++++---- - 6 files changed, 53 insertions(+), 13 deletions(-) - -diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml -index 56906e2f3b..0557dc2379 100644 ---- a/man/org.freedesktop.systemd1.xml -+++ b/man/org.freedesktop.systemd1.xml -@@ -4727,6 +4727,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - readonly t TriggerLimitIntervalUSec = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly u TriggerLimitBurst = ...; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const") -+ readonly t PollLimitIntervalUSec = ...; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const") -+ readonly u PollLimitBurst = ...; - readonly u UID = ...; - readonly u GID = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("invalidates") -@@ -5961,6 +5965,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - - -+ -+ -+ -+ - - - -@@ -6497,6 +6505,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - - -+ PollLimitIntervalUSec/PollLimitBurst properties configure the -+ polling limit for the socket unit. Expects a time in µs, resp. an unsigned integer. If either is set to -+ zero the limiting feature is turned off. 
-+ - - Properties - -diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c -index 09a3a9502b..04552b7c60 100644 ---- a/src/core/dbus-socket.c -+++ b/src/core/dbus-socket.c -@@ -129,6 +129,8 @@ const sd_bus_vtable bus_socket_vtable[] = { - SD_BUS_PROPERTY("SocketProtocol", "i", bus_property_get_int, offsetof(Socket, socket_protocol), SD_BUS_VTABLE_PROPERTY_CONST), - SD_BUS_PROPERTY("TriggerLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Socket, trigger_limit.interval), SD_BUS_VTABLE_PROPERTY_CONST), - SD_BUS_PROPERTY("TriggerLimitBurst", "u", bus_property_get_unsigned, offsetof(Socket, trigger_limit.burst), SD_BUS_VTABLE_PROPERTY_CONST), -+ SD_BUS_PROPERTY("PollLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Socket, poll_limit_interval), SD_BUS_VTABLE_PROPERTY_CONST), -+ SD_BUS_PROPERTY("PollLimitBurst", "u", bus_property_get_unsigned, offsetof(Socket, poll_limit_burst), SD_BUS_VTABLE_PROPERTY_CONST), - SD_BUS_PROPERTY("UID", "u", bus_property_get_uid, offsetof(Unit, ref_uid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), - SD_BUS_PROPERTY("GID", "u", bus_property_get_gid, offsetof(Unit, ref_gid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), - BUS_EXEC_COMMAND_LIST_VTABLE("ExecStartPre", offsetof(Socket, exec_command[SOCKET_EXEC_START_PRE]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION), -@@ -248,6 +250,9 @@ static int bus_socket_set_transient_property( - if (streq(name, "TriggerLimitBurst")) - return bus_set_transient_unsigned(u, name, &s->trigger_limit.burst, message, flags, error); - -+ if (streq(name, "PollLimitBurst")) -+ return bus_set_transient_unsigned(u, name, &s->poll_limit_burst, message, flags, error); -+ - if (streq(name, "SocketMode")) - return bus_set_transient_mode_t(u, name, &s->socket_mode, message, flags, error); - -@@ -275,6 +280,9 @@ static int bus_socket_set_transient_property( - if (streq(name, "TriggerLimitIntervalUSec")) - return bus_set_transient_usec(u, name, &s->trigger_limit.interval, message, flags, error); - -+ if (streq(name, 
"PollLimitIntervalUSec")) -+ return bus_set_transient_usec(u, name, &s->poll_limit_interval, message, flags, error); -+ - if (streq(name, "SmackLabel")) - return bus_set_transient_string(u, name, &s->smack, message, flags, error); - -diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in -index b66adf2811..0d1ee9c231 100644 ---- a/src/core/load-fragment-gperf.gperf.in -+++ b/src/core/load-fragment-gperf.gperf.in -@@ -507,6 +507,8 @@ Socket.FileDescriptorName, config_parse_fdname, - Socket.Service, config_parse_socket_service, 0, 0 - Socket.TriggerLimitIntervalSec, config_parse_sec, 0, offsetof(Socket, trigger_limit.interval) - Socket.TriggerLimitBurst, config_parse_unsigned, 0, offsetof(Socket, trigger_limit.burst) -+Socket.PollLimitIntervalSec, config_parse_sec, 0, offsetof(Socket, poll_limit_interval) -+Socket.PollLimitBurst, config_parse_unsigned, 0, offsetof(Socket, poll_limit_burst) - {% if ENABLE_SMACK %} - Socket.SmackLabel, config_parse_unit_string_printf, 0, offsetof(Socket, smack) - Socket.SmackLabelIPIn, config_parse_unit_string_printf, 0, offsetof(Socket, smack_ip_in) -diff --git a/src/core/socket.c b/src/core/socket.c -index 75034ac357..dc18744f54 100644 ---- a/src/core/socket.c -+++ b/src/core/socket.c -@@ -101,6 +101,9 @@ static void socket_init(Unit *u) { - - s->trigger_limit.interval = USEC_INFINITY; - s->trigger_limit.burst = UINT_MAX; -+ -+ s->poll_limit_interval = USEC_INFINITY; -+ s->poll_limit_burst = UINT_MAX; - } - - static void socket_unwatch_control_pid(Socket *s) { -@@ -310,17 +313,20 @@ static int socket_add_extras(Socket *s) { - * off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to - * process whatever is queued in one go, and thus should normally never have to be started frequently. This is - * different for Accept=yes where each connection is processed by a new service instance, and thus frequent -- * service starts are typical. 
*/ -+ * service starts are typical. -+ * -+ * For the poll limit we follow a similar rule, but use 3/4th of the trigger limit parameters, to -+ * trigger this earlier. */ - - if (s->trigger_limit.interval == USEC_INFINITY) - s->trigger_limit.interval = 2 * USEC_PER_SEC; -+ if (s->trigger_limit.burst == UINT_MAX) -+ s->trigger_limit.burst = s->accept ? 200 : 20; - -- if (s->trigger_limit.burst == UINT_MAX) { -- if (s->accept) -- s->trigger_limit.burst = 200; -- else -- s->trigger_limit.burst = 20; -- } -+ if (s->poll_limit_interval == USEC_INFINITY) -+ s->poll_limit_interval = 2 * USEC_PER_SEC; -+ if (s->poll_limit_burst == UINT_MAX) -+ s->poll_limit_burst = s->accept ? 150 : 15; - - if (have_non_accept_socket(s)) { - -@@ -770,9 +776,13 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { - - fprintf(f, - "%sTriggerLimitIntervalSec: %s\n" -- "%sTriggerLimitBurst: %u\n", -+ "%sTriggerLimitBurst: %u\n" -+ "%sPollLimitIntervalSec: %s\n" -+ "%sPollLimitBurst: %u\n", - prefix, FORMAT_TIMESPAN(s->trigger_limit.interval, USEC_PER_SEC), -- prefix, s->trigger_limit.burst); -+ prefix, s->trigger_limit.burst, -+ prefix, FORMAT_TIMESPAN(s->poll_limit_interval, USEC_PER_SEC), -+ prefix, s->poll_limit_burst); - - str = ip_protocol_to_name(s->socket_protocol); - if (str) -@@ -1765,6 +1775,10 @@ static int socket_watch_fds(Socket *s) { - - (void) sd_event_source_set_description(p->event_source, "socket-port-io"); - } -+ -+ r = sd_event_source_set_ratelimit(p->event_source, s->poll_limit_interval, s->poll_limit_burst); -+ if (r < 0) -+ log_unit_debug_errno(UNIT(s), r, "Failed to set poll limit on I/O event source, ignoring: %m"); - } - - return 0; -diff --git a/src/core/socket.h b/src/core/socket.h -index 191d27f46d..b03a291e4a 100644 ---- a/src/core/socket.h -+++ b/src/core/socket.h -@@ -158,6 +158,8 @@ struct Socket { - char *fdname; - - RateLimit trigger_limit; -+ usec_t poll_limit_interval; -+ unsigned poll_limit_burst; - }; - - SocketPeer 
*socket_peer_ref(SocketPeer *p); -diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c -index e7b44cc39b..9f0f37488d 100644 ---- a/src/shared/bus-unit-util.c -+++ b/src/shared/bus-unit-util.c -@@ -2170,10 +2170,10 @@ static int bus_append_path_property(sd_bus_message *m, const char *field, const - return 1; - } - -- if (streq(field, "TriggerLimitBurst")) -+ if (STR_IN_SET(field, "TriggerLimitBurst", "PollLimitBurst")) - return bus_append_safe_atou(m, field, eq); - -- if (streq(field, "TriggerLimitIntervalSec")) -+ if (STR_IN_SET(field, "TriggerLimitIntervalSec", "PollLimitIntervalSec")) - return bus_append_parse_sec_rename(m, field, eq); - - return 0; -@@ -2382,7 +2382,8 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons - "MaxConnections", - "MaxConnectionsPerSource", - "KeepAliveProbes", -- "TriggerLimitBurst")) -+ "TriggerLimitBurst", -+ "PollLimitBurst")) - return bus_append_safe_atou(m, field, eq); - - if (STR_IN_SET(field, "SocketMode", -@@ -2397,7 +2398,8 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons - "KeepAliveTimeSec", - "KeepAliveIntervalSec", - "DeferAcceptSec", -- "TriggerLimitIntervalSec")) -+ "TriggerLimitIntervalSec", -+ "PollLimitIntervalSec")) - return bus_append_parse_sec_rename(m, field, eq); - - if (STR_IN_SET(field, "ReceiveBuffer", diff --git a/0001-find_legacy_keymap-extend-variant-match-bonus-again.patch b/0001-find_legacy_keymap-extend-variant-match-bonus-again.patch deleted file mode 100644 index 02f6fc0..0000000 --- a/0001-find_legacy_keymap-extend-variant-match-bonus-again.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 537c00c984910f417a2f2d4aad997f822060d4d1 Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Tue, 19 Sep 2023 16:06:26 -0700 -Subject: [PATCH] find_legacy_keymap: extend variant match bonus again - -If the column is "-" and the X context variant specifer only -contains commas, we should also give the match bonus. The variant -string is supposed to be a comma-separated list as long as the -list of layouts, so it's quite natural for consumers to be written -in such a way that they pass a string only containing commas if -there are multiple layouts and no variants. anaconda is a real -world case that does this. - -Signed-off-by: Adam Williamson ---- - src/locale/localed-util.c | 2 +- - src/locale/test-localed-util.c | 7 +++++++ - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c -index eba13a2ac3..9b6949e14d 100644 ---- a/src/locale/localed-util.c -+++ b/src/locale/localed-util.c -@@ -839,7 +839,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) { - if (isempty(xc->model) || streq_ptr(xc->model, a[2])) { - matching++; - -- if (streq_ptr(xc->variant, a[3]) || (isempty(xc->variant) && streq(a[3], "-"))) { -+ if (streq_ptr(xc->variant, a[3]) || ((isempty(xc->variant) || streq_skip_trailing_chars(xc->variant, "", ",")) && streq(a[3], "-"))) { - matching++; - - if (streq_ptr(xc->options, a[4])) -diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c -index f702ff29b0..e92c178a98 100644 ---- a/src/locale/test-localed-util.c -+++ b/src/locale/test-localed-util.c -@@ -185,6 +185,13 @@ TEST(x11_convert_to_vconsole) { - assert_se(streq(vc.keymap, "bg_bds-utf8")); - vc_context_clear(&vc); - -+ /* same, but with variant specified as "," */ -+ log_info("/* test with variant as ',', desired match second (bg,us:) */"); -+ assert_se(free_and_strdup(&xc.variant, ",") >= 0); -+ assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0); -+ assert_se(streq(vc.keymap, 
"bg_bds-utf8")); -+ vc_context_clear(&vc); -+ - log_info("/* test with old mapping (fr:latin9) */"); - assert_se(free_and_strdup(&xc.layout, "fr") >= 0); - assert_se(free_and_strdup(&xc.variant, "latin9") >= 0); diff --git a/0001-find_legacy_keymap-fix-empty-variant-matching.patch b/0001-find_legacy_keymap-fix-empty-variant-matching.patch deleted file mode 100644 index c15a017..0000000 --- a/0001-find_legacy_keymap-fix-empty-variant-matching.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From a30ae31351ffa701ca860779495d4f52db4c462c Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Fri, 15 Sep 2023 15:35:36 -0700 -Subject: [PATCH 1/2] find_legacy_keymap: fix empty variant matching - -We should give a match bonus if the X context variant is empty -and the xvariant column in kbd-model-map is "-" (which means -none). Currently, we don't, which means that if you call this -on a context with layouts bg,us and no variant, you get the -console layout bg_pho-utf8 instead of bg_bds-utf8 (because both -score the same, and the bg_pho-utf8 row comes first). You should -get bg_bds-utf8 in this case. - -Signed-off-by: Adam Williamson ---- - src/locale/localed-util.c | 2 +- - src/locale/test-localed-util.c | 12 ++++++++++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c -index 02fac9786b..6a05b50a31 100644 ---- a/src/locale/localed-util.c -+++ b/src/locale/localed-util.c -@@ -825,7 +825,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) { - if (isempty(xc->model) || streq_ptr(xc->model, a[2])) { - matching++; - -- if (streq_ptr(xc->variant, a[3])) { -+ if (streq_ptr(xc->variant, a[3]) || (isempty(xc->variant) && streq(a[3], "-"))) { - matching++; - - if (streq_ptr(xc->options, a[4])) -diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c -index cb66dffd48..a19d80a967 100644 ---- a/src/locale/test-localed-util.c -+++ b/src/locale/test-localed-util.c -@@ -173,6 +173,18 @@ TEST(x11_convert_to_vconsole) { - assert_se(streq(vc.keymap, "es-dvorak")); - vc_context_clear(&vc); - -+ /* es no-variant test is not very good as the desired match -+ comes first in the list so will win if both candidates score -+ the same. 
in this case the desired match comes second so will -+ not win unless we correctly give the no-variant match a bonus -+ */ -+ log_info("/* test without variant, desired match second (bg,us:) */"); -+ assert_se(free_and_strdup(&xc.layout, "bg,us") >= 0); -+ assert_se(free_and_strdup(&xc.variant, NULL) >= 0); -+ assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0); -+ assert_se(streq(vc.keymap, "bg_bds-utf8")); -+ vc_context_clear(&vc); -+ - log_info("/* test with old mapping (fr:latin9) */"); - assert_se(free_and_strdup(&xc.layout, "fr") >= 0); - assert_se(free_and_strdup(&xc.variant, "latin9") >= 0); --- -2.41.0 - diff --git a/0001-keyboard-model-map-correct-sk-qwerty-entry.patch b/0001-keyboard-model-map-correct-sk-qwerty-entry.patch deleted file mode 100644 index f6a042a..0000000 --- a/0001-keyboard-model-map-correct-sk-qwerty-entry.patch +++ /dev/null @@ -1,25 +0,0 @@ -From ca831de1704f4e28241df513aa89ac465a7c8ab2 Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Wed, 20 Sep 2023 15:14:31 -0700 -Subject: [PATCH] keyboard-model-map: correct sk-qwerty entry - -qwerty here is a variant, not an option. - -Signed-off-by: Adam Williamson ---- - src/locale/kbd-model-map | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/locale/kbd-model-map b/src/locale/kbd-model-map -index a145e13ecd..279d1a36d8 100644 ---- a/src/locale/kbd-model-map -+++ b/src/locale/kbd-model-map -@@ -52,7 +52,7 @@ es es pc105 - terminate:ctrl_alt_bksp - ro-cedilla ro pc105 cedilla terminate:ctrl_alt_bksp - ie ie pc105 - terminate:ctrl_alt_bksp - et ee pc105 - terminate:ctrl_alt_bksp --sk-qwerty sk pc105 - terminate:ctrl_alt_bksp,qwerty -+sk-qwerty sk pc105 qwerty terminate:ctrl_alt_bksp - sk-qwertz sk pc105 - terminate:ctrl_alt_bksp - fr-latin9 fr pc105 latin9 terminate:ctrl_alt_bksp - fr_CH-latin1 ch pc105 fr terminate:ctrl_alt_bksp 
diff --git a/0002-find_legacy_keymap-try-matching-with-layout-order-re.patch b/0002-find_legacy_keymap-try-matching-with-layout-order-re.patch deleted file mode 100644 index d0eb7d0..0000000 --- a/0002-find_legacy_keymap-try-matching-with-layout-order-re.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From cf649cc21bf997b90606db664d74726fcaf002de Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Fri, 15 Sep 2023 16:02:29 -0700 -Subject: [PATCH 2/2] find_legacy_keymap: try matching with layout order - reversed - -The lines in kbd-model-map date back to ye olde times (RH's old -system-config-keyboard), and I think predate this bug: - -https://bugzilla.redhat.com/show_bug.cgi?id=1039185 - -where we got strong feedback that, for 'switched' layout setups -like Russian, US English should be the *first* layout and the -native layout the *second* one. This is how anaconda and, as of -recently, gnome-initial-setup configure such cases - but that -means, if we try to use localed to convert these configurations -using kbd-model-map, we get the wrong result (we get "us" as the -console layout). See also: - -https://bugzilla.redhat.com/show_bug.cgi?id=1912609 - -where we first noticed this wasn't working right, but sadly, we -'fixed' it with a not-really-correct bodge in anaconda instead -of doing it properly. - -Signed-off-by: Adam Williamson ---- - src/locale/localed-util.c | 44 ++++++++++++++++++++++------------ - src/locale/test-localed-util.c | 5 +++- - 2 files changed, 33 insertions(+), 16 deletions(-) - -diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c -index 6a05b50a31..eba13a2ac3 100644 ---- a/src/locale/localed-util.c -+++ b/src/locale/localed-util.c -@@ -803,21 +803,35 @@ int find_legacy_keymap(const X11Context *xc, char **ret) { - /* If we got an exact match, this is the best */ - matching = 10; - else { -- /* We have multiple X layouts, look for an -- * entry that matches our key with everything -- * but the first layout stripped off. 
*/ -- if (startswith_comma(xc->layout, a[1])) -- matching = 5; -+ /* see if we get an exact match with the order reversed */ -+ _cleanup_strv_free_ char **b = NULL; -+ _cleanup_free_ char *c = NULL; -+ r = strv_split_full(&b, a[1], ",", 0); -+ if (r < 0) -+ return r; -+ strv_reverse(b); -+ c = strv_join(b, ","); -+ if (!c) -+ return log_oom(); -+ if (streq(xc->layout, c)) -+ matching = 9; - else { -- _cleanup_free_ char *x = NULL; -- -- /* If that didn't work, strip off the -- * other layouts from the entry, too */ -- x = strdupcspn(a[1], ","); -- if (!x) -- return -ENOMEM; -- if (startswith_comma(xc->layout, x)) -- matching = 1; -+ /* We have multiple X layouts, look for an -+ * entry that matches our key with everything -+ * but the first layout stripped off. */ -+ if (startswith_comma(xc->layout, a[1])) -+ matching = 5; -+ else { -+ _cleanup_free_ char *x = NULL; -+ -+ /* If that didn't work, strip off the -+ * other layouts from the entry, too */ -+ x = strdupcspn(a[1], ","); -+ if (!x) -+ return -ENOMEM; -+ if (startswith_comma(xc->layout, x)) -+ matching = 1; -+ } - } - } - -@@ -848,7 +862,7 @@ int find_legacy_keymap(const X11Context *xc, char **ret) { - } - } - -- if (best_matching < 10 && !isempty(xc->layout)) { -+ if (best_matching < 9 && !isempty(xc->layout)) { - _cleanup_free_ char *l = NULL, *v = NULL, *converted = NULL; - - /* The best match is only the first part of the X11 -diff --git a/src/locale/test-localed-util.c b/src/locale/test-localed-util.c -index a19d80a967..f702ff29b0 100644 ---- a/src/locale/test-localed-util.c -+++ b/src/locale/test-localed-util.c -@@ -192,11 +192,14 @@ TEST(x11_convert_to_vconsole) { - assert_se(streq(vc.keymap, "fr-latin9")); - vc_context_clear(&vc); - -+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1039185 */ -+ /* us,ru is the x config users want, but they still want ru -+ as the console layout in this case */ - log_info("/* test with a compound mapping (us,ru:) */"); - assert_se(free_and_strdup(&xc.layout, 
"us,ru") >= 0); - assert_se(free_and_strdup(&xc.variant, NULL) >= 0); - assert_se(x11_convert_to_vconsole(&xc, &vc) >= 0); -- assert_se(streq(vc.keymap, "us")); -+ assert_se(streq(vc.keymap, "ru")); - vc_context_clear(&vc); - - log_info("/* test with a compound mapping (ru,us:) */"); --- -2.41.0 - diff --git a/0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch b/0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch deleted file mode 100644 index e2e80e9..0000000 --- a/0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From f6b09a2ed646f0a0b54605d4c19a898ab2bbf192 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 18 Sep 2023 17:51:49 +0200 -Subject: [PATCH 2/3] man: document the new - PollLimitIntervalSec=/PollLimitBurst= settings - -(cherry picked from commit 9373fce68de183a615d44fe100dcf22e3c9b8c3e) ---- - man/systemd.socket.xml | 58 ++++++++++++++++++++++++++++++++++-------- - 1 file changed, 47 insertions(+), 11 deletions(-) - -diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml -index 45555302f1..462978d438 100644 ---- a/man/systemd.socket.xml -+++ b/man/systemd.socket.xml -@@ -830,17 +830,53 @@ - TriggerLimitIntervalSec= - TriggerLimitBurst= - -- Configures a limit on how often this socket unit may be activated within a specific time -- interval. The TriggerLimitIntervalSec= may be used to configure the length of the time -- interval in the usual time units us, ms, s, -- min, h, … and defaults to 2s (See -- systemd.time7 for details on -- the various time units understood). The TriggerLimitBurst= setting takes a positive integer -- value and specifies the number of permitted activations per time interval, and defaults to 200 for -- Accept=yes sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20 -- activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the -- socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this -- limit is enforced before the service activation is enqueued. -+ Configures a limit on how often this socket unit may be activated within a specific -+ time interval. The TriggerLimitIntervalSec= setting may be used to configure the -+ length of the time interval in the usual time units us, ms, -+ s, min, h, … and defaults to 2s (See -+ systemd.time7 for -+ details on the various time units understood). 
The TriggerLimitBurst= setting -+ takes a positive integer value and specifies the number of permitted activations per time interval, -+ and defaults to 200 for Accept=yes sockets (thus by default permitting 200 -+ activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of -+ trigger rate limiting. -+ -+ If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible -+ anymore until restarted. Note that this limit is enforced before the service activation is -+ enqueued. -+ -+ Compare with PollLimitIntervalSec=/PollLimitBurst= -+ described below, which implements a temporary slowdown if a socket unit is flooded with incoming -+ traffic, as opposed to the permanent failure state -+ TriggerLimitIntervalSec=/TriggerLimitBurst= results in. -+ -+ -+ -+ -+ PollLimitIntervalSec= -+ PollLimitBurst= -+ -+ Configures a limit on how often polling events on the file descriptors backing this -+ socket unit will be considered. This pair of settings is similar to -+ TriggerLimitIntervalSec=/TriggerLimitBurst= but instead of -+ putting a (fatal) limit on the activation frequency puts a (transient) limit on the polling -+ frequency. The expected parameter syntax and range are identical to that of the aforementioned -+ options, and can be disabled the same way. -+ -+ If the polling limit is hit polling is temporarily disabled on it until the specified time -+ window passes. The polling limit hence slows down connection attempts if hit, but unlike the trigger -+ limit won't cause permanent failures. It's the recommended mechanism to deal with DoS attempts -+ through packet flooding. -+ -+ The polling limit is enforced per file descriptor to listen on, as opposed to the trigger limit -+ which is enforced for the entire socket unit. This distinction matters for socket units that listen -+ on multiple file descriptors (i.e. have multiple ListenXYZ= stanzas). 
-+ -+ These setting defaults to 150 (in case of Accept=yes) and 15 (otherwise) -+ polling events per 2s. This is considerably lower than the default values for the trigger limit (see -+ above) and means that the polling limit should typically ensure the trigger limit is never hit, -+ unless one of them is reconfigured or disabled. -+ - - - diff --git a/0003-ci-add-test-for-poll-limit.patch b/0003-ci-add-test-for-poll-limit.patch deleted file mode 100644 index 33e2178..0000000 --- a/0003-ci-add-test-for-poll-limit.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From ae92a9714744bbf92fe69ffe276a668b031a6d26 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 18 Sep 2023 18:05:27 +0200 -Subject: [PATCH 3/3] ci: add test for poll limit - -(cherry picked from commit 065e478a4a8cc8e41a6e87756c081396f253e853) ---- - test/TEST-07-PID1/test.sh | 2 ++ - test/units/testsuite-07.poll-limit.sh | 48 +++++++++++++++++++++++++++ - 2 files changed, 50 insertions(+) - create mode 100755 test/units/testsuite-07.poll-limit.sh - -diff --git a/test/TEST-07-PID1/test.sh b/test/TEST-07-PID1/test.sh -index 1c3d7137fe..d0e35d870f 100755 ---- a/test/TEST-07-PID1/test.sh -+++ b/test/TEST-07-PID1/test.sh -@@ -32,6 +32,8 @@ Alias=issue2730-alias.mount - EOF - "${SYSTEMCTL:?}" enable --root="$workspace" issue2730.mount - ln -svrf "$workspace/etc/systemd/system/issue2730.mount" "$workspace/etc/systemd/system/issue2730-alias.mount" -+ -+ image_install logger - } - - do_test "$@" -diff --git a/test/units/testsuite-07.poll-limit.sh b/test/units/testsuite-07.poll-limit.sh -new file mode 100755 -index 0000000000..480d7ee8df ---- /dev/null -+++ b/test/units/testsuite-07.poll-limit.sh -@@ -0,0 +1,48 @@ -+#!/usr/bin/env bash -+# SPDX-License-Identifier: LGPL-2.1-or-later -+set -eux -+set -o pipefail -+ -+systemd-analyze log-level debug -+ -+cat > /run/systemd/system/floodme@.service < /run/systemd/system/floodme.socket < -Date: Wed, 26 Jul 2023 09:02:04 +0200 -Subject: [PATCH] rpm: add %systemd_postun_with_reload and - %systemd_user_postun_with_reload - -For some units, the package would like to issue a reload. The machinery was -already in place since c9615f73521986b3607b852c139036d58973043c: - - systemctl reload-or-restart --marked - - Enqueues restart jobs for all units that have the 'needs-restart' - mark, and reload jobs for units that have the 'needs-reload' mark. - When a unit marked for reload does not support reload, restart will - be queued. - -The new macros allow a reload to be issued instead of a restart. 
- -Based on the discussion on fedora-devel: -https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IJSUGIEJNYZZRE53FF4YFUEBRHRAVIXR/ - -Tested using dummy package https://github.com/keszybz/rpm-test-reload. ---- - src/rpm/macros.systemd.in | 16 ++++++++++++++++ - src/rpm/systemd-update-helper.in | 22 ++++++++++++++++++++++ - 2 files changed, 38 insertions(+) - -diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in -index c07541c7286c..f05553f557e9 100644 ---- a/src/rpm/macros.systemd.in -+++ b/src/rpm/macros.systemd.in -@@ -101,6 +101,22 @@ if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \ - fi \ - %{nil} - -+%systemd_postun_with_reload() \ -+%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_reload}} \ -+if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \ -+ # Package upgrade, not uninstall \ -+ {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-system-units %{?*} || : \ -+fi \ -+%{nil} -+ -+%systemd_user_postun_with_reload() \ -+%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_postun_with_reload}} \ -+if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \ -+ # Package upgrade, not uninstall \ -+ {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-user-units %{?*} || : \ -+fi \ -+%{nil} -+ - %udev_hwdb_update() %{nil} - - %udev_rules_update() %{nil} -diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in -index c623a5ea1722..c81e16c3d3ff 100755 ---- a/src/rpm/systemd-update-helper.in -+++ b/src/rpm/systemd-update-helper.in -@@ -47,6 +47,15 @@ case "$command" in - wait - ;; - -+ mark-reload-system-units) -+ [ -d /run/systemd/system ] || exit 0 -+ -+ for unit in "$@"; do -+ systemctl set-property "$unit" Markers=+needs-reload & -+ done -+ wait -+ ;; -+ - mark-restart-user-units) - [ -d /run/systemd/system ] || exit 0 - -@@ -60,6 +69,19 @@ case "$command" in - wait - ;; - -+ mark-reload-user-units) -+ [ -d 
/run/systemd/system ] || exit 0 -+ -+ users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p') -+ for user in $users; do -+ for unit in "$@"; do -+ SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT_SEC}}s \ -+ systemctl --user -M "$user@" set-property "$unit" Markers=+needs-reload & -+ done -+ done -+ wait -+ ;; -+ - system-reload-restart|system-reload|system-restart) - if [ -n "$*" ]; then - echo "Unexpected arguments for '$command': $*" diff --git a/sources b/sources index 1482dea..fdd7cac 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-254.5.tar.gz) = 8e9b4f802c4da2a0dea6028df78d20de5d96802d8f614d0392e89dea605cdd8d9c1724ce3ea382378d582402646f8bea2ffcd55a84262461721ee3f691105b7a +SHA512 (systemd-255-rc1.tar.gz) = 3a92f59af54e0f4988304daa9d1d186554cd07f5ebc95ab17d2d6c1cb37caf7b329e8eca67eb7349aed2f425341ef2b79e2469156a26b6e2436b900b2136f824 diff --git a/split-files.py b/split-files.py index 6ab2832..cd309cc 100644 --- a/split-files.py +++ b/split-files.py @@ -150,7 +150,7 @@ for file in files(buildroot): integritytab| remount-fs| /initrd| - systemd-pcrphase| + systemd-pcr| systemd-measure| /boot$| /kernel/| diff --git a/systemd.spec b/systemd.spec index b2d550a..3473ec4 100644 --- a/systemd.spec +++ b/systemd.spec @@ -35,7 +35,7 @@ Name: systemd Url: https://systemd.io %if %{without inplace} -Version: 254.5 +Version: 255~rc1 %else # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') 
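Review bot: The new `systemd-pcr|` alternative in the split-files.py hunk is a bare prefix match, so it routes every path containing that string to the -udev subpackage, not just the systemd-pcrphase and systemd-pcrlock files the commit message names, and it will also pick up any future path that happens to carry the prefix. It presumably does not catch pcrlock data files if this release installs them under a directory named after pcrlock rather than as `systemd-pcr*` paths, so the resulting -udev file list should be checked against the full build output to confirm nothing PCR-related stays behind in the main package. A comment next to the pattern, such as `# everything PCR-related (systemd-pcrphase, systemd-pcrlock, their units and man pages)`, would make the deliberate broadening visible to the next person editing the regex. The enclosing regular expression starts and ends outside the hunk.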
@@ -104,21 +104,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # https://bugzilla.redhat.com/show_bug.cgi?id=2164404
 Patch0001: https://github.com/systemd/systemd/pull/26494.patch
-# Backport of patches that allow reloading of units
-Patch0002: https://github.com/systemd/systemd/pull/28521/commits/631d2b05ec5195d1f8f8fbff8a2dfcbf23d0b7aa.patch
-
-# Backport of improvements to console keyboard layout guessing
-# https://github.com/systemd/systemd/pull/29215
-# https://bugzilla.redhat.com/show_bug.cgi?id=1912609
-Patch0003: 0001-find_legacy_keymap-fix-empty-variant-matching.patch
-Patch0004: 0002-find_legacy_keymap-try-matching-with-layout-order-re.patch
-Patch0005: 0001-find_legacy_keymap-extend-variant-match-bonus-again.patch
-Patch0006: 0001-keyboard-model-map-correct-sk-qwerty-entry.patch
-
-# Requested as an alternative to https://fedoraproject.org/wiki/Changes/Drop_Sshd_Socket
-Patch0010: 0001-core-add-new-PollLimit-settings-to-.socket-units.patch
-Patch0011: 0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch
-Patch0012: 0003-ci-add-test-for-poll-limit.patch
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
@@ -128,7 +113,7 @@ Patch0490: use-bfq-scheduler.patch
 Patch0491: fedora-use-system-auth-in-pam-systemd-user.patch
 %ifarch %{ix86} x86_64 aarch64
-%global have_gnu_efi 1
+%global want_bootloader 1
 %endif
 BuildRequires: gcc
@@ -204,6 +189,9 @@ BuildRequires: python3dist(pytest-flakes)
 %endif
 BuildRequires: python3dist(pytest)
 BuildRequires: python3dist(zstd)
+%if 0%{?want_bootloader}
+BuildRequires: python3dist(pyelftools)
+%endif
 # gzip and lzma are provided by the stdlib
 BuildRequires: firewalld-filesystem
 BuildRequires: libseccomp-devel
@@ -408,7 +396,7 @@ This package also provides systemd-timesyncd, a network time protocol daemon. It also contains tools to manage encrypted home areas and secrets bound to the machine, and to create or grow partitions and make file systems automatically.
-%if 0%{?have_gnu_efi}
+%if 0%{?want_bootloader}
 %package ukify
 Summary: Tool to build Unified Kernel Images
 Requires: %{name} = %{version}-%{release}
@@ -576,16 +564,6 @@ package and is meant for use in exitrds.
 %prep
 %autosetup -n %{?commit:%{name}%[%stable?"-stable":""]-%{commit}}%{!?commit:%{name}%[%stable?"-stable":""]-%{version_no_tilde}} -p1
-%generate_buildrequires
-%if 0%{?have_gnu_efi}
-if grep -q gnu-efi meson_options.txt; then
- echo 'gnu-efi'
- echo 'gnu-efi-devel'
-else
- echo 'python3dist(pyelftools)'
-fi
-%endif
-
 %build
 %global ntpvendor %(source /etc/os-release; echo ${ID})
 %{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1}
@@ -599,44 +577,44 @@ CONFIGURE_OPTS=(
 -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
 -Dservice-watchdog=
 -Ddev-kvm-mode=0666
- -Dkmod=true
- -Dxkbcommon=true
- -Dblkid=true
- -Dfdisk=true
- -Dseccomp=true
+ -Dkmod=enabled
+ -Dxkbcommon=enabled
+ -Dblkid=enabled
+ -Dfdisk=enabled
+ -Dseccomp=enabled
 -Dima=true
- -Dselinux=true
- -Dbpf-framework=%[0%{?have_bpf}?"true":"false"]
- -Dapparmor=false
- -Dpolkit=true
- -Dxz=%[%{with xz}?"true":"false"]
- -Dzlib=%[%{with zlib}?"true":"false"]
- -Dbzip2=%[%{with bzip2}?"true":"false"]
- -Dlz4=%[%{with lz4}?"true":"false"]
- -Dzstd=%[%{with zstd}?"true":"false"]
- -Dpam=true
- -Dacl=true
+ -Dselinux=enabled
+ -Dbpf-framework=%[0%{?have_bpf}?"enabled":"disabled"]
+ -Dapparmor=disabled
+ -Dpolkit=enabled
+ -Dxz=%[%{with xz}?"enabled":"disabled"]
+ -Dzlib=%[%{with zlib}?"enabled":"disabled"]
+ -Dbzip2=%[%{with bzip2}?"enabled":"disabled"]
+ -Dlz4=%[%{with lz4}?"enabled":"disabled"]
+ -Dzstd=%[%{with zstd}?"enabled":"disabled"]
+ -Dpam=enabled
+ -Dacl=enabled
 -Dsmack=true
- -Dopenssl=true
+ -Dopenssl=enabled
 -Dcryptolib=openssl
- -Dp11kit=true
- -Dgcrypt=false
- -Daudit=true
- -Delfutils=true
- -Dlibcryptsetup=%[%{with bootstrap}?"false":"true"]
- -Delfutils=true
- -Dpwquality=true
- -Dqrencode=%[%{defined rhel}?"false":"true"]
- -Dgnutls=%[%{with gnutls}?"true":"false"]
- -Dmicrohttpd=true
- -Dlibidn2=true
+ -Dp11kit=enabled
+ -Dgcrypt=disabled
+ -Daudit=enabled
+ -Delfutils=enabled
+ -Dlibcryptsetup=%[%{with bootstrap}?"disabled":"enabled"]
+ -Delfutils=enabled
+ -Dpwquality=enabled
+ -Dqrencode=%[%{defined rhel}?"disabled":"enabled"]
+ -Dgnutls=%[%{with gnutls}?"enabled":"disabled"]
+ -Dmicrohttpd=enabled
+ -Dlibidn2=enabled
 -Dlibiptc=false
- -Dlibcurl=true
- -Dlibfido2=true
- -Dxenctrl=%[0%{?have_xen}?"true":"false"]
+ -Dlibcurl=enabled
+ -Dlibfido2=enabled
+ -Dxenctrl=%[0%{?have_xen}?"enabled":"disabled"]
 -Defi=true
 -Dtpm=true
- -Dtpm2=true
+ -Dtpm2=enabled
 -Dhwdb=true
 -Dsysusers=true
 -Dstandalone-binaries=true
@@ -653,7 +631,7 @@ CONFIGURE_OPTS=(
 -Dsplit-bin=true
 -Db_lto=%[%{with lto}?"true":"false"]
 -Db_ndebug=false
- -Dman=true
+ -Dman=enabled
 -Dversion-tag=%{version}-%{release}
 # https://bugzilla.redhat.com/show_bug.cgi?id=1906010
 -Dshared-lib-tag=%{version_no_tilde}-%{release}
@@ -690,21 +668,15 @@ CONFIGURE_OPTS=(
 -Dsystemd-network-uid=192
 -Dsystemd-resolve-uid=193
 # -Dsystemd-timesync-uid=, not set yet
-)
-if grep gnu-efi meson_options.txt; then
- CONFIGURE_OPTS+=( -Dgnu-efi=%[%{?have_gnu_efi}?"true":"false"] )
-else
- # For now, let's build the bootloader in the same places where we
- # built with gnu-efi. Later on, we might want to extend coverage, but
- # considering that that support is untested, let's not do this now.
- # Note, ukify requires bootloader, let's also explicitly enable/disable it
- # here for https://github.com/systemd/systemd/pull/24175.
- CONFIGURE_OPTS+=(
- -Dbootloader=%[%{?have_gnu_efi}?"true":"false"]
- -Dukify=%[%{?have_gnu_efi}?"true":"false"]
- )
-fi
+ # For now, let's build the bootloader in the same places where we
+ # built with gnu-efi. Later on, we might want to extend coverage, but
+ # considering that that support is untested, let's not do this now.
+ # Note, ukify requires bootloader, let's also explicitly enable/disable it
+ # here for https://github.com/systemd/systemd/pull/24175.
+ -Dbootloader=%[%{?want_bootloader}?"enabled":"disabled"]
+ -Dukify=%[%{?want_bootloader}?"enabled":"disabled"]
+)
 %if %{without lto}
 %global _lto_cflags %nil
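Review bot: `-Delfutils=enabled` is listed twice in the converted CONFIGURE_OPTS list (once after `-Daudit=enabled`, again after `-Dlibcryptsetup=`); the old side already carried the duplicate as `-Delfutils=true`, and this wholesale rewrite is the natural place to drop the second copy rather than keep relying on meson's last-wins handling. A few options are intentionally left as `true`/`false` (`-Dima`, `-Dsmack`, `-Dlibiptc`, `-Defi`, `-Dtpm`, `-Dhwdb`, `-Dsysusers`) among the newly feature-style `enabled`/`disabled` ones; presumably those are still declared as boolean options upstream, and a one-line comment such as `# options still of meson type boolean keep true/false; feature options use enabled/disabled` above the list would stop the next reader from "fixing" them. The CONFIGURE_OPTS array continues past the end of this hunk.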
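Review bot: The comment kept on the new side still says the bootloader is built "in the same places where we built with gnu-efi", but this commit removes the gnu-efi path and the `grep gnu-efi meson_options.txt` branch entirely, so the comment no longer describes the condition it sits above. I would replace its first two lines with `# Build the bootloader (and ukify, which requires it) only where want_bootloader is set (%{ix86} x86_64 aarch64); see https://github.com/systemd/systemd/pull/24175.` and drop the "Later on, we might want to extend coverage" sentence, which referred to the gnu-efi transition. The new `-Dbootloader=%[%{?want_bootloader}?…]` and `-Dukify=…` lines also use the bare `%{?…}` form while the sibling `-Dbpf-framework` and `-Dxenctrl` lines use `%[0%{?…}?…]`; the `0` prefix keeps the expression well-formed when the macro is undefined, so unless the bare form is known to expand correctly on arches where want_bootloader is unset I would presumably use `%[0%{?want_bootloader}?"enabled":"disabled"]` here for consistency.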
@@ -994,7 +966,7 @@ systemctl --no-reload preset systemd-oomd.service &>/dev/null || :
 # a different package version.
 systemctl --no-reload preset systemd-journald-audit.socket &>/dev/null || :
-%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-homed.service systemd-timesyncd.service %{?have_gnu_efi:systemd-boot-update.service} systemd-portabled.service systemd-pstore.service remote-cryptsetup.target
+%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-homed.service systemd-timesyncd.service %{?want_bootloader:systemd-boot-update.service} systemd-portabled.service systemd-pstore.service remote-cryptsetup.target
 %post udev
 # Move old stuff around in /var/lib
@@ -1172,7 +1144,7 @@ fi
 %files udev -f .file-list-udev
-%if 0%{?have_gnu_efi}
+%if 0%{?want_bootloader}
 %files ukify -f .file-list-ukify
 %files boot-unsigned -f .file-list-boot
 %endif
From 5cae6af05feca642414f9bd678f16a161265f7ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 7 Nov 2023 17:45:57 +0100
Subject: [PATCH 02/29] Move oomd to systemd-udev
It is really only useful on "full" machines, either VMs or bare metal, so it should be in systemd-udev.
---
 split-files.py | 7 ++++---
 systemd.spec | 17 +++--------------
 2 files changed, 7 insertions(+), 17 deletions(-)
diff --git a/split-files.py b/split-files.py
index cd309cc..83f1f46 100644
--- a/split-files.py
+++ b/split-files.py
@@ -116,6 +116,9 @@ for file in files(buildroot):
 elif '.so.' in n:
 o = o_libs
+ elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
+ o = o_oomd_defaults
+
 elif re.search(r'''udev(?!\.pc)|
 hwdb|
 bootctl|
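Review bot: The `o_oomd_defaults` branch is moved above the udev block because the second hunk of this file adds `oomd|` to the udev regex, which would otherwise claim the `10-oomd-*defaults.conf` and `oomd.conf.d` paths first; that ordering dependency is invisible at this spot, so a later "tidy-up" could silently move the oomd-defaults files into systemd-udev. I would add `# must stay above the udev block: its 'oomd|' alternative would otherwise capture these files` directly above the new `elif`. The unescaped `.` in `defaults.conf` is pre-existing and matches nothing unintended here.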
@@ -160,6 +163,7 @@ for file in files(buildroot):
 sysctl|
 coredump|
 homed|home1|
+ oomd|
 portabled|portable1
 ''', n, re.X):
 # coredumpctl, homectl, portablectl are included in the main package because
 # they can be used to interact with remote daemons. Also, the user could be
@@ -179,9 +183,6 @@ for file in files(buildroot):
 ''', n, re.X):
 # resolvectl and nss-resolve are in the main package.
 o = o_resolve
- elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
- o = o_oomd_defaults
-
 else:
 o = o_main
diff --git a/systemd.spec b/systemd.spec
index 3473ec4..8a40760 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -500,7 +500,7 @@ resolver, as well as an LLMNR and MulticastDNS resolver and responder.
 %package oomd-defaults
 Summary: Configuration files for systemd-oomd
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}-udev = %{version}-%{release}
 License: LGPL-2.1-or-later
 BuildArch: noarch
@@ -871,13 +871,6 @@ systemd-machine-id-setup &>/dev/null || :
 # this would make things worse, increasing the number of warnings we get
 # about needed daemon-reload.
-oomd_state=$(systemctl is-active systemd-oomd 2>/dev/null || :)
-
-# Work-around for #1931034. Remove after F34 is released.
-if [ "$oomd_state" == "active" ]; then
- systemctl stop -q systemd-oomd 2>/dev/null || :
-fi
-
 systemctl daemon-reexec &>/dev/null || {
 # systemd v239 had bug #9553 in D-Bus authentication of the private socket,
 # which was later fixed in v240 by #9625.
@@ -898,10 +891,6 @@ systemctl daemon-reexec &>/dev/null || {
 fi
 }
-if [ "$oomd_state" == "active" ]; then
- systemctl start -q systemd-oomd 2>/dev/null || :
-fi
-
 [ $1 -eq 1 ] || exit 0
 # create /var/log/journal only on initial installation,
@@ -928,7 +917,7 @@ if [ $1 -eq 1 ]; then
 systemd-tmpfiles --create &>/dev/null || :
 fi
-%systemd_postun_with_restart systemd-timedated.service systemd-hostnamed.service systemd-journald.service systemd-localed.service systemd-userdbd.service systemd-oomd.service
+%systemd_postun_with_restart systemd-timedated.service systemd-hostnamed.service systemd-journald.service systemd-localed.service systemd-userdbd.service
 # FIXME: systemd-logind.service is excluded (https://github.com/systemd/systemd/pull/17558)
@@ -966,7 +955,7 @@ systemctl --no-reload preset systemd-oomd.service &>/dev/null || :
 # a different package version.
 systemctl --no-reload preset systemd-journald-audit.socket &>/dev/null || :
-%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-homed.service systemd-timesyncd.service %{?want_bootloader:systemd-boot-update.service} systemd-portabled.service systemd-pstore.service remote-cryptsetup.target
+%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-homed.service %{?want_bootloader:systemd-boot-update.service} systemd-oomd.service systemd-portabled.service systemd-pstore.service systemd-timesyncd.service remote-cryptsetup.target
 %post udev
 # Move old stuff around in /var/lib
From 1c98102f5df560bfa33abc4cd62ef9882ec15cc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 7 Nov 2023 18:41:08 +0100
Subject: [PATCH 03/29] Also build systemd-vmspawn
---
 ...7ea76e72ed89a5d86ec9b78ca8f89a989258.patch | 182 ++++++++++++++++++
 ...d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch | 24 +++
 split-files.py | 1 +
 systemd.spec | 7 +-
 4 files changed, 212 insertions(+), 2 deletions(-)
 create mode 100644 30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
 create mode 100644 6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch
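Review bot: The hunk-header context shows `systemctl --no-reload preset systemd-oomd.service &>/dev/null || :` still being run from the scriptlet that precedes `%post udev`; if that scriptlet belongs to the main package (it starts outside the hunk, so I cannot confirm), it now presets a unit that this commit moves into -udev, so the preset runs at the wrong package's install time and on systems that never install -udev. I would move that preset line into the udev scriptlet next to the other `%udev_services` handling, or add a comment explaining why it stays. Relatedly, `systemd-oomd.service` is dropped from the main `%systemd_postun_with_restart` list in the first hunk and only added to `udev_services` here; that is correct only if a `%postun udev` scriptlet (also outside the hunk) actually restarts `%udev_services`, which is worth a quick check.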
diff --git a/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch b/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
new file mode 100644
index 0000000..e31a37a
--- /dev/null
+++ b/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
@@ -0,0 +1,182 @@ +From 30247ea76e72ed89a5d86ec9b78ca8f89a989258 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 7 Nov 2023 21:36:46 +0100 +Subject: [PATCH] man: many fixes systemd-vmspawn(1) + +- version information +- indentation and missing tags +- mkosi and qemu don't need root +--- + man/systemctl.xml | 8 +-- + man/systemd-vmspawn.xml | 118 +++++++++++++++++++++++----------------- + 2 files changed, 72 insertions(+), 54 deletions(-) + +diff --git a/man/systemd-vmspawn.xml b/man/systemd-vmspawn.xml +index bf3aaf028eafe..4ca6f1a74fd2f 100644 +--- a/man/systemd-vmspawn.xml ++++ b/man/systemd-vmspawn.xml +@@ -44,59 +44,73 @@ + The following options are understood: + + +- Image Options ++ Image Options + +- +- +- +- ++ ++ ++ ++ + +- Root file system disk image (or device node) for the virtual machine. +- +- ++ Root file system disk image (or device node) for the virtual machine. ++ ++ ++ ++ ++ + + + +- Host Configuration ++ Host Configuration ++ ++ ++ ++ SMP ++ ++ Configures the number of CPUs to start the virtual machine with. ++ Defaults to 1. ++ ++ ++ ++ ++ ++ ++ MEM ++ ++ Configures the amount of memory to start the virtual machine with. ++ Defaults to 2G. + +- +- +- SMP ++ ++ ++ + +- Configures the number of CPUs to start the virtual machine with. +- Defaults to 1. +- ++ ++ + +- +- MEM ++ Configures whether to use KVM. If the option is not specified KVM support will be ++ detected automatically. If true, KVM is always used, and if false, KVM is never used. + +- Configures the amount of memory to start the virtual machine with. +- Defaults to 2G. +- ++ ++ + +- +- ++ ++ + +- Configure whether to use KVM. +- If the option is not specified KVM support will be detected automatically. +- If yes is specified KVM is always used, and vice versa if no is set KVM is never used. +- ++ Start QEMU in graphical mode. + +- +- ++ ++ + +- Start QEMU in graphical mode. 
+- ++ ++ + +- +- ++ Configures whether to search for firmware which supports secure boot. If the option ++ is not specified, the first firmware which is detected will be used. If true, then the first ++ firmware with secure boot support will be selected. If false, then the first firmware without ++ secure boot will be selected. + +- Configure whether to search for firmware which supports secure boot. +- If the option is not specified the first firmware which is detected will be used. +- If the option is set to yes then the first firmware with secure boot support will be selected. +- If no is specified then the first firmware without secure boot will be selected. +- +- ++ ++ ++ + + + +@@ -116,19 +130,21 @@ + use C-style escaping (i.e. \n to embed a newline, or \x00 to + embed a NUL byte). Note that the invoking shell might already apply unescaping + once, hence this might require double escaping!. +- ++ ++ + + + +- +- Other ++ ++ ++ Other + +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ + + + +@@ -139,8 +155,10 @@ + + Run an Arch Linux VM image generated by mkosi + +- # mkosi -d arch -p systemd -p linux --autologin -o image.raw -f build +- # systemd-vmspawn --image=image.raw ++ ++$ mkosi -d arch -p systemd -p linux --autologin -o image.raw -f build ++$ systemd-vmspawn --image=image.raw ++ + + + +@@ -155,7 +173,7 @@ + See Also + + systemd1, +- mkosi1, ++ mkosi1 + + + diff --git a/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch b/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch new file mode 100644 index 0000000..a204f81 --- /dev/null +++ b/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch 
@@ -0,0 +1,24 @@
+From 6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 7 Nov 2023 18:54:38 +0100
+Subject: [PATCH] vmspawn: shorted --help output to fit in 80 columns
+
+I think that "SB" is good enough here, the option name shows the unabbreviated
+name.
+---
+ src/vmspawn/vmspawn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
+index ab137df0a7155..00166b2f7a40f 100644
+--- a/src/vmspawn/vmspawn.c
++++ b/src/vmspawn/vmspawn.c
+@@ -68,7 +68,7 @@ static int help(void) {
+ " --qemu-mem=MEM Configure guest's RAM size\n"
+ " --qemu-kvm= Configure whether to use KVM or not\n"
+ " --qemu-gui Start QEMU in graphical mode\n"
+- " --secure-boot= Configure whether to search for firmware which supports Secure Boot\n\n"
++ " --secure-boot= Configure searching for firmware with SB support\n\n"
+ "%3$sCredentials:%4$s\n"
+ " --set-credential=ID:VALUE\n"
+ " Pass a credential with literal value to container.\n"
diff --git a/split-files.py b/split-files.py
index 83f1f46..0f1260e 100644
--- a/split-files.py
+++ b/split-files.py
@@ -93,6 +93,7 @@ for file in files(buildroot):
 elif re.search(r'''mymachines|
 machinectl|
 systemd-nspawn|
+ systemd-vmspawn|
 import-pubring.gpg|
 systemd-(machined|import|pull)|
 /machine.slice|
diff --git a/systemd.spec b/systemd.spec
index 8a40760..0dd7068 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -104,6 +104,8 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # https://bugzilla.redhat.com/show_bug.cgi?id=2164404
 Patch0001: https://github.com/systemd/systemd/pull/26494.patch
+Patch0002: https://github.com/systemd/systemd/pull/29913/commits/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch
+Patch0003: https://github.com/systemd/systemd/pull/29913/commits/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
@@ -451,8 +453,8 @@ License: LGPL-2.1-or-later
 %description container
 Systemd tools to spawn and manage containers and virtual machines.
-This package contains systemd-nspawn, machinectl, systemd-machined, and
-systemd-importd.
+This package contains systemd-nspawn, systemd-vmspawn, machinectl,
+systemd-machined, and systemd-importd.
 %package journal-remote
 # Name is the same as in Debian
@@ -607,6 +609,7 @@ CONFIGURE_OPTS=(
 -Dqrencode=%[%{defined rhel}?"disabled":"enabled"]
 -Dgnutls=%[%{with gnutls}?"enabled":"disabled"]
 -Dmicrohttpd=enabled
+ -Dvmspawn=true
 -Dlibidn2=enabled
 -Dlibiptc=false
 -Dlibcurl=enabled
From 10915ad981e2a81075daa7988065a7852fa55a90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 8 Nov 2023 16:20:57 +0100
Subject: [PATCH 04/29] Add Conflicts with older dracut which doesn't have required patches
---
 systemd.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/systemd.spec b/systemd.spec
index 0dd7068..afb44b4 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -102,6 +102,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # Work-around for dracut issue: run generators directly when we are in initrd
 # https://bugzilla.redhat.com/show_bug.cgi?id=2164404
+# Drop when dracut-060 is available.
 Patch0001: https://github.com/systemd/systemd/pull/26494.patch
 Patch0002: https://github.com/systemd/systemd/pull/29913/commits/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch
@@ -247,6 +248,9 @@ Conflicts: initscripts < 9.56.1
 %if 0%{?fedora}
 Conflicts: fedora-release < 23-0.12
 %endif
+# Make sure that dracut supports systemd-executor and the renames done for v255
+Conflicts: dracut < dracut-059-16
+
 Obsoletes: timedatex < 0.6-3
 Provides: timedatex = 0.6-3
 Conflicts: %{name}-standalone-repart < %{version}-%{release}^
From fdfc8c33c8fd11940b24d0dc129cd373cee29f79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 8 Nov 2023 17:02:18 +0100
Subject: [PATCH 05/29] Fix dracut version
[skip changelog]
---
 systemd.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd.spec b/systemd.spec
index afb44b4..be8e4c9 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -249,7 +249,7 @@ Conflicts: initscripts < 9.56.1
 Conflicts: fedora-release < 23-0.12
 %endif
 # Make sure that dracut supports systemd-executor and the renames done for v255
-Conflicts: dracut < dracut-059-16
+Conflicts: dracut < 059-16
 Obsoletes: timedatex < 0.6-3
 Provides: timedatex = 0.6-3
From 82517d01b5404a5e9a4a1da0000200fc0fafce61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 14 Nov 2023 22:57:07 +0100
Subject: [PATCH 06/29] rpminspect: disable udev rules check
https://github.com/rpminspect/rpminspect/issues/1294#issuecomment-1808737198
[skip changelog]
---
 rpminspect.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rpminspect.yaml b/rpminspect.yaml
index 7261213..6318820 100644
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@@ -13,7 +13,12 @@ badfuncs:
 changedfiles:
 exclude_path: .*
-# completely disabled inspections:
+# completely disable inspections:
 inspections:
 # we know about our patches, no need to report anything
 patches: off
+
+ # this inspection uses `udevadm` which comes from this package
+ # disable so we do not check udev rules with a possibly outdated version
+ # of the command
+ udevrules: off
From 92eed01493a5ffa83c8f9064e1ffaecbe6940b37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 15 Nov 2023 18:26:36 +0100
Subject: [PATCH 07/29] Version 255~rc2
- See See https://raw.githubusercontent.com/systemd/systemd/v255-rc2/NEWS
---
 ...7ea76e72ed89a5d86ec9b78ca8f89a989258.patch | 182 ------------------
 ...d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch | 24 ---
 sources | 2 +-
 systemd.spec | 4 +-
 4 files changed, 2 insertions(+), 210 deletions(-)
 delete mode 100644 30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
 delete mode 100644 6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch
diff --git a/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch b/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
deleted file mode 100644
index e31a37a..0000000
--- a/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
+++ /dev/null
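Review bot: `udevrules: off` permanently silences the inspection that validates the udev rules shipped in the package, and the new comment explains why but not when it can come back, so the disabled check is likely to be forgotten once the tooling problem is fixed. I would extend the comment with `# tracked in https://github.com/rpminspect/rpminspect/issues/1294; re-enable once that is resolved` so the gap in coverage stays visible in the file itself rather than only in the commit message. The wording fix in the `# completely disable inspections:` header is fine as is.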
@@ -1,182 +0,0 @@ -From 30247ea76e72ed89a5d86ec9b78ca8f89a989258 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 7 Nov 2023 21:36:46 +0100 -Subject: [PATCH] man: many fixes systemd-vmspawn(1) - -- version information -- indentation and missing tags -- mkosi and qemu don't need root ---- - man/systemctl.xml | 8 +-- - man/systemd-vmspawn.xml | 118 +++++++++++++++++++++++----------------- - 2 files changed, 72 insertions(+), 54 deletions(-) - -diff --git a/man/systemd-vmspawn.xml b/man/systemd-vmspawn.xml -index bf3aaf028eafe..4ca6f1a74fd2f 100644 ---- a/man/systemd-vmspawn.xml -+++ b/man/systemd-vmspawn.xml -@@ -44,59 +44,73 @@ - The following options are understood: - - -- Image Options -+ Image Options - -- -- -- -- -+ -+ -+ -+ - -- Root file system disk image (or device node) for the virtual machine. -- -- -+ Root file system disk image (or device node) for the virtual machine. -+ -+ -+ -+ -+ - - - -- Host Configuration -+ Host Configuration -+ -+ -+ -+ SMP -+ -+ Configures the number of CPUs to start the virtual machine with. -+ Defaults to 1. -+ -+ -+ -+ -+ -+ -+ MEM -+ -+ Configures the amount of memory to start the virtual machine with. -+ Defaults to 2G. - -- -- -- SMP -+ -+ -+ - -- Configures the number of CPUs to start the virtual machine with. -- Defaults to 1. -- -+ -+ - -- -- MEM -+ Configures whether to use KVM. If the option is not specified KVM support will be -+ detected automatically. If true, KVM is always used, and if false, KVM is never used. - -- Configures the amount of memory to start the virtual machine with. -- Defaults to 2G. -- -+ -+ - -- -- -+ -+ - -- Configure whether to use KVM. -- If the option is not specified KVM support will be detected automatically. -- If yes is specified KVM is always used, and vice versa if no is set KVM is never used. -- -+ Start QEMU in graphical mode. - -- -- -+ -+ - -- Start QEMU in graphical mode. 
-- -+ -+ - -- -- -+ Configures whether to search for firmware which supports secure boot. If the option -+ is not specified, the first firmware which is detected will be used. If true, then the first -+ firmware with secure boot support will be selected. If false, then the first firmware without -+ secure boot will be selected. - -- Configure whether to search for firmware which supports secure boot. -- If the option is not specified the first firmware which is detected will be used. -- If the option is set to yes then the first firmware with secure boot support will be selected. -- If no is specified then the first firmware without secure boot will be selected. -- -- -+ -+ -+ - - - -@@ -116,19 +130,21 @@ - use C-style escaping (i.e. \n to embed a newline, or \x00 to - embed a NUL byte). Note that the invoking shell might already apply unescaping - once, hence this might require double escaping!. -- -+ -+ - - - -- -- Other -+ -+ -+ Other - -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ - - - -@@ -139,8 +155,10 @@ - - Run an Arch Linux VM image generated by mkosi - -- # mkosi -d arch -p systemd -p linux --autologin -o image.raw -f build -- # systemd-vmspawn --image=image.raw -+ -+$ mkosi -d arch -p systemd -p linux --autologin -o image.raw -f build -+$ systemd-vmspawn --image=image.raw -+ - - - -@@ -155,7 +173,7 @@ - See Also - - systemd1, -- mkosi1, -+ mkosi1 - - - diff --git a/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch b/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch deleted file mode 100644 index a204f81..0000000 --- a/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-From 6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
-Date: Tue, 7 Nov 2023 18:54:38 +0100
-Subject: [PATCH] vmspawn: shorted --help output to fit in 80 columns
-
-I think that "SB" is good enough here, the option name shows the unabbreviated
-name.
----
- src/vmspawn/vmspawn.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
-index ab137df0a7155..00166b2f7a40f 100644
---- a/src/vmspawn/vmspawn.c
-+++ b/src/vmspawn/vmspawn.c
-@@ -68,7 +68,7 @@ static int help(void) {
- " --qemu-mem=MEM Configure guest's RAM size\n"
- " --qemu-kvm= Configure whether to use KVM or not\n"
- " --qemu-gui Start QEMU in graphical mode\n"
-- " --secure-boot= Configure whether to search for firmware which supports Secure Boot\n\n"
-+ " --secure-boot= Configure searching for firmware with SB support\n\n"
- "%3$sCredentials:%4$s\n"
- " --set-credential=ID:VALUE\n"
- " Pass a credential with literal value to container.\n"
diff --git a/sources b/sources
index fdd7cac..5e6bcd1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-255-rc1.tar.gz) = 3a92f59af54e0f4988304daa9d1d186554cd07f5ebc95ab17d2d6c1cb37caf7b329e8eca67eb7349aed2f425341ef2b79e2469156a26b6e2436b900b2136f824
+SHA512 (systemd-255-rc2.tar.gz) = f33c6868efcbe05a7a4703136bb84243e5a6889c7740d77535eb9f19bb46c209e6f797533351fcf66d1c5d4b83e20ca436bfcb625e26b729bfadca795207ec56
diff --git a/systemd.spec b/systemd.spec
index be8e4c9..7ccc47b 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -35,7 +35,7 @@ Name: systemd
 Url: https://systemd.io
 %if %{without inplace}
-Version: 255~rc1
+Version: 255~rc2
 %else
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@@ -105,8 +105,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # Drop when dracut-060 is available.
 Patch0001: https://github.com/systemd/systemd/pull/26494.patch
-Patch0002: https://github.com/systemd/systemd/pull/29913/commits/6527d175cda8c2e1feceb26eb7e3ec111ddc6ae4.patch
-Patch0003: https://github.com/systemd/systemd/pull/29913/commits/30247ea76e72ed89a5d86ec9b78ca8f89a989258.patch
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
From f93a1346f0f7d1bece6599be35e3187a3b495ca0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Thu, 23 Nov 2023 00:38:44 +0100
Subject: [PATCH 08/29] Add systemd-networkd-defaults subpackage
---
 ...always-install-network-example-files.patch | 42 +++++++++++++++++++
 split-files.py | 9 +++-
 systemd.spec | 16 +++++++
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 0001-meson-always-install-network-example-files.patch
diff --git a/0001-meson-always-install-network-example-files.patch b/0001-meson-always-install-network-example-files.patch
new file mode 100644
index 0000000..de84bf7
--- /dev/null
+++ b/0001-meson-always-install-network-example-files.patch
@@ -0,0 +1,42 @@
+From 518d40b992abca8de5b9136e88748783200535da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Thu, 23 Nov 2023 00:06:29 +0100
+Subject: [PATCH] meson: always install network example files
+
+I started working on integrating this in the Fedora package and realized that
+the example files should be installed regardless of the renamed files when
+default-network=true is used. This is because the renamed files become part of
+a different package, and we want to have the other files which are used as
+documentation in the main package anyway.
+---
+ network/meson.build | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/network/meson.build b/network/meson.build
+index 4f17f7385e..2a472f4f51 100644
+--- a/network/meson.build
++++ b/network/meson.build
+@@ -18,6 +18,10 @@ if conf.get('ENABLE_NETWORKD') == 1
+ '80-wifi-station.network.example',
+ )
+
++ install_data(
++ example_network_files,
++ install_dir : networkdir)
++
+ if get_option('default-network')
+ foreach f : example_network_files
+ install_data(
+@@ -25,12 +29,7 @@ if conf.get('ENABLE_NETWORKD') == 1
+ rename : fs.replace_suffix(fs.name(f), ''),
+ install_dir : networkdir)
+ endforeach
+- else
+- install_data(
+- example_network_files,
+- install_dir : networkdir)
+ endif
+-
+ endif
+
+ install_data('99-default.link',
diff --git a/split-files.py b/split-files.py
index 0f1260e..c6e3cb7 100644
--- a/split-files.py
+++ b/split-files.py
@@ -24,6 +24,7 @@ o_rpm_macros = open('.file-list-rpm-macros', 'w')
 o_devel = open('.file-list-devel', 'w')
 o_container = open('.file-list-container', 'w')
 o_networkd = open('.file-list-networkd', 'w')
+o_networkd_defaults = open('.file-list-networkd-defaults', 'w')
 o_oomd_defaults = open('.file-list-oomd-defaults', 'w')
 o_remote = open('.file-list-remote', 'w')
 o_resolve = open('.file-list-resolve', 'w')
@@ -103,7 +104,13 @@ for file in files(buildroot):
 ''', n, re.X):
 o = o_container
- elif re.search(r'''/usr/lib/systemd/network/80-|
+ # .network.example files go into systemd-networkd, and the matching files
+ # without .example go into systemd-networkd-defaults
+ elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n)
+ and os.path.exists(f'./{n}.example')):
+ o = o_networkd_defaults
+
+ elif re.search(r'''/usr/lib/systemd/network/.*\.network|
 networkd|
 networkctl|
 org.freedesktop.network1|
diff --git a/systemd.spec b/systemd.spec
index 7ccc47b..df45e91 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -105,6 +105,8 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # Drop when dracut-060 is available.
 Patch0001: https://github.com/systemd/systemd/pull/26494.patch
+Patch0002: 0001-meson-always-install-network-example-files.patch
+
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
@@ -489,6 +491,17 @@ systemd-networkd is a system service that manages networks. It detects and configures network devices as they appear, as well as creating virtual network devices.
+%package networkd-defaults
+Summary: Configure network interfaces with networkd by default
+Requires: %{name}-networkd = %{version}-%{release}
+License: MIT-0
+BuildArch: noarch
+
+%description networkd-defaults
+This package contains a set of config files for systemd-networkd that cause it
+to configure network interfaces by default. Note that systemd-networkd needs to
+enabled for this to have any effect.
+
 %package resolved
 Summary: Network Name Resolution manager
 Requires: %{name}%{_isa} = %{version}-%{release}
@@ -625,6 +638,7 @@ CONFIGURE_OPTS=(
 -Dstandalone-binaries=true
 -Ddefault-kill-user-processes=false
 -Dfirst-boot-full-preset=true
+ -Ddefault-network=true
 -Dtests=unsafe
 -Dinstall-tests=true
 -Dtty-gid=5
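Review bot: The new `os.path.exists(f'./{n}.example')` check resolves against the process's current working directory, while `n` is matched by a regex anchored on `/usr/lib/systemd/network/…`, so the test only works when the script happens to run with the buildroot as cwd; `files(buildroot)` in the loop header suggests the root is already known, and `os.path.exists(f'{buildroot}/{n}.example')` (or whatever join the rest of the file uses for `n`) would presumably make the check independent of cwd — this is hedged, since how `n` is derived is outside the hunk. The failure mode is silent: if the lookup misses, every `.network` file falls through to the next branch and lands in systemd-networkd instead of -networkd-defaults, changing which package configures interfaces by default without any build error, so a quick `assert`-style sanity check that at least one file reached `o_networkd_defaults` when `-Ddefault-network=true` is set would be worthwhile. `os` must also be imported at the top of the file, which is outside this hunk.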
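Review bot: The new `%description networkd-defaults` text drops a word: `Note that systemd-networkd needs to enabled` should read `Note that systemd-networkd needs to be enabled for this to have any effect.` Because installing this subpackage is what switches networkd from opt-in to configuring interfaces by default, I would also state what it ships, e.g. `It contains the .network files whose .example counterparts are installed by systemd-networkd.`, so an administrator can tell from the package description alone what installing it changes on the host.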
@@ -1150,6 +1164,8 @@ fi
 %files networkd -f .file-list-networkd
+%files networkd-defaults -f .file-list-networkd-defaults
+
 %files oomd-defaults -f .file-list-oomd-defaults
 %files tests -f .file-list-tests
From f071684b2e6f709185305083a5eac0cd4255714d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 22 Nov 2023 23:47:30 +0100 Subject: [PATCH 09/29] Version 255~rc3
---
 sources | 2 +-
 systemd.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 5e6bcd1..b931cf6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-255-rc2.tar.gz) = f33c6868efcbe05a7a4703136bb84243e5a6889c7740d77535eb9f19bb46c209e6f797533351fcf66d1c5d4b83e20ca436bfcb625e26b729bfadca795207ec56
+SHA512 (systemd-255-rc3.tar.gz) = f46eb9264fb03868926d1abaa4a90af41ac4b2c7770756b87b2f212cd40f3e0c044679d523cbea3078362b12c4a1ee50d73dbe2639980d55c394db9d1a587b6d
diff --git a/systemd.spec b/systemd.spec
index df45e91..beea696 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -35,7 +35,7 @@ Name: systemd
 Url: https://systemd.io
 %if %{without inplace}
-Version: 255~rc2
+Version: 255~rc3
 %else
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
From f216cc8c799544a9074eed84de9795d824857d93 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Thu, 23 Nov 2023 20:19:16 +0000 Subject: [PATCH 10/29] de-dupe LICENSE.LGPL2.1 in licenses The LICENSE.LGPL2.1 file is installed into the same systemd license directory for both the base systemd and -libs. Because the base systemd requires the -libs sub package it's a duplicate and will always be there, it shouldn't cause an issue but it seems in some cases the duplication into the same directory causes issues with ostree so remove it from the base systemd package as it will always be there due to the hard dep on the -libs subpackage.
---
 systemd.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd.spec b/systemd.spec
index beea696..607e0ea 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1119,7 +1119,7 @@ fi
 %doc %{_pkgdocdir}
 %exclude %{_pkgdocdir}/LICENSE*
 # Only the licenses texts for the licenses in License line are included.
-%license LICENSE.GPL2 LICENSE.LGPL2.1
+%license LICENSE.GPL2
 %license LICENSES/MIT.txt
 %ghost %dir %attr(0755,-,-) /etc/systemd/system/basic.target.wants
 %ghost %dir %attr(0755,-,-) /etc/systemd/system/bluetooth.target.wants
From 8ff2a6f2d902f404fedd78854dfbbe8f521fb981 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Wed, 29 Nov 2023 10:42:54 -0800 Subject: [PATCH 11/29] Backport #30197 to fix vconsole startup (RHBZ #2251394)
---
 ...art-rate-limit-for-systemd-vconsole-.patch | 45 +++++++++++++++++++
 systemd.spec | 5 +++
 2 files changed, 50 insertions(+)
 create mode 100644 0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch
diff --git a/0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch b/0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch
new file mode 100644
index 0000000..1c8d79a
--- /dev/null
+++ b/0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch
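Review bot: The comment kept directly above the changed line, `# Only the licenses texts for the licenses in License line are included.`, is no longer accurate after `LICENSE.LGPL2.1` is dropped from `%license`: the main package's LGPL text is now provided only through the -libs subpackage, and the `License:` tag itself is outside the hunk so whether it still names LGPL-2.1 is not visible here. The commit message explains the reasoning but the spec does not; adding `# LICENSE.LGPL2.1 is shipped by the -libs subpackage, which the main package hard-requires (dedup for ostree).` under the existing comment records it where the next person editing the `%license` line will see it.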
@@ -0,0 +1,45 @@ +From 4704176795c167d49f87dfea79193913e6c6d939 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 25 Nov 2023 13:27:17 +0100 +Subject: [PATCH] units: disable start rate limit for + systemd-vconsole-setup.service + +The unit will be started or restarted a few times during boot, but but it has +StartLimitBurst = DefaultStartLimitBurst = 5, which means that the fifth +restart will already fail. On my laptop, I have exactly 4 restarts, so I don't +hit the limit, but on a slightly different system we will easily hit the limit. +In https://bugzilla.redhat.com/show_bug.cgi?id=2251394, there are five reloads +and we hit the limit. + +Since 6ef512c0bb7aeb2000588d7d05e23b4681da8657 we propagate the start counter +over switch-root and daemon reloads, so it's easier to hit the limit during +boot. + +In principle there might be systems with lots of vtcon devices, so let's just +allow the unit to be restarted without a limit. + +Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251394. +--- + units/systemd-vconsole-setup.service.in | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/units/systemd-vconsole-setup.service.in b/units/systemd-vconsole-setup.service.in +index 3475d456bc..c6c5bc9130 100644 +--- a/units/systemd-vconsole-setup.service.in ++++ b/units/systemd-vconsole-setup.service.in +@@ -17,6 +17,12 @@ DefaultDependencies=no + Before=sysinit.target + Before=initrd-switch-root.target shutdown.target + ++# This unit will be restarted by udev whenever a new vtcon device appears or is ++# triggered. Usually that happens just a handful of times during boot, but some ++# systems may have hundreds or thousands of serial consoles connected, so let's ++# just disable the limit altogether. ++StartLimitIntervalSec=0 ++ + [Service] + Type=oneshot + # This service will be restarted by udev whenever a new vtcon device appears. +-- +2.43.0 + diff --git a/systemd.spec b/systemd.spec index 607e0ea..34e2bfe 100644 
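Review bot: The new comment in the nested `units/systemd-vconsole-setup.service.in` hunk says "hundreds or thousands of serial consoles", but the trigger described on the line before is a new vtcon (virtual-terminal console) device, so the wording misnames the device class; `# systems may have hundreds or thousands of vtcon devices, so let's` keeps the rest of the sentence intact. It would also help to state that `StartLimitIntervalSec=0` disables the start rate limit entirely rather than raising it, since with `Type=oneshot` every udev-driven restart now goes through and the only remaining throttle on an add/remove storm is presumably udev's own event handling. The nested commit message also carries a doubled word, "but but", though that text is embedded in the patch file and is not something this spec commit can change.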
--- a/systemd.spec
+++ b/systemd.spec
@@ -107,6 +107,11 @@ Patch0001: https://github.com/systemd/systemd/pull/26494.patch
 Patch0002: 0001-meson-always-install-network-example-files.patch
+# https://github.com/systemd/systemd/pull/30197
+# https://bugzilla.redhat.com/show_bug.cgi?id=2251394
+# Drop vconsole restart limit to prevent it sometimes failing on boot
+Patch0003: 0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch
+
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
From f41ff634cbc300de8ffb881385da2e10f5c0807c Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 1 Dec 2023 09:10:38 -0800 Subject: [PATCH 12/29] Backport PRs #30170 and #30266 to fix BPF denials (RHBZ #2250930)
---
 ...se-bpf-outer-map-fd-in-systemd-execu.patch | 31 +++++++
 ...ter_map_fd-to-sd-executor-only-if-Re.patch | 47 ++++++++++
 ...redundant-check-when-serializing-FDs.patch | 92 +++++++++++++++++++
 ...ple-of-tests-for-RestrictFileSystems.patch | 89 ++++++++++++++++++
 systemd.spec | 11 +++
 5 files changed, 270 insertions(+)
 create mode 100644 0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch
 create mode 100644 0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch
 create mode 100644 0002-core-remove-redundant-check-when-serializing-FDs.patch
 create mode 100644 0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch
diff --git a/0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch b/0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch
new file mode 100644
index 0000000..5388c6a
--- /dev/null
+++ b/0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch
@@ -0,0 +1,31 @@
+From ef90e8f9db911626c8f5c18c49cf6fe445afdefb Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Thu, 30 Nov 2023 11:01:14 +0100
+Subject: [PATCH] Make sure we close bpf outer map fd in systemd-executor
+
+Not doing so leaks it into the child service and causes selinux
+denials.
+---
+ src/core/execute-serialize.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c
+index 56c4f4da8a..6c19cd42a2 100644
+--- a/src/core/execute-serialize.c
++++ b/src/core/execute-serialize.c
+@@ -1625,6 +1625,12 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) {
+ if (fd < 0)
+ continue;
+
++ /* This is special and relies on close-on-exec semantics, make sure it's
++ * there */
++ r = fd_cloexec(fd, true);
++ if (r < 0)
++ return r;
++
+ p->bpf_outer_map_fd = fd;
+ } else if ((val = startswith(l, "exec-parameters-notify-socket="))) {
+ r = free_and_strdup(&p->notify_socket, val);
+--
+2.43.0
+
diff --git a/0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch b/0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch
new file mode 100644
index 0000000..cf947f2
--- /dev/null
+++ b/0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch
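Review bot: In the nested `execute-serialize.c` hunk the new early `return r;` after a failed `fd_cloexec()` happens before `fd` is stored in `p->bpf_outer_map_fd`, so if the deserialize step above the hunk has already transferred ownership of `fd` to this function (its call is not visible here), the descriptor is leaked on that path, which is the same class of problem the patch is fixing. Closing it before bailing out, `if (r < 0) { safe_close(fd); return r; }` or the project's equivalent helper, keeps the error path clean. The comment added above the call could also say why this fd is singled out, e.g. `/* Must not be inherited by the spawned service (causes SELinux denials); make sure O_CLOEXEC is set before we hold on to it. */`. exec_parameters_deserialize() starts and ends outside the hunk.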
@@ -0,0 +1,47 @@ +From 60ef4baeedc34b5c7ab0e2f211684f9b96d63f82 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 23 Nov 2023 19:08:22 +0000 +Subject: [PATCH 1/3] core: pass bpf_outer_map_fd to sd-executor only if + RestrictFileSystems was set + +It causes SELinux denials to be raised, so restrict it only where needed + +Follow-up for beb4ae87558cae +--- + src/core/execute-serialize.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c +index 342883994a..60c121a0d1 100644 +--- a/src/core/execute-serialize.c ++++ b/src/core/execute-serialize.c +@@ -1244,7 +1244,7 @@ static bool exec_parameters_is_idle_pipe_set(const ExecParameters *p) { + p->idle_pipe[3] >= 0; + } + +-static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fds) { ++static int exec_parameters_serialize(const ExecParameters *p, const ExecContext *c, FILE *f, FDSet *fds) { + int r; + + assert(f); +@@ -1375,7 +1375,7 @@ static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fd + return r; + } + +- if (p->bpf_outer_map_fd >= 0) { ++ if (c && exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) { + r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd); + if (r < 0) + return r; +@@ -3860,7 +3860,7 @@ int exec_serialize_invocation( + if (r < 0) + return log_debug_errno(r, "Failed to serialize command: %m"); + +- r = exec_parameters_serialize(p, f, fds); ++ r = exec_parameters_serialize(p, ctx, f, fds); + if (r < 0) + return log_debug_errno(r, "Failed to serialize parameters: %m"); + +-- +2.43.0 + diff --git a/0002-core-remove-redundant-check-when-serializing-FDs.patch b/0002-core-remove-redundant-check-when-serializing-FDs.patch new file mode 100644 index 0000000..e09a2e0 --- /dev/null +++ b/0002-core-remove-redundant-check-when-serializing-FDs.patch 
@@ -0,0 +1,92 @@ +From 2d042c75ffb71f59ebd4689c3972786c29b4bf51 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 23 Nov 2023 19:14:45 +0000 +Subject: [PATCH 2/3] core: remove redundant check when serializing FDs + +The helpers already skip if the FD is < 0 +--- + src/core/execute-serialize.c | 50 ++++++++++++++---------------------- + 1 file changed, 19 insertions(+), 31 deletions(-) + +diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c +index 60c121a0d1..56c4f4da8a 100644 +--- a/src/core/execute-serialize.c ++++ b/src/core/execute-serialize.c +@@ -1274,11 +1274,9 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext + return r; + } + +- if (p->n_socket_fds + p->n_storage_fds > 0) { +- r = serialize_fd_many(f, fds, "exec-parameters-fds", p->fds, p->n_socket_fds + p->n_storage_fds); +- if (r < 0) +- return r; +- } ++ r = serialize_fd_many(f, fds, "exec-parameters-fds", p->fds, p->n_socket_fds + p->n_storage_fds); ++ if (r < 0) ++ return r; + } + + r = serialize_strv(f, "exec-parameters-fd-names", p->fd_names); +@@ -1351,31 +1349,23 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext + return r; + } + +- if (p->stdin_fd >= 0) { +- r = serialize_fd(f, fds, "exec-parameters-stdin-fd", p->stdin_fd); +- if (r < 0) +- return r; +- } ++ r = serialize_fd(f, fds, "exec-parameters-stdin-fd", p->stdin_fd); ++ if (r < 0) ++ return r; + +- if (p->stdout_fd >= 0) { +- r = serialize_fd(f, fds, "exec-parameters-stdout-fd", p->stdout_fd); +- if (r < 0) +- return r; +- } ++ r = serialize_fd(f, fds, "exec-parameters-stdout-fd", p->stdout_fd); ++ if (r < 0) ++ return r; + +- if (p->stderr_fd >= 0) { +- r = serialize_fd(f, fds, "exec-parameters-stderr-fd", p->stderr_fd); +- if (r < 0) +- return r; +- } ++ r = serialize_fd(f, fds, "exec-parameters-stderr-fd", p->stderr_fd); ++ if (r < 0) ++ return r; + +- if (p->exec_fd >= 0) { +- r = serialize_fd(f, fds, "exec-parameters-exec-fd", p->exec_fd); +- 
if (r < 0) +- return r; +- } ++ r = serialize_fd(f, fds, "exec-parameters-exec-fd", p->exec_fd); ++ if (r < 0) ++ return r; + +- if (c && exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) { ++ if (c && exec_context_restrict_filesystems_set(c)) { + r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd); + if (r < 0) + return r; +@@ -1401,11 +1391,9 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext + if (r < 0) + return r; + +- if (p->user_lookup_fd >= 0) { +- r = serialize_fd(f, fds, "exec-parameters-user-lookup-fd", p->user_lookup_fd); +- if (r < 0) +- return r; +- } ++ r = serialize_fd(f, fds, "exec-parameters-user-lookup-fd", p->user_lookup_fd); ++ if (r < 0) ++ return r; + + r = serialize_strv(f, "exec-parameters-files-env", p->files_env); + if (r < 0) +-- +2.43.0 + diff --git a/0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch b/0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch new file mode 100644 index 0000000..4034b22 --- /dev/null +++ b/0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch 
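Review bot: The simplification in the nested `execute-serialize.c` hunks rests on `serialize_fd()` treating a negative fd, and `serialize_fd_many()` a zero count, as no-ops; the commit message asserts this but nothing in the hunk shows it, and if either helper instead records the value or fails, parameters with an unset stdin/stdout/stderr, exec or user-lookup fd would now emit bogus entries or abort serialization. A one-line comment at the first unguarded call would make the assumption visible to the next reader, e.g. `/* serialize_fd() is a no-op for fd < 0, so the callers need no guard */`. Note the bpf-outer-map condition also loses its `>= 0` check here, so it depends on the same property. exec_parameters_serialize() starts and ends outside the hunk.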
@@ -0,0 +1,89 @@ +From 4a43c2b3a1066247f26d8a6e52ebfc40852a5f7e Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 24 Nov 2023 16:00:15 +0100 +Subject: [PATCH 3/3] test: add a couple of tests for RestrictFileSystems= + +--- + test/units/testsuite-07.exec-context.sh | 31 +++++++++++++++++++++++++ + test/units/util.sh | 19 +++++++++++++++ + 2 files changed, 50 insertions(+) + +diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh +index b4118d2fe8..10b425359d 100755 +--- a/test/units/testsuite-07.exec-context.sh ++++ b/test/units/testsuite-07.exec-context.sh +@@ -4,6 +4,9 @@ + set -eux + set -o pipefail + ++# shellcheck source=test/units/util.sh ++. "$(dirname "$0")"/util.sh ++ + # Make sure the unit's exec context matches its configuration + # See: https://github.com/systemd/systemd/pull/29552 + +@@ -284,6 +287,34 @@ systemd-run --wait --pipe "${ARGUMENTS[@]}" \ + ulimit -R || exit 0; + : RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];' + ++# RestrictFileSystems= ++# ++# Note: running instrumented binaries requires at least /proc to be accessible, so let's ++# skip the test when we're running under sanitizers ++if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf; then ++ ROOTFS="$(df --output=fstype /usr/bin | sed --quiet 2p)" ++ systemd-run --wait --pipe -p RestrictFileSystems="" ls / ++ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar" ls / ++ (! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc) ++ (! 
systemd-run --wait --pipe -p RestrictFileSystems="foo" ls /) ++ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar baz proc" ls /proc ++ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /proc ++ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /sys/fs/cgroup ++ ++ systemd-run --wait --pipe -p RestrictFileSystems="~" ls / ++ systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls / ++ systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls / ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~$ROOTFS" ls /) ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc) ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /proc) ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /proc) ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /sys) ++ systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls / ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /proc) ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /dev) ++ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys) ++fi ++ + # Ensure that clean-up codepaths work correctly if activation ultimately fails + touch /run/not-a-directory + mkdir /tmp/root +diff --git a/test/units/util.sh b/test/units/util.sh +index fdfb91f8c6..b5ed73237c 100755 +--- a/test/units/util.sh ++++ b/test/units/util.sh +@@ -197,3 +197,22 @@ openssl_supports_kdf() { + # but let's do that when/if the need arises + openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf" + } ++ ++kernel_supports_lsm() { ++ local lsm="${1:?}" ++ local items item ++ ++ if [[ ! 
-e /sys/kernel/security/lsm ]]; then ++ echo "/sys/kernel/security/lsm doesn't exist, assuming $lsm is not supported" ++ return 1 ++ fi ++ ++ mapfile -t -d, items Date: Thu, 23 Nov 2023 14:45:33 +0100 Subject: [PATCH 13/29] split-files: move static filelist config into split-files.py The idea was that it's nicer to keep that config in .spec where it's subject to syntax highlighting. split-files.py was supposed to a stand-alone program. But in practice this split is confusing, because file rules are listed in two places and we need to modify split-files.py quite often. This will be easier if everything is in one file. [skip changelog] --- split-files.py | 39 +++++++++++++++++++++++++++++++++++++-- systemd.spec | 39 ++------------------------------------- 2 files changed, 39 insertions(+), 39 deletions(-) diff --git a/split-files.py b/split-files.py index c6e3cb7..cd19a85 100644 --- a/split-files.py +++ b/split-files.py 
@@ -1,8 +1,43 @@ import re, sys, os, collections buildroot = sys.argv[1] -known_files = sys.stdin.read().splitlines() -known_files = {line.split()[-1]:line for line in known_files} + +known_files = ''' +%ghost %config(noreplace) /etc/crypttab +%ghost %attr(0444,root,root) /etc/udev/hwdb.bin +/etc/inittab +/usr/lib/systemd/purge-nobody-user +%ghost %config(noreplace) /etc/vconsole.conf +%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf +%ghost %attr(0664,root,root) %verify(not group) /run/utmp +%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp +%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp +%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog +%ghost %config(noreplace) /etc/hostname +%ghost %config(noreplace) /etc/localtime +%ghost %config(noreplace) /etc/locale.conf +%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id +%ghost %config(noreplace) /etc/machine-info +%ghost %attr(0700,root,root) %dir /var/cache/private +%ghost %attr(0700,root,root) %dir /var/lib/private +%ghost %dir /var/lib/private/systemd +%ghost %dir /var/lib/private/systemd/journal-upload +%ghost /var/lib/private/systemd/journal-upload/state +%ghost %dir /var/lib/systemd/timesync +%ghost /var/lib/systemd/timesync/clock +%ghost %dir /var/lib/systemd/backlight +%ghost /var/lib/systemd/catalog/database +%ghost %dir /var/lib/systemd/coredump +%ghost /var/lib/systemd/journal-upload +%ghost %dir /var/lib/systemd/linger +%ghost %attr(0600,root,root) /var/lib/systemd/random-seed +%ghost %dir /var/lib/systemd/rfkill +%ghost %dir %verify(not mode group) /var/log/journal +%ghost %dir /var/log/journal/remote +%ghost %attr(0700,root,root) %dir /var/log/private +'''.splitlines() + +known_files = {line.split()[-1]:line for line in known_files if line} def files(root): os.chdir(root) diff --git a/systemd.spec b/systemd.spec index 28fdc6d..a70d85e 100644 --- a/systemd.spec +++ b/systemd.spec 
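Review bot: `known_files = {line.split()[-1]:line for line in known_files if line}` in the `@@ -1,8 +1,43 @@` hunk filters out only empty strings; a line containing just spaces, easy to introduce when editing the embedded block, makes `split()` return `[]` and the `[-1]` raises IndexError with no indication of which entry is at fault. Using `if line.strip()` as the filter avoids that, and skipping `#`-prefixed lines would allow comments inside the list. A short header comment above the block, such as `# One entry per line: optional %files directives followed by the installed path`, would also document the expected format now that it lives in Python rather than in the spec.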
@@ -849,43 +849,8 @@ ln -s --relative %{buildroot}%{_bindir}/kernel-install %{buildroot}%{_sbindir}/i %find_lang %{name} -# Split files in build root into rpms. See split-files.py for the -# rules towards the end, anything which is an exception needs a line -# here. -python3 %{SOURCE2} %buildroot < Date: Thu, 23 Nov 2023 14:53:53 +0100 Subject: [PATCH 14/29] split-files: use a dictionary instead of many little variables Just refactoring, to make it easier to act on the list of outputs. [skip changelog] --- split-files.py | 84 ++++++++++++++++++++++++++------------------------ 1 file changed, 44 insertions(+), 40 deletions(-) diff --git a/split-files.py b/split-files.py index cd19a85..ad0d920 100644 --- a/split-files.py +++ b/split-files.py 
@@ -50,25 +50,29 @@ def files(root): if file.is_dir() and not file.is_symlink(): todo.append(file) -o_libs = open('.file-list-libs', 'w') -o_udev = open('.file-list-udev', 'w') -o_ukify = open('.file-list-ukify', 'w') -o_boot = open('.file-list-boot', 'w') -o_pam = open('.file-list-pam', 'w') -o_rpm_macros = open('.file-list-rpm-macros', 'w') -o_devel = open('.file-list-devel', 'w') -o_container = open('.file-list-container', 'w') -o_networkd = open('.file-list-networkd', 'w') -o_networkd_defaults = open('.file-list-networkd-defaults', 'w') -o_oomd_defaults = open('.file-list-oomd-defaults', 'w') -o_remote = open('.file-list-remote', 'w') -o_resolve = open('.file-list-resolve', 'w') -o_tests = open('.file-list-tests', 'w') -o_standalone_repart = open('.file-list-standalone-repart', 'w') -o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w') -o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w') -o_standalone_shutdown = open('.file-list-standalone-shutdown', 'w') -o_main = open('.file-list-main', 'w') +outputs = {suffix: open(f'.file-list-{suffix}', 'w') + for suffix in ( + 'libs', + 'udev', + 'ukify', + 'boot', + 'pam', + 'rpm-macros', + 'devel', + 'container', + 'networkd', + 'networkd-defaults', + 'oomd-defaults', + 'remote', + 'resolve', + 'tests', + 'standalone-repart', + 'standalone-tmpfiles', + 'standalone-sysusers', + 'standalone-shutdown', + 'main', + )} + for file in files(buildroot): n = file.path[1:] if re.match(r'''/usr/(share|include)$| 
@@ -95,36 +99,36 @@ for file in files(buildroot): if n.endswith('.standalone'): if 'repart' in n: - o = o_standalone_repart + o = outputs['standalone-repart'] elif 'tmpfiles' in n: - o = o_standalone_tmpfiles + o = outputs['standalone-tmpfiles'] elif 'sysusers' in n: - o = o_standalone_sysusers + o = outputs['standalone-sysusers'] elif 'shutdown' in n: - o = o_standalone_shutdown + o = outputs['standalone-shutdown'] else: assert False, 'Found .standalone not belonging to known packages' elif '/security/pam_' in n or '/man8/pam_' in n: - o = o_pam + o = outputs['pam'] elif '/rpm/' in n: - o = o_rpm_macros + o = outputs['rpm-macros'] elif '/usr/lib/systemd/tests' in n: - o = o_tests + o = outputs['tests'] elif 'ukify' in n: - o = o_ukify + o = outputs['ukify'] elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n): - o = o_main + o = outputs['main'] elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n): - o = o_udev + o = outputs['udev'] elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n): - o = o_devel + o = outputs['devel'] elif re.search(r'''journal-(remote|gateway|upload)| systemd-remote\.conf| /usr/share/systemd/gatewayd| /var/log/journal/remote ''', n, re.X): - o = o_remote + o = outputs['remote'] elif re.search(r'''mymachines| machinectl| @@ -137,13 +141,13 @@ for file in files(buildroot): var-lib-machines.mount| org.freedesktop.(import|machine)1 ''', n, re.X): - o = o_container + o = outputs['container'] # .network.example files go into systemd-networkd, and the matching files # without .example go into systemd-networkd-defaults elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n) and os.path.exists(f'./{n}.example')): - o = o_networkd_defaults + o = outputs['networkd-defaults'] elif re.search(r'''/usr/lib/systemd/network/.*\.network| networkd| 
@@ -154,13 +158,13 @@ for file in files(buildroot): systemd\.network| systemd\.netdev ''', n, re.X): - o = o_networkd + o = outputs['networkd'] elif '.so.' in n: - o = o_libs + o = outputs['libs'] elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X): - o = o_oomd_defaults + o = outputs['oomd-defaults'] elif re.search(r'''udev(?!\.pc)| hwdb| @@ -211,23 +215,23 @@ for file in files(buildroot): ''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because # they can be used to interact with remote daemons. Also, the user could be # confused if those user-facing binaries are not available. - o = o_udev + o = outputs['udev'] elif re.search(r'''/boot/efi| /usr/lib/systemd/boot| sd-boot|systemd-boot\.|loader.conf ''', n, re.X): - o = o_boot + o = outputs['boot'] elif re.search(r'''resolved|resolve1| systemd-resolve| resolvconf| systemd\.(positive|negative) ''', n, re.X): # resolvectl and nss-resolve are in the main package. - o = o_resolve + o = outputs['resolve'] else: - o = o_main + o = outputs['main'] if n in known_files: prefix = ' '.join(known_files[n].split()[:-1]) From 0e8fc18fbde4c57742cc844a73bc280b8929b781 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 23 Nov 2023 14:57:31 +0100 Subject: [PATCH 15/29] split-files: fail early if we split-files produces an empty output We would fail later anyway, because rpm refuses %files with an empty filelist file. But this is much later, after %check, so let's fail already in %install. [skip changelog] --- split-files.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/split-files.py b/split-files.py index ad0d920..d978886 100644 --- a/split-files.py +++ b/split-files.py @@ -249,3 +249,8 @@ for file in files(buildroot): suffix = '*' if '/man/' in n else '' print(f'{prefix}{n}{suffix}', file=o) + +if [print(f'ERROR: no file names were written to {o.name}') + for o in outputs.values() + if o.tell() == 0]: + sys.exit(1) 
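Review bot: The `if [print(...) for o in outputs.values() if o.tell() == 0]: sys.exit(1)` added in the `@@ -249,3 +249,8 @@` hunk uses a list comprehension for its print side effects and then for its truthiness, which reads as a trick rather than as the check it is. Collecting the empty outputs into a named list first and then looping makes the intent obvious and gives later edits (such as exempting conditional packages) an explicit value to test against. `o.tell()` as an emptiness probe on write-mode text files works but is indirect; a comment `# tell() == 0 means nothing was written to this file list` would help. Rewritten:
```python
empty = [o.name for o in outputs.values() if o.tell() == 0]
for name in empty:
    print(f'ERROR: no file names were written to {name}')
if empty:
    sys.exit(1)
```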
From 453bbcb4233717f8e5ad5213882582484da8b7b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 23 Nov 2023 15:10:10 +0100 Subject: [PATCH 16/29] split-files: also handle conditional packages This is a bit annoying, but meh. [skip changelog]
---
 split-files.py | 7 +++++--
 systemd.spec | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/split-files.py b/split-files.py
index d978886..e03484f 100644
--- a/split-files.py
+++ b/split-files.py
@@ -1,6 +1,7 @@
 import re, sys, os, collections
 buildroot = sys.argv[1]
+no_bootloader = '--no-bootloader' in sys.argv
 known_files = '''
 %ghost %config(noreplace) /etc/crypttab
@@ -251,6 +252,8 @@ for file in files(buildroot):
 print(f'{prefix}{n}{suffix}', file=o)
 if [print(f'ERROR: no file names were written to {o.name}')
- for o in outputs.values()
- if o.tell() == 0]:
+ for name, o in outputs.items()
+ if (o.tell() == 0 and
+ not (no_bootloader and name in ('ukify', 'boot-unsigned')))
+ ]:
 sys.exit(1)
diff --git a/systemd.spec b/systemd.spec
index a70d85e..ba7f6cb 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -850,7 +850,7 @@ ln -s --relative %{buildroot}%{_bindir}/kernel-install %{buildroot}%{_sbindir}/i
 %find_lang %{name}
 # Split files in build root into rpms
-python3 %{SOURCE2} %buildroot
+python3 %{SOURCE2} %buildroot %{!?want_bootloader:--no-bootloader}
 %check
 %if %{with tests}
From 268ca6a05967f1b2fa5ff6eb1bf85f9f3e6266fe Mon Sep 17 00:00:00 2001
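Review bot: The exemption in the `@@ -251,6 +252,8 @@` hunk tests `name in ('ukify', 'boot-unsigned')`, but `name` iterates the keys of `outputs`, and the key set shown in the earlier `@@ -50,25 +50,29 @@` hunk contains `'ukify'` and `'boot'`, not `'boot-unsigned'`; so an empty `.file-list-boot` under `--no-bootloader` still trips `sys.exit(1)`. Unless a `boot-unsigned` key is introduced somewhere outside this view, the tuple should be `not (no_bootloader and name in ('ukify', 'boot'))`. A comment tying the tuple to the spec's conditional `%files` sections, e.g. `# file lists that are legitimately empty when the bootloader is not built`, would keep the two places in sync.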
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 2 Dec 2023 09:56:40 +0100 Subject: [PATCH 17/29] Version 255~rc4 --- ...se-bpf-outer-map-fd-in-systemd-execu.patch | 31 ------- ...ter_map_fd-to-sd-executor-only-if-Re.patch | 47 ---------- ...always-install-network-example-files.patch | 42 --------- ...art-rate-limit-for-systemd-vconsole-.patch | 45 --------- ...redundant-check-when-serializing-FDs.patch | 92 ------------------- ...ple-of-tests-for-RestrictFileSystems.patch | 89 ------------------ systemd.spec | 20 +--- 7 files changed, 1 insertion(+), 365 deletions(-) delete mode 100644 0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch delete mode 100644 0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch delete mode 100644 0001-meson-always-install-network-example-files.patch delete mode 100644 0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch delete mode 100644 0002-core-remove-redundant-check-when-serializing-FDs.patch delete mode 100644 0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch diff --git a/0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch b/0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch deleted file mode 100644 index 5388c6a..0000000 --- a/0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From ef90e8f9db911626c8f5c18c49cf6fe445afdefb Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Thu, 30 Nov 2023 11:01:14 +0100 -Subject: [PATCH] Make sure we close bpf outer map fd in systemd-executor - -Not doing so leaks it into the child service and causes selinux -denials. ---- - src/core/execute-serialize.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c -index 56c4f4da8a..6c19cd42a2 100644 ---- a/src/core/execute-serialize.c -+++ b/src/core/execute-serialize.c -@@ -1625,6 +1625,12 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) { - if (fd < 0) - continue; - -+ /* This is special and relies on close-on-exec semantics, make sure it's -+ * there */ -+ r = fd_cloexec(fd, true); -+ if (r < 0) -+ return r; -+ - p->bpf_outer_map_fd = fd; - } else if ((val = startswith(l, "exec-parameters-notify-socket="))) { - r = free_and_strdup(&p->notify_socket, val); --- -2.43.0 - diff --git a/0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch b/0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch deleted file mode 100644 index cf947f2..0000000 --- a/0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 60ef4baeedc34b5c7ab0e2f211684f9b96d63f82 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Thu, 23 Nov 2023 19:08:22 +0000 -Subject: [PATCH 1/3] core: pass bpf_outer_map_fd to sd-executor only if - RestrictFileSystems was set - -It causes SELinux denials to be raised, so restrict it only where needed - -Follow-up for beb4ae87558cae ---- - src/core/execute-serialize.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c -index 342883994a..60c121a0d1 100644 ---- a/src/core/execute-serialize.c -+++ b/src/core/execute-serialize.c -@@ -1244,7 +1244,7 @@ static bool exec_parameters_is_idle_pipe_set(const ExecParameters *p) { - p->idle_pipe[3] >= 0; - } - --static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fds) { -+static int exec_parameters_serialize(const ExecParameters *p, const ExecContext *c, FILE *f, FDSet *fds) { - int r; - - assert(f); -@@ -1375,7 +1375,7 @@ static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fd - return r; - } - -- if (p->bpf_outer_map_fd >= 0) { -+ if (c && exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) { - r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd); - if (r < 0) - return r; -@@ -3860,7 +3860,7 @@ int exec_serialize_invocation( - if (r < 0) - return log_debug_errno(r, "Failed to serialize command: %m"); - -- r = exec_parameters_serialize(p, f, fds); -+ r = exec_parameters_serialize(p, ctx, f, fds); - if (r < 0) - return log_debug_errno(r, "Failed to serialize parameters: %m"); - --- -2.43.0 - diff --git a/0001-meson-always-install-network-example-files.patch b/0001-meson-always-install-network-example-files.patch deleted file mode 100644 index de84bf7..0000000 --- a/0001-meson-always-install-network-example-files.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 518d40b992abca8de5b9136e88748783200535da Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 23 Nov 2023 00:06:29 +0100 -Subject: [PATCH] meson: always install network example files - -I started working on integrating this in the Fedora package and realized that -the example files should be installed regardless of the renamed files when -default-network=true is used. This is because the renamed files become part of -a different package, and we want to have the other files which are used as -documentation in the main package anyway. ---- - network/meson.build | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/network/meson.build b/network/meson.build -index 4f17f7385e..2a472f4f51 100644 ---- a/network/meson.build -+++ b/network/meson.build -@@ -18,6 +18,10 @@ if conf.get('ENABLE_NETWORKD') == 1 - '80-wifi-station.network.example', - ) - -+ install_data( -+ example_network_files, -+ install_dir : networkdir) -+ - if get_option('default-network') - foreach f : example_network_files - install_data( -@@ -25,12 +29,7 @@ if conf.get('ENABLE_NETWORKD') == 1 - rename : fs.replace_suffix(fs.name(f), ''), - install_dir : networkdir) - endforeach -- else -- install_data( -- example_network_files, -- install_dir : networkdir) - endif -- - endif - - install_data('99-default.link', diff --git a/0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch b/0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch deleted file mode 100644 index 1c8d79a..0000000 --- a/0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 4704176795c167d49f87dfea79193913e6c6d939 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 25 Nov 2023 13:27:17 +0100 -Subject: [PATCH] units: disable start rate limit for - systemd-vconsole-setup.service - -The unit will be started or restarted a few times during boot, but but it has -StartLimitBurst = DefaultStartLimitBurst = 5, which means that the fifth -restart will already fail. On my laptop, I have exactly 4 restarts, so I don't -hit the limit, but on a slightly different system we will easily hit the limit. -In https://bugzilla.redhat.com/show_bug.cgi?id=2251394, there are five reloads -and we hit the limit. - -Since 6ef512c0bb7aeb2000588d7d05e23b4681da8657 we propagate the start counter -over switch-root and daemon reloads, so it's easier to hit the limit during -boot. - -In principle there might be systems with lots of vtcon devices, so let's just -allow the unit to be restarted without a limit. - -Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251394. ---- - units/systemd-vconsole-setup.service.in | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/units/systemd-vconsole-setup.service.in b/units/systemd-vconsole-setup.service.in -index 3475d456bc..c6c5bc9130 100644 ---- a/units/systemd-vconsole-setup.service.in -+++ b/units/systemd-vconsole-setup.service.in -@@ -17,6 +17,12 @@ DefaultDependencies=no - Before=sysinit.target - Before=initrd-switch-root.target shutdown.target - -+# This unit will be restarted by udev whenever a new vtcon device appears or is -+# triggered. Usually that happens just a handful of times during boot, but some -+# systems may have hundreds or thousands of serial consoles connected, so let's -+# just disable the limit altogether. -+StartLimitIntervalSec=0 -+ - [Service] - Type=oneshot - # This service will be restarted by udev whenever a new vtcon device appears. --- -2.43.0 - 
diff --git a/0002-core-remove-redundant-check-when-serializing-FDs.patch b/0002-core-remove-redundant-check-when-serializing-FDs.patch
deleted file mode 100644
index e09a2e0..0000000
--- a/0002-core-remove-redundant-check-when-serializing-FDs.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From 2d042c75ffb71f59ebd4689c3972786c29b4bf51 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Thu, 23 Nov 2023 19:14:45 +0000 -Subject: [PATCH 2/3] core: remove redundant check when serializing FDs - -The helpers already skip if the FD is < 0 ---- - src/core/execute-serialize.c | 50 ++++++++++++++---------------------- - 1 file changed, 19 insertions(+), 31 deletions(-) - -diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c -index 60c121a0d1..56c4f4da8a 100644 ---- a/src/core/execute-serialize.c -+++ b/src/core/execute-serialize.c -@@ -1274,11 +1274,9 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext - return r; - } - -- if (p->n_socket_fds + p->n_storage_fds > 0) { -- r = serialize_fd_many(f, fds, "exec-parameters-fds", p->fds, p->n_socket_fds + p->n_storage_fds); -- if (r < 0) -- return r; -- } -+ r = serialize_fd_many(f, fds, "exec-parameters-fds", p->fds, p->n_socket_fds + p->n_storage_fds); -+ if (r < 0) -+ return r; - } - - r = serialize_strv(f, "exec-parameters-fd-names", p->fd_names); -@@ -1351,31 +1349,23 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext - return r; - } - -- if (p->stdin_fd >= 0) { -- r = serialize_fd(f, fds, "exec-parameters-stdin-fd", p->stdin_fd); -- if (r < 0) -- return r; -- } -+ r = serialize_fd(f, fds, "exec-parameters-stdin-fd", p->stdin_fd); -+ if (r < 0) -+ return r; - -- if (p->stdout_fd >= 0) { -- r = serialize_fd(f, fds, "exec-parameters-stdout-fd", p->stdout_fd); -- if (r < 0) -- return r; -- } -+ r = serialize_fd(f, fds, "exec-parameters-stdout-fd", p->stdout_fd); -+ if (r < 0) -+ return r; - -- if (p->stderr_fd >= 0) { -- r = serialize_fd(f, fds, "exec-parameters-stderr-fd", p->stderr_fd); -- if (r < 0) -- return r; -- } -+ r = serialize_fd(f, fds, "exec-parameters-stderr-fd", p->stderr_fd); -+ if (r < 0) -+ return r; - -- if (p->exec_fd >= 0) { -- r = serialize_fd(f, fds, "exec-parameters-exec-fd", p->exec_fd); -- 
if (r < 0) -- return r; -- } -+ r = serialize_fd(f, fds, "exec-parameters-exec-fd", p->exec_fd); -+ if (r < 0) -+ return r; - -- if (c && exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) { -+ if (c && exec_context_restrict_filesystems_set(c)) { - r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd); - if (r < 0) - return r; -@@ -1401,11 +1391,9 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext - if (r < 0) - return r; - -- if (p->user_lookup_fd >= 0) { -- r = serialize_fd(f, fds, "exec-parameters-user-lookup-fd", p->user_lookup_fd); -- if (r < 0) -- return r; -- } -+ r = serialize_fd(f, fds, "exec-parameters-user-lookup-fd", p->user_lookup_fd); -+ if (r < 0) -+ return r; - - r = serialize_strv(f, "exec-parameters-files-env", p->files_env); - if (r < 0) --- -2.43.0 - diff --git a/0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch b/0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch deleted file mode 100644 index 4034b22..0000000 --- a/0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 4a43c2b3a1066247f26d8a6e52ebfc40852a5f7e Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Fri, 24 Nov 2023 16:00:15 +0100 -Subject: [PATCH 3/3] test: add a couple of tests for RestrictFileSystems= - ---- - test/units/testsuite-07.exec-context.sh | 31 +++++++++++++++++++++++++ - test/units/util.sh | 19 +++++++++++++++ - 2 files changed, 50 insertions(+) - -diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh -index b4118d2fe8..10b425359d 100755 ---- a/test/units/testsuite-07.exec-context.sh -+++ b/test/units/testsuite-07.exec-context.sh -@@ -4,6 +4,9 @@ - set -eux - set -o pipefail - -+# shellcheck source=test/units/util.sh -+. "$(dirname "$0")"/util.sh -+ - # Make sure the unit's exec context matches its configuration - # See: https://github.com/systemd/systemd/pull/29552 - -@@ -284,6 +287,34 @@ systemd-run --wait --pipe "${ARGUMENTS[@]}" \ - ulimit -R || exit 0; - : RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];' - -+# RestrictFileSystems= -+# -+# Note: running instrumented binaries requires at least /proc to be accessible, so let's -+# skip the test when we're running under sanitizers -+if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf; then -+ ROOTFS="$(df --output=fstype /usr/bin | sed --quiet 2p)" -+ systemd-run --wait --pipe -p RestrictFileSystems="" ls / -+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar" ls / -+ (! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc) -+ (! 
systemd-run --wait --pipe -p RestrictFileSystems="foo" ls /) -+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar baz proc" ls /proc -+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /proc -+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /sys/fs/cgroup -+ -+ systemd-run --wait --pipe -p RestrictFileSystems="~" ls / -+ systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls / -+ systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls / -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~$ROOTFS" ls /) -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc) -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /proc) -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /proc) -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /sys) -+ systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls / -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /proc) -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /dev) -+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys) -+fi -+ - # Ensure that clean-up codepaths work correctly if activation ultimately fails - touch /run/not-a-directory - mkdir /tmp/root -diff --git a/test/units/util.sh b/test/units/util.sh -index fdfb91f8c6..b5ed73237c 100755 ---- a/test/units/util.sh -+++ b/test/units/util.sh -@@ -197,3 +197,22 @@ openssl_supports_kdf() { - # but let's do that when/if the need arises - openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf" - } -+ -+kernel_supports_lsm() { -+ local lsm="${1:?}" -+ local items item -+ -+ if [[ ! 
-e /sys/kernel/security/lsm ]]; then -+ echo "/sys/kernel/security/lsm doesn't exist, assuming $lsm is not supported" -+ return 1 -+ fi -+ -+ mapfile -t -d, items Date: Sat, 2 Dec 2023 10:28:45 +0100 Subject: [PATCH 18/29] Upload sources [skip changelog] --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index b931cf6..20ad87b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-255-rc3.tar.gz) = f46eb9264fb03868926d1abaa4a90af41ac4b2c7770756b87b2f212cd40f3e0c044679d523cbea3078362b12c4a1ee50d73dbe2639980d55c394db9d1a587b6d +SHA512 (systemd-255-rc4.tar.gz) = 7845aeed50a64771da6a5a39266fdbeb8b3b030aca18e03ad22a91bbd0c852e9c713a3cdf83b5b9d2f7f0fbb7a52c0d3a0dd44f28afb082ca340b45d9d4c78f5 From a3dfa110ec033f9e518e0a54be321c8ff3439c8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 2 Dec 2023 10:56:51 +0100 Subject: [PATCH 19/29] split-files: fix check for empty package [skip changelog] --- split-files.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/split-files.py b/split-files.py index e03484f..23402d3 100644 --- a/split-files.py +++ b/split-files.py @@ -254,6 +254,6 @@ for file in files(buildroot): if [print(f'ERROR: no file names were written to {o.name}') for name, o in outputs.items() if (o.tell() == 0 and - not (no_bootloader and name in ('ukify', 'boot-unsigned'))) + not (no_bootloader and name in ('ukify', 'boot'))) ]: sys.exit(1) From e36c897dbdeec1099fa9e4ec428fb3bb080df646 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Mon, 4 Dec 2023 12:42:29 +0900 Subject: [PATCH 20/29] Replace deprecated boolean value with enabled/disabled [skip changelog] --- systemd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index 6394857..82161d1 100644 --- a/systemd.spec +++ b/systemd.spec 
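Review bot: The changed exemption `name in ('ukify', 'boot')` in split-files.py sits three lines deep inside a list comprehension that exists only for its `print` side effect and is then tested for truthiness, so the rule being fixed is hard to find and easy to get wrong again. Collect the empty outputs first and report them in a plain loop, then exit; the condition stays identical. Whether this statement sits inside or after the `for file in files(buildroot):` loop named in the hunk header is not visible here, so the indentation below is relative.
```python
empty = [name for name, o in outputs.items()
         if o.tell() == 0 and not (no_bootloader and name in ('ukify', 'boot'))]
for name in empty:
    print(f'ERROR: no file names were written to {outputs[name].name}')
if empty:
    sys.exit(1)
```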
@@ -622,9 +622,9 @@ CONFIGURE_OPTS=(
         -Dqrencode=%[%{defined rhel}?"disabled":"enabled"]
         -Dgnutls=%[%{with gnutls}?"enabled":"disabled"]
         -Dmicrohttpd=enabled
-        -Dvmspawn=true
+        -Dvmspawn=enabled
         -Dlibidn2=enabled
-        -Dlibiptc=false
+        -Dlibiptc=disabled
         -Dlibcurl=enabled
         -Dlibfido2=enabled
         -Dxenctrl=%[0%{?have_xen}?"enabled":"disabled"]

From 3bab7a695c6fdb27c7800d47067b2203e2200869 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Mon, 4 Dec 2023 12:42:46 +0900
Subject: [PATCH 21/29] Drop deprecated split-usr option

[skip changelog]
---
 systemd.spec | 1 -
 1 file changed, 1 deletion(-)

diff --git a/systemd.spec b/systemd.spec
index 82161d1..f574aee 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -644,7 +644,6 @@ CONFIGURE_OPTS=(
         -Dnobody-user=nobody
         -Dnobody-group=nobody
         -Dcompat-mutable-uid-boundaries=true
-        -Dsplit-usr=false
         -Dsplit-bin=true
         -Db_lto=%[%{with lto}?"true":"false"]
         -Db_ndebug=false

From 81bbc12743e3d152364ae74f625033a29174426f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 6 Dec 2023 22:19:12 +0100
Subject: [PATCH 22/29] Version 255

- Just a few bugfixes since 255-rc4: seccomp filters, logging, documentation, systemd-repart
- Includes a hardware database update.
---
 sources      | 2 +-
 systemd.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sources b/sources
index 20ad87b..e196ac7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-255-rc4.tar.gz) = 7845aeed50a64771da6a5a39266fdbeb8b3b030aca18e03ad22a91bbd0c852e9c713a3cdf83b5b9d2f7f0fbb7a52c0d3a0dd44f28afb082ca340b45d9d4c78f5
+SHA512 (systemd-255.tar.gz) = 51728de604c2169d8643718ac72acb8f70f613cfcca9e9abb7dac519f291fa26a16d48f24cae6897356319096cfe8f4d9377743e7870127374f98d432e0c557c
diff --git a/systemd.spec b/systemd.spec
index f574aee..8c31371 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -35,7 +35,7 @@ Name: systemd
 Url: https://systemd.io
 
 %if %{without inplace}
-Version: 255~rc4
+Version: 255
 %else
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')

From 40811593d0192308d73bebbf32a950a00f5c9821 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 8 Dec 2023 09:43:00 +0100
Subject: [PATCH 23/29] Move systemd-bsod is to udev subpackage

---
 split-files.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/split-files.py b/split-files.py
index 23402d3..a025062 100644
--- a/split-files.py
+++ b/split-files.py
@@ -173,6 +173,7 @@ for file in files(buildroot):
           boot-update|
           bless-boot|
           boot-system-token|
+          bsod|
           kernel-install|
           installkernel|
           vconsole|

From 29eb35530b29232eed65718d0cd96d67cd7ffd6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 8 Dec 2023 12:35:59 +0100
Subject: [PATCH 24/29] Move config files to /usr/lib/systemd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... (e.g. /etc/systemd/system.conf → /usr/lib/systemd/systemd.conf). Both config file locations were already supported, and the files installed in /etc/ were "empty" (i.e. they had only comments and section headers). The move does not change the configuration, but just makes /etc more empty by default. See https://github.com/systemd/systemd/commit/6495361c7d for more discussion and details.
---
 systemd.spec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/systemd.spec b/systemd.spec
index 8c31371..a8946de 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -662,6 +662,7 @@ CONFIGURE_OPTS=(
         # https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer
         -Ddefault-timeout-sec=45
         -Ddefault-user-timeout-sec=45
+        -Dconfigfiledir=/usr/lib
         -Doomd=true
         -Dadm-gid=4
         -Daudio-gid=63

From 245a2587e095a08a61af4e48f7daa57dee3629e6 Mon Sep 17 00:00:00 2001
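Review bot: The added `-Dconfigfiledir=/usr/lib` carries no comment, while the neighbouring `-Ddefault-timeout-sec=45` lines cite the Fedora Change that justifies them; a reader of CONFIGURE_OPTS cannot tell from this line that the package stops shipping /etc/systemd/*.conf and /etc/udev/*.conf and moves them under /usr/lib. Suggest a comment above it: `# Ship the comment-only *.conf files under /usr/lib/systemd and /usr/lib/udev instead of /etc; an admin-created /etc/systemd/<name>.conf or *.conf.d drop-in still overrides them, see https://github.com/systemd/systemd/commit/6495361c7d`. The override claim is what the linked upstream commit describes; confirm it against 255's config lookup before committing the comment. The description's example target `/usr/lib/systemd/systemd.conf` looks like a slip for `/usr/lib/systemd/system.conf`, which is the name the later %ghost list in this series uses.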
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 8 Dec 2023 18:17:39 +0100
Subject: [PATCH 25/29] Add /etc/ssh/sshd_config.d to the file list

This is a bit of a mess: sshd can only load configuration from /etc/ssh/sshd_config.d, and that directory is declared as non-world-readable. This is in violation of the packaging guidelines which say that packaged files must be world-readable, and also makes very little sense, since those files are part of the package payload. If we create the directory with different permissions, and list it in %files, installation will fail. If we don't list it in %files, and the user doesn't have openssh-server installed, they will have an unowned directory. Another option would be to depend on owner of this directory, i.e. openssh-server, but we don't want to have that dependency. So let's copy the %files line from openssh-server and figure out what to do if it changes in openssh-server again.
---
 split-files.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/split-files.py b/split-files.py
index a025062..4f939ec 100644
--- a/split-files.py
+++ b/split-files.py
@@ -8,6 +8,7 @@ known_files = '''
 %ghost %attr(0444,root,root) /etc/udev/hwdb.bin
 /etc/inittab
 /usr/lib/systemd/purge-nobody-user
+%dir %attr(0700,root,root) /etc/ssh/sshd_config.d
 %ghost %config(noreplace) /etc/vconsole.conf
 %ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
 %ghost %attr(0664,root,root) %verify(not group) /run/utmp

From 1d61a36c4c436c033981305afe15dada31ada6aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sat, 9 Dec 2023 14:36:49 +0100
Subject: [PATCH 26/29] Add comment

[skip changelog]
---
 split-files.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/split-files.py b/split-files.py
index 4f939ec..5304bcc 100644
--- a/split-files.py
+++ b/split-files.py
@@ -8,6 +8,8 @@ known_files = '''
 %ghost %attr(0444,root,root) /etc/udev/hwdb.bin
 /etc/inittab
 /usr/lib/systemd/purge-nobody-user
+# This directory is owned by openssh-server, but we don't want to introduce
+# a dependency. So let's copy the config and co-own the directory.
 %dir %attr(0700,root,root) /etc/ssh/sshd_config.d
 %ghost %config(noreplace) /etc/vconsole.conf
 %ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
@@ -39,7 +41,8 @@ known_files = '''
 %ghost %attr(0700,root,root) %dir /var/log/private
 '''.splitlines()
 
-known_files = {line.split()[-1]:line for line in known_files if line}
+known_files = {line.split()[-1]:line for line in known_files.splitlines()
+               if line and not line.startswith('#')}
 
 def files(root):
     os.chdir(root)

From 3a8edc754038f889f4a97641a6b286eaefaf01f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Mon, 11 Dec 2023 22:51:48 +0100
Subject: [PATCH 27/29] Fix previous commit

[skip changelog]
---
 split-files.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/split-files.py b/split-files.py
index 5304bcc..a595392 100644
--- a/split-files.py
+++ b/split-files.py
@@ -39,7 +39,7 @@ known_files = '''
 %ghost %dir %verify(not mode group) /var/log/journal
 %ghost %dir /var/log/journal/remote
 %ghost %attr(0700,root,root) %dir /var/log/private
-'''.splitlines()
+'''
 
 known_files = {line.split()[-1]:line for line in known_files.splitlines()
                if line and not line.startswith('#')}

From 4c7acded2ace6fc074b80f098ee3754de758eab7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 13 Dec 2023 13:02:45 +0100
Subject: [PATCH 28/29] Do not remove modified config files

Our config files in /etc/ were marked as %config(noreplace). This means that the would not be replaced on upgraded if local modifications have been made. But when we moved them to /usr/lib, they would be be renamed to .rpmsave, if they had local modifications. This is not what I expected, but what rpm apparently does. So we need to add them as %ghost to prevent the removal. This is probably for the better anyway.
---
 split-files.py | 15 ++++++++-------
 systemd.spec   | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/split-files.py b/split-files.py
index a595392..3f66ada 100644
--- a/split-files.py
+++ b/split-files.py
@@ -240,17 +240,18 @@ for file in files(buildroot):
         o = outputs['main']
 
     if n in known_files:
-        prefix = ' '.join(known_files[n].split()[:-1])
-        if prefix:
-            prefix += ' '
+        prefix = known_files[n].split()[:-1]
     elif file.is_dir() and not file.is_symlink():
-        prefix = '%dir '
+        prefix = ['%dir']
     elif 'README' in n:
-        prefix = '%doc '
+        prefix = ['%doc']
     elif n.startswith('/etc'):
-        prefix = '%config(noreplace) '
+        prefix = ['%config(noreplace)']
+        if file.stat().st_size == 0:
+            prefix += ['%ghost']
     else:
-        prefix = ''
+        prefix = []
+    prefix = ' '.join(prefix + ['']) if prefix else ''
 
     suffix = '*' if '/man/' in n else ''
diff --git a/systemd.spec b/systemd.spec
index a8946de..070190b 100644
--- a/systemd.spec
+++ b/systemd.spec
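Review bot: The new `if file.stat().st_size == 0: prefix += ['%ghost']` branch ghosts every empty file under /etc, not only the *.conf files this series moved to /usr/lib; `/etc/crypttab` is also created empty by `touch` and set to mode 600 in %install (visible as context in this commit's systemd.spec hunk), and since rpm does not lay down %ghost files, it would stop being installed on fresh systems unless it is listed in known_files, which the visible part of that table does not show. Narrow the heuristic to the moved files, e.g. `if file.stat().st_size == 0 and n.endswith('.conf'):`, and record the intent in a comment above it: `# Empty *.conf files under /etc are the config files moved to /usr/lib (-Dconfigfiledir); ghost them so rpm keeps locally modified copies instead of renaming them to .rpmsave.` The enclosing `for file in files(buildroot):` loop starts before this hunk.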
@@ -731,6 +731,25 @@ ln -sf ../bin/udevadm %{buildroot}%{_sbindir}/udevadm
 touch %{buildroot}/etc/crypttab
 chmod 600 %{buildroot}/etc/crypttab
 
+# Config files that were moved under /usr.
+# We need to %ghost them so that they are not removed on upgrades.
+touch %{buildroot}/etc/systemd/coredump.conf \
+      %{buildroot}/etc/systemd/homed.conf \
+      %{buildroot}/etc/systemd/journald.conf \
+      %{buildroot}/etc/systemd/journal-remote.conf \
+      %{buildroot}/etc/systemd/journal-upload.conf \
+      %{buildroot}/etc/systemd/logind.conf \
+      %{buildroot}/etc/systemd/networkd.conf \
+      %{buildroot}/etc/systemd/oomd.conf \
+      %{buildroot}/etc/systemd/pstore.conf \
+      %{buildroot}/etc/systemd/resolved.conf \
+      %{buildroot}/etc/systemd/sleep.conf \
+      %{buildroot}/etc/systemd/system.conf \
+      %{buildroot}/etc/systemd/timesyncd.conf \
+      %{buildroot}/etc/systemd/user.conf \
+      %{buildroot}/etc/udev/udev.conf \
+      %{buildroot}/etc/udev/iocost.conf
+
 # /etc/initab
 install -Dm0644 -t %{buildroot}/etc/ %{SOURCE5}
 

From 3211e4adfcca38dfe24188e28a65b1cf385ecfd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sat, 16 Dec 2023 11:07:35 +0100
Subject: [PATCH 29/29] Version 255.1

---
 sources      | 2 +-
 systemd.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sources b/sources
index e196ac7..ad62708 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-255.tar.gz) = 51728de604c2169d8643718ac72acb8f70f613cfcca9e9abb7dac519f291fa26a16d48f24cae6897356319096cfe8f4d9377743e7870127374f98d432e0c557c
+SHA512 (systemd-255.1.tar.gz) = ec1506b8e36c943920d8a5a8f6bbedd687d6a8cbc5cd28510485aaa65b96ad1bb58e77cf138818c95d31ea748bb65c56b95efd781d18c8936e910e222e9fdedb
diff --git a/systemd.spec b/systemd.spec
index 070190b..ec214ca 100644
--- a/systemd.spec
+++ b/systemd.spec
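Review bot: The sixteen `touch` paths are a hand-maintained copy of whatever `-Dconfigfiledir=/usr/lib` installs under /usr/lib/systemd and /usr/lib/udev, with nothing tying the two lists together; a name missing here, or a new *.conf in a later release, would again be renamed to .rpmsave on upgrade, which is the exact failure this commit fixes, and a stale name would ghost a path the package no longer provides. If the moved set is exactly the *.conf files in those two buildroot directories (not verifiable from this hunk), derive the ghost list from the buildroot so it cannot drift, and say in the comment why the files are ghosted rather than only that they are. The rewritten block replaces the comment and the touch list; the crypttab lines above it are unchanged.
```rpmspec
chmod 600 %{buildroot}/etc/crypttab

# Config files that were moved under /usr (-Dconfigfiledir=/usr/lib).
# %ghost the old /etc paths so locally modified copies are kept instead of
# being renamed to .rpmsave on upgrade. Derived from the buildroot so the
# ghost set cannot drift from what is actually installed.
for f in %{buildroot}%{_prefix}/lib/systemd/*.conf %{buildroot}%{_prefix}/lib/udev/*.conf; do
    touch "%{buildroot}/etc/${f#%{buildroot}%{_prefix}/lib/}"
done
```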
@@ -35,7 +35,7 @@ Name: systemd
 Url: https://systemd.io
 
 %if %{without inplace}
-Version: 255
+Version: 255.1
 %else
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')