- Fixes a few different issues (systemd-timesyncd connectivity problems, broken
emoji output on the console, crashes in pid1 unit dependency logic)
- CVE-2022-4415: systemd: coredump not respecting fs.suid_dumpable kernel
setting
As requested in https://github.com/rhinstaller/anaconda/pull/4368#discussion_r1043839809,
so that it's easier to depend on the appropriate package. Once we have the
signed version built, this provides might be dropped. But let's add it at least
for now so that there's a stable name to depend on.
While at it, let's drop ? from %{_isa}. Systemd is always archful.
This file changes rarely, but it does every one in a while. And since we have an
independent copy, we forget to adjust it. We have had already two bugs because
of this. I submitted a PR upstream to include pam_namespace (because that makes
sense for all distros), so the diff between upstream and us now is just the
inclusion of system-auth (which is not upstreamable).
Effectively, the only difference right now is that 'pam_keyinit force revoke'
is included. It was added upstream with the comment:
We want that systemd --user gets its own keyring as usual, even if the
barebones PAM snippet we ship upstream is used. If we don't do this we get
the basic keyring systemd --system sets up for us.
4047e4fb7b got things very wrong.
The trick with "[ $1 -eq 1 ]" doesn't work for transaction triggers
because the argument is not provided by rpm. We need to use a state
file to propagate the information from %post to %posttrans.
... (for details see https://raw.githubusercontent.com/systemd/systemd/v252-rc1/NEWS)
systemd-pcrphase and systemd-measure and initrd-* units are moved to systemd-udev.
systemd-udev should be part of the initrd, and those tools don't make much sense
in systems without hardware (i.e. containers). (systemd-measure could possibly be
useful, but we can always move it back if there's a good reason.)
This tweaks the sysusers.d handling logic so that 'm' entries are
now translated to a series of groupadd + useradd + usermod call.
The last usermod call is the notable change, effectively affecting
the list of secondary groups now.
- Remove swap policy. Default amount of swap (8GB?) is a lot lower than
what we use internally with the swap policy. Which frequently leads to
GNOME getting killed
(e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1941170, and other
BZs not linked here). Internally we use 0.5x-1x size of physical memory
for swap via swapfiles (this will be documented in systemd upstream).
In simple cases of using more memory than is available (but without
memory pressure), the Kernel OOM killer can handle killing the
offending process.
- Expand the memory pressure policy to system.slice, user-.slice, and
all user owned slices. Support for ManagedOOM*= on user services was
added in https://github.com/systemd/systemd/pull/20690 which allows
us to be more fine grained on the pressure monitoring at the user
level. In addition to the system.slice and user-.slice PSI monitoring
this should result in a better systemd-oomd experience for desktop
systems.
Instead, add systemd-pam to pungi-fedora's multilib whitelist:
https://pagure.io/pungi-fedora/pull-request/1113
This should help with flatpak runtime packaging so that we can avoid
having to ship systemd-pam in the flatpak container.
https://pagure.io/releng/issue/10952: rpmdev-bumpspec apparently does
not like the way the Release field was conditionalized.
But since the switch to rpmautospec this isn't important, since the
v-r string will be generated by rpmautospec. I went over the changelog
and manually inserted tags for the old builds.
Unfortunately there's another issue, rpmautospec cannot deal with
%include: https://pagure.io/fedora-infra/rpmautospec/pull-request/267
Numbers for the latest builds are adjusted to match what koji lists.
Now that the tmpfiles snippet is a separate file shipped as part
of the networkd package, we can ship the sysusers snippet as a part
of the networkd package as well.
It turns out that with the Obsoletes, dnf will just install the normal
systemd package if systemd-standalone-* is requested. The commit message
for b36512ad8f which added this says I tested
with local package builds (where it works), but not when going through the
full repo with all packages.
I'm adding the Provides instead, so that it's possible to request on or
the other more easily.
I asked on fedora-devel@, and the lone reply was from Matthew Miller
who tried it once when it was introduced and hasn't used it since.
Dropping this removes the last dependency on libgcrypt and libgpg-error
in libsystemd, significantly reducing our installation footprint.
Right now libmicrohttpd is still linked to libgcrypt, so
libsystemd-journal-remote subpackage will pull libgcrypt in.
Zbigniew Jędrzejewski-Szmek
Martin Osvald
Yu Watanabe
Luca BRUNO
Anita Zhang
Neal Gompa
Kalev Lember
Fedora Release Engineering
Daan De Meyer
David Auer