From 445a6abc54446fa2c404c41c3f06a9c2f422b65a Mon Sep 17 00:00:00 2001 
From: MSVSphere Packaging Team Date: Fri, 25 Oct 2024 19:31:23 +0300 Subject: [PATCH] import systemd-256-14.el10 --- .gitignore | 1 + .systemd.metadata | 1 + SOURCES/.abignore | 3 + SOURCES/0001-Create-CNAME.patch | 18 + ...02-man-systemd-reorder-content-a-bit.patch | 103 ++ ...allow-hostnamed-to-exit-on-idle-if-v.patch | 43 + ...p-server-clear-buffer-before-receive.patch | 30 + ...number-of-device-units-generated-for.patch | 29 + ...se-GREEDY_REALLOC-to-grow-the-buffer.patch | 81 ++ ...-fail-if-we-can-t-access-the-TPM-due.patch | 132 ++ ...dnssec-rrtype-questions-when-we-aren.patch | 37 + ...Use-crypt_reencrypt_run-if-available.patch | 123 ++ ...le-summary-at-the-end-of-TEST-02-UNI.patch | 136 ++ ...11-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch | 29 + ...ew-stable-releases-will-be-in-the-ma.patch | 26 + ...on-only-offer-devices-for-completion.patch | 29 + ...E-document-reterr_-return-parameters.patch | 98 ++ ...nalyze-show-pcrs-also-in-sha384-bank.patch | 27 + ...are-flex-array-updated-for-gcc15-and.patch | 41 + ...-a-warning-to-systemd-tmpfiles-purge.patch | 31 + ...emporary-from-description-of-systemd.patch | 65 + ...rivileged-user-ns-for-integration-te.patch | 24 + ...rts.ubuntu.com-for-non-x86-backports.patch | 74 + ...I-packages-only-on-EFI-architectures.patch | 58 + ...kip-condition-before-installing-addi.patch | 31 + ...-drop-unneeded-firmware-uefi-setting.patch | 37 + SOURCES/0024-test-drop-obsolete-comment.patch | 28 + SOURCES/0025-test-support-TEST_NO_KVM.patch | 25 + ...T_NO_QEMU-in-mkosi-integration-wrapp.patch | 30 + ...stead-of-uefi-for-automated-fallback.patch | 27 + ...ce-fix-accept-socket-deserialization.patch | 45 + ...tion-that-the-captive-portal-option-.patch | 26 + ...isable-secure-boot-in-mkosi-GHA-runs.patch | 27 + SOURCES/0031-mkosi-bump-to-latest.patch | 23 + SOURCES/0032-NEWS-fix-typo.patch | 23 + ...moving-symlinks-even-for-units-that-.patch | 69 + ...ur-dry-run-when-removing-directories.patch | 35 + 
...on-at-least-one-configuration-file-b.patch | 68 + ...rge-to-command-section-in-help-text-.patch | 37 + ...rict-noble-backports-to-noble-builds.patch | 37 + SOURCES/0038-repart-fix-memory-leak.patch | 22 + ...-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch | 42 + ...workflows-to-run-on-source-git-setup.patch | 98 ++ .../0041-ci-setup-source-git-automation.patch | 282 ++++ ...i-deploy-systemd-man-to-GitHub-Pages.patch | 78 ++ ...43-ci-reconfigure-Packit-for-RHEL-10.patch | 61 + ...-parameters-together-with-rhel-only-.patch | 37 + ...eate-user-journals-for-users-with-hi.patch | 59 + ...-tmpfiles-make-purge-hard-to-mis-use.patch | 67 + ...-use-system-auth-in-pam-systemd-user.patch | 33 + ...e-start-rhel10-naming-and-include-rh.patch | 317 +++++ ...les-copy-40-redhat.rules-from-RHEL-9.patch | 109 ++ ...nd-set-RemoveIPC-to-false-by-default.patch | 53 + ...reate-resolv.conf-stub-resolv.conf-s.patch | 43 + ...al-order-after-network-online.target.patch | 29 + ...il-increase-random-seed-size-to-1024.patch | 25 + ...able-systemd-journald-audit.socket-b.patch | 25 + ...f-don-t-touch-current-audit-settings.patch | 22 + ...evator-kernel-command-line-parameter.patch | 56 + ...tTasksMax-to-80-of-the-kernel-pid.ma.patch | 59 + ...ink-change-the-default-MACAddressPol.patch | 53 + ...g-level-of-messages-about-use-of-Kil.patch | 40 + ...n-rename-libbasic-to-libbasic_static.patch | 180 +++ ...ystemd-core-via-an-intermediate-stat.patch | 63 + ...-to-build-systemd-executor-staticall.patch | 101 ++ SOURCES/0063-taint-remove-unmerged-bin.patch | 86 ++ SOURCES/0064-presets-remove-resolved.patch | 28 + ...add-downstream-CONTRIBUTING-document.patch | 108 ++ ...ci-allow-policy-as-rhel-only-keyword.patch | 40 + ...st-only-for-Fedora-and-CentOS-Stream.patch | 68 + ...aint-remove-unused-variable-usr_sbin.patch | 27 + ...ackit-drop-the-libarchive-workaround.patch | 28 + ...-drop-the-dependency-on-python3-zstd.patch | 28 + ...ult-process-and-store-core-files-up-.patch | 30 + 
...mounted-as-tmpfs-without-the-user-s-.patch | 23 + ...nit-don-t-add-Requires-for-tmp.mount.patch | 39 + ...its-add-Install-section-to-tmp.mount.patch | 24 + ...le-tmp.mount-statically-in-local-fs..patch | 28 + ...if-naming-scheme-add-rhel-9.5-scheme.patch | 64 + ..._id-use-firmware_node-sun-for-ID_NET.patch | 197 +++ ...net-naming-scheme-add-missing-period.patch | 36 + ...-drop-the-dependency-on-python3-zstd.patch | 28 + ...-try-to-acquire-triggering-units-for.patch | 48 + ...unit-add-one-assertion-for-u-manager.patch | 24 + ...troy-runtime-data-when-Type-oneshot-.patch | 88 ++ ...nore-kernel-threads-in-cg_kill_items.patch | 34 + ...t-try-to-open-pidfd-for-kernel-threa.patch | 30 + SOURCES/0085-cgroup-util-fix-typo.patch | 27 + ...eme-rename-rhel-10.0-to-rhel-10.0.be.patch | 75 + ...eme-disable-NAMING_FIRMWARE_NODE_SUN.patch | 43 + ...e-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch | 38 + ...il-Don-t-try-to-open-pidfd-for-kerne.patch | 33 + ...p-test-on-architectures-without-UEFI.patch | 30 + SOURCES/10-map-count.conf | 3 + SOURCES/10-oomd-defaults.conf | 2 + SOURCES/10-oomd-per-slice-defaults.conf | 3 + SOURCES/20-yama-ptrace.conf | 42 + SOURCES/98-default-mac-none.link | 20 + SOURCES/inittab | 16 + SOURCES/macros.sysusers | 10 + SOURCES/purge-nobody-user | 101 ++ SOURCES/split-files.py | 233 ++++ SOURCES/sysctl.conf.README | 10 + SOURCES/systemd-journal-gatewayd.xml | 6 + SOURCES/systemd-journal-remote.xml | 6 + SOURCES/systemd-udev-trigger-no-reload.conf | 3 + SOURCES/sysusers.attr | 2 + SOURCES/sysusers.generate-pre.sh | 96 ++ SOURCES/sysusers.prov | 61 + SOURCES/test_sysusers_defined.py | 34 + SOURCES/triggers.systemd | 87 ++ SOURCES/yum-protect-systemd.conf | 2 + SPECS/systemd.spec | 1231 +++++++++++++++++ 113 files changed, 7081 insertions(+) create mode 100644 .gitignore create mode 100644 .systemd.metadata create mode 100644 SOURCES/.abignore create mode 100644 SOURCES/0001-Create-CNAME.patch create mode 100644 
SOURCES/0002-man-systemd-reorder-content-a-bit.patch create mode 100644 SOURCES/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch create mode 100644 SOURCES/0004-sd-dhcp-server-clear-buffer-before-receive.patch create mode 100644 SOURCES/0005-rules-Limit-the-number-of-device-units-generated-for.patch create mode 100644 SOURCES/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch create mode 100644 SOURCES/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch create mode 100644 SOURCES/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch create mode 100644 SOURCES/0009-repart-Use-crypt_reencrypt_run-if-available.patch create mode 100644 SOURCES/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch create mode 100644 SOURCES/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch create mode 100644 SOURCES/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch create mode 100644 SOURCES/0013-shell-completion-only-offer-devices-for-completion.patch create mode 100644 SOURCES/0014-CODING_STYLE-document-reterr_-return-parameters.patch create mode 100644 SOURCES/0015-analyze-show-pcrs-also-in-sha384-bank.patch create mode 100644 SOURCES/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch create mode 100644 SOURCES/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch create mode 100644 SOURCES/0018-man-units-drop-temporary-from-description-of-systemd.patch create mode 100644 SOURCES/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch create mode 100644 SOURCES/0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch create mode 100644 SOURCES/0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch create mode 100644 SOURCES/0022-test-check-the-skip-condition-before-installing-addi.patch create mode 100644 SOURCES/0023-test-drop-unneeded-firmware-uefi-setting.patch create mode 100644 SOURCES/0024-test-drop-obsolete-comment.patch create mode 100644 
SOURCES/0025-test-support-TEST_NO_KVM.patch create mode 100644 SOURCES/0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch create mode 100644 SOURCES/0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch create mode 100644 SOURCES/0028-core-service-fix-accept-socket-deserialization.patch create mode 100644 SOURCES/0029-test-network-mention-that-the-captive-portal-option-.patch create mode 100644 SOURCES/0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch create mode 100644 SOURCES/0031-mkosi-bump-to-latest.patch create mode 100644 SOURCES/0032-NEWS-fix-typo.patch create mode 100644 SOURCES/0033-install-allow-removing-symlinks-even-for-units-that-.patch create mode 100644 SOURCES/0034-tmpfiles-honour-dry-run-when-removing-directories.patch create mode 100644 SOURCES/0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch create mode 100644 SOURCES/0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch create mode 100644 SOURCES/0037-mkosi-restrict-noble-backports-to-noble-builds.patch create mode 100644 SOURCES/0038-repart-fix-memory-leak.patch create mode 100644 SOURCES/0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch create mode 100644 SOURCES/0040-ci-update-workflows-to-run-on-source-git-setup.patch create mode 100644 SOURCES/0041-ci-setup-source-git-automation.patch create mode 100644 SOURCES/0042-ci-deploy-systemd-man-to-GitHub-Pages.patch create mode 100644 SOURCES/0043-ci-reconfigure-Packit-for-RHEL-10.patch create mode 100644 SOURCES/0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch create mode 100644 SOURCES/0045-journal-again-create-user-journals-for-users-with-hi.patch create mode 100644 SOURCES/0046-tmpfiles-make-purge-hard-to-mis-use.patch create mode 100644 SOURCES/0047-fedora-use-system-auth-in-pam-systemd-user.patch create mode 100644 SOURCES/0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch create mode 100644 SOURCES/0049-rules-copy-40-redhat.rules-from-RHEL-9.patch 
create mode 100644 SOURCES/0050-logind-set-RemoveIPC-to-false-by-default.patch create mode 100644 SOURCES/0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch create mode 100644 SOURCES/0052-rc-local-order-after-network-online.target.patch create mode 100644 SOURCES/0053-random-util-increase-random-seed-size-to-1024.patch create mode 100644 SOURCES/0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch create mode 100644 SOURCES/0055-journald.conf-don-t-touch-current-audit-settings.patch create mode 100644 SOURCES/0056-rules-add-elevator-kernel-command-line-parameter.patch create mode 100644 SOURCES/0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch create mode 100644 SOURCES/0058-udev-net-setup-link-change-the-default-MACAddressPol.patch create mode 100644 SOURCES/0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch create mode 100644 SOURCES/0060-meson-rename-libbasic-to-libbasic_static.patch create mode 100644 SOURCES/0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch create mode 100644 SOURCES/0062-meson-add-option-to-build-systemd-executor-staticall.patch create mode 100644 SOURCES/0063-taint-remove-unmerged-bin.patch create mode 100644 SOURCES/0064-presets-remove-resolved.patch create mode 100644 SOURCES/0065-doc-add-downstream-CONTRIBUTING-document.patch create mode 100644 SOURCES/0066-ci-allow-policy-as-rhel-only-keyword.patch create mode 100644 SOURCES/0067-ci-run-mkosi-test-only-for-Fedora-and-CentOS-Stream.patch create mode 100644 SOURCES/0068-taint-remove-unused-variable-usr_sbin.patch create mode 100644 SOURCES/0069-packit-drop-the-libarchive-workaround.patch create mode 100644 SOURCES/0070-packit-drop-the-dependency-on-python3-zstd.patch create mode 100644 SOURCES/0071-coredump-by-default-process-and-store-core-files-up-.patch create mode 100644 SOURCES/0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch create mode 100644 SOURCES/0073-unit-don-t-add-Requires-for-tmp.mount.patch 
create mode 100644 SOURCES/0074-units-add-Install-section-to-tmp.mount.patch create mode 100644 SOURCES/0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch create mode 100644 SOURCES/0076-netif-naming-scheme-add-rhel-9.5-scheme.patch create mode 100644 SOURCES/0077-udev-builtin-net_id-use-firmware_node-sun-for-ID_NET.patch create mode 100644 SOURCES/0078-man-net-naming-scheme-add-missing-period.patch create mode 100644 SOURCES/0079-Revert-packit-drop-the-dependency-on-python3-zstd.patch create mode 100644 SOURCES/0080-systemctl-do-not-try-to-acquire-triggering-units-for.patch create mode 100644 SOURCES/0081-core-unit-add-one-assertion-for-u-manager.patch create mode 100644 SOURCES/0082-core-service-destroy-runtime-data-when-Type-oneshot-.patch create mode 100644 SOURCES/0083-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch create mode 100644 SOURCES/0084-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch create mode 100644 SOURCES/0085-cgroup-util-fix-typo.patch create mode 100644 SOURCES/0086-netif-naming-scheme-rename-rhel-10.0-to-rhel-10.0.be.patch create mode 100644 SOURCES/0087-net-naming-scheme-disable-NAMING_FIRMWARE_NODE_SUN.patch create mode 100644 SOURCES/0088-net-naming-scheme-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch create mode 100644 SOURCES/0089-Revert-cgroup-util-Don-t-try-to-open-pidfd-for-kerne.patch create mode 100644 SOURCES/0090-ukify-Skip-test-on-architectures-without-UEFI.patch create mode 100644 SOURCES/10-map-count.conf create mode 100644 SOURCES/10-oomd-defaults.conf create mode 100644 SOURCES/10-oomd-per-slice-defaults.conf create mode 100644 SOURCES/20-yama-ptrace.conf create mode 100644 SOURCES/98-default-mac-none.link create mode 100644 SOURCES/inittab create mode 100644 SOURCES/macros.sysusers create mode 100755 SOURCES/purge-nobody-user create mode 100644 SOURCES/split-files.py create mode 100644 SOURCES/sysctl.conf.README create mode 100644 SOURCES/systemd-journal-gatewayd.xml create mode 100644 
SOURCES/systemd-journal-remote.xml create mode 100644 SOURCES/systemd-udev-trigger-no-reload.conf create mode 100644 SOURCES/sysusers.attr create mode 100755 SOURCES/sysusers.generate-pre.sh create mode 100755 SOURCES/sysusers.prov create mode 100755 SOURCES/test_sysusers_defined.py create mode 100644 SOURCES/triggers.systemd create mode 100644 SOURCES/yum-protect-systemd.conf create mode 100644 SPECS/systemd.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ae35001 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/systemd-256.tar.gz diff --git a/.systemd.metadata b/.systemd.metadata new file mode 100644 index 0000000..dd1381a --- /dev/null +++ b/.systemd.metadata @@ -0,0 +1 @@ +0d5b0f0799d3a803ba1fe03e4136cecdbf3837db SOURCES/systemd-256.tar.gz diff --git a/SOURCES/.abignore b/SOURCES/.abignore new file mode 100644 index 0000000..6a33b88 --- /dev/null +++ b/SOURCES/.abignore @@ -0,0 +1,3 @@ +[suppress_file] +# Those shared objects are private to systemd +file_name_regexp=libsystemd-(shared|core)-.*.so diff --git a/SOURCES/0001-Create-CNAME.patch b/SOURCES/0001-Create-CNAME.patch new file mode 100644 index 0000000..fbb444e --- /dev/null +++ b/SOURCES/0001-Create-CNAME.patch @@ -0,0 +1,18 @@ +From 1c27c902ad8316f490648a0e4415abd51b450b1a Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 11 Jun 2024 23:04:12 +0100 +Subject: [PATCH] Create CNAME + +--- + docs/CNAME | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 docs/CNAME + +diff --git a/docs/CNAME b/docs/CNAME +new file mode 100644 +index 0000000000..cdcf4d9a52 +--- /dev/null ++++ b/docs/CNAME +@@ -0,0 +1 @@ ++systemd.io +\ No newline at end of file diff --git a/SOURCES/0002-man-systemd-reorder-content-a-bit.patch b/SOURCES/0002-man-systemd-reorder-content-a-bit.patch new file mode 100644 index 0000000..1469876 --- /dev/null +++ b/SOURCES/0002-man-systemd-reorder-content-a-bit.patch 
@@ -0,0 +1,103 @@ +From d918804408801bf46a49018e374ebdfbeae08805 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Jun 2024 11:28:21 +0200 +Subject: [PATCH] man/systemd: reorder content a bit + +Section "Description" didn't actually say what systemd does. And we had a giant +"Concepts" section that actually described units types and other details about +them. So let's move the basic description of functionality to "Description" and +rename the following section to "Units". + +The link to the Original Design Document is moved to "See Also", it is of +historical interest mostly at this point. + +The only actual change is that when talking about API filesystems, /dev is also +mentioned. (I think /sys+/proc+/dev are the canonical set and should be always +listed on one breath.) + +(cherry picked from commit f11aaf7dfb295de429b1567282b19caaba036bba) +--- + man/systemd.xml | 49 ++++++++++++++++++++++++------------------------- + 1 file changed, 24 insertions(+), 25 deletions(-) + +diff --git a/man/systemd.xml b/man/systemd.xml +index 66db5bbf25..f4aa7e06ca 100644 +--- a/man/systemd.xml ++++ b/man/systemd.xml +@@ -62,10 +62,29 @@ + user.conf.d directories. See + systemd-system.conf5 + for more information. ++ ++ systemd contains native implementations of various tasks that need to be ++ executed as part of the boot process. For example, it sets the hostname or configures the loopback ++ network device. It also sets up and mounts various API file systems, such as /sys/, ++ /proc/, and /dev/. ++ ++ Note that some but not all interfaces provided by systemd are covered by the ++ Interface Portability and Stability Promise. ++ ++ The D-Bus API of systemd is described in ++ org.freedesktop.systemd15 ++ and ++ org.freedesktop.LogControl15. ++ ++ ++ Systems which invoke systemd in a container or initrd environment should implement the Container Interface or ++ initrd Interface ++ specifications, respectively. 
+ + + +- Concepts ++ Units + + systemd provides a dependency system between various + entities called "units" of 11 different types. Units encapsulate +@@ -261,34 +280,10 @@ + example, start jobs for any of those inactive units getting queued as + well. + +- systemd contains native implementations of various tasks +- that need to be executed as part of the boot process. For example, +- it sets the hostname or configures the loopback network device. It +- also sets up and mounts various API file systems, such as +- /sys/ or /proc/. +- +- For more information about the concepts and +- ideas behind systemd, please refer to the +- Original Design Document. +- +- Note that some but not all interfaces provided by systemd are covered by the +- Interface Portability and Stability Promise. +- + Units may be generated dynamically at boot and system + manager reload time, for example based on other configuration + files or parameters passed on the kernel command line. For details, see + systemd.generator7. +- +- The D-Bus API of systemd is described in +- org.freedesktop.systemd15 +- and +- org.freedesktop.LogControl15. +- +- +- Systems which invoke systemd in a container or initrd environment should implement the Container Interface or +- initrd Interface +- specifications, respectively. + + + +@@ -1558,6 +1553,10 @@ + bootup7 + systemd.directives7 + ++ ++ For more information about the concepts and ++ ideas behind systemd, please refer to the ++ Original Design Document. + + + diff --git a/SOURCES/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch b/SOURCES/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch new file mode 100644 index 0000000..99e1e6e --- /dev/null +++ b/SOURCES/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch 
@@ -0,0 +1,43 @@ +From f2b5c1ff51b7c7876036c6c722e2a47b696695d9 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 8 May 2024 10:38:11 +0200 +Subject: [PATCH] hostnamed: don't allow hostnamed to exit on idle if varlink + connections are still ongoing + +And while we are at it, ongoing PK authorizations are also a reason to +block exit on idle. + +(cherry picked from commit ac908152b3b43a49f793d225c075423422cd3e33) +--- + src/hostname/hostnamed.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c +index 82d08803fa..fe1216fc1c 100644 +--- a/src/hostname/hostnamed.c ++++ b/src/hostname/hostnamed.c +@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) { + return 0; + } + ++static bool context_check_idle(void *userdata) { ++ Context *c = ASSERT_PTR(userdata); ++ ++ return varlink_server_current_connections(c->varlink_server) == 0 && ++ hashmap_isempty(c->polkit_registry); ++} ++ + static int run(int argc, char *argv[]) { + _cleanup_(context_destroy) Context context = { + .hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */ +@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) { + context.bus, + "org.freedesktop.hostname1", + DEFAULT_EXIT_USEC, +- /* check_idle= */ NULL, +- /* userdata= */ NULL); ++ context_check_idle, ++ &context); + if (r < 0) + return log_error_errno(r, "Failed to run event loop: %m"); + diff --git a/SOURCES/0004-sd-dhcp-server-clear-buffer-before-receive.patch b/SOURCES/0004-sd-dhcp-server-clear-buffer-before-receive.patch new file mode 100644 index 0000000..b51d6f3 --- /dev/null +++ b/SOURCES/0004-sd-dhcp-server-clear-buffer-before-receive.patch 
@@ -0,0 +1,30 @@ +From 0d573787ea1610ba57a359cf437841f62b186e77 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 12 Jun 2024 00:48:56 +0900 +Subject: [PATCH] sd-dhcp-server: clear buffer before receive + +I do not think this is necessary, but all other places in +libsystemd-network we clear buffer before receive. Without this, +Coverity warns about use-of-uninitialized-values. +Let's silence Coverity. + +Closes CID#1469721. + +(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62) +--- + src/libsystemd-network/sd-dhcp-server.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c +index c3b0f82dc4..4967f066dc 100644 +--- a/src/libsystemd-network/sd-dhcp-server.c ++++ b/src/libsystemd-network/sd-dhcp-server.c +@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd, + /* Preallocate the additional size for DHCP Relay Agent Information Option if needed */ + buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2; + +- message = malloc(buflen); ++ message = malloc0(buflen); + if (!message) + return -ENOMEM; + diff --git a/SOURCES/0005-rules-Limit-the-number-of-device-units-generated-for.patch b/SOURCES/0005-rules-Limit-the-number-of-device-units-generated-for.patch new file mode 100644 index 0000000..8328a1d --- /dev/null +++ b/SOURCES/0005-rules-Limit-the-number-of-device-units-generated-for.patch 
@@ -0,0 +1,29 @@ +From a3d94332a2b5128697373d3093c1cfa56649ec61 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 10 Jun 2024 12:59:58 +0200 +Subject: [PATCH] rules: Limit the number of device units generated for serial + ttys + +As per the suggestion in https://github.com/systemd/systemd/issues/33242. + +This reduces the number of /dev/ttySXX device units generated in +mkosi from 32 to 4. + +(cherry picked from commit dc38f9addd04c34d1fd743efc407bdebb3573d05) +--- + rules.d/99-systemd.rules.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in +index ad0c7e2fb5..8ba6f177f8 100644 +--- a/rules.d/99-systemd.rules.in ++++ b/rules.d/99-systemd.rules.in +@@ -10,6 +10,8 @@ + ACTION=="remove", GOTO="systemd_end" + + SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd" ++# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked. ++SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0" + KERNEL=="vport*", TAG+="systemd" + + SUBSYSTEM=="ptp", TAG+="systemd" diff --git a/SOURCES/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch b/SOURCES/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch new file mode 100644 index 0000000..776f109 --- /dev/null +++ b/SOURCES/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch 
@@ -0,0 +1,81 @@ +From 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae Mon Sep 17 00:00:00 2001 +From: q66 +Date: Thu, 6 Jun 2024 13:45:48 +0200 +Subject: [PATCH] strbuf: use GREEDY_REALLOC to grow the buffer + +This allows us to reserve a bunch of capacity ahead of time, +improving the performance of hwdb significantly thanks to not +having to reallocate so many times. + +Before: +``` +$ sudo time valgrind --leak-check=full ./systemd-hwdb update +==113297== Memcheck, a memory error detector +==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. +==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info +==113297== Command: ./systemd-hwdb update +==113297== +==113297== +==113297== HEAP SUMMARY: +==113297== in use at exit: 0 bytes in 0 blocks +==113297== total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated +==113297== +==113297== All heap blocks were freed -- no leaks are possible +==113297== +==113297== For lists of detected and suppressed errors, rerun with: -s +==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) +132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k +0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps +``` + +After: +``` +$ sudo time valgrind --leak-check=full ./systemd-hwdb update +==112572== Memcheck, a memory error detector +==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. 
+==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info +==112572== Command: ./systemd-hwdb update +==112572== +==112572== +==112572== HEAP SUMMARY: +==112572== in use at exit: 0 bytes in 0 blocks +==112572== total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated +==112572== +==112572== All heap blocks were freed -- no leaks are possible +==112572== +==112572== For lists of detected and suppressed errors, rerun with: -s +==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) +21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k +0inputs+25264outputs (0major+57275minor)pagefaults 0swaps +``` + +Co-authored-by: Yu Watanabe +(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93) +--- + src/basic/strbuf.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c +index 0617acc8d2..6d43955bb1 100644 +--- a/src/basic/strbuf.c ++++ b/src/basic/strbuf.c +@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node, + /* add string, return the index/offset into the buffer */ + ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { + uint8_t c; +- char *buf_new; + struct strbuf_child_entry *child; + struct strbuf_node *node; + ssize_t off; +@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { + } + + /* add new string */ +- buf_new = realloc(str->buf, str->len + len+1); +- if (!buf_new) ++ if (!GREEDY_REALLOC(str->buf, str->len + len + 1)) + return -ENOMEM; +- str->buf = buf_new; + off = str->len; + memcpy(str->buf + off, s, len); + str->len += len; diff --git a/SOURCES/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch b/SOURCES/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch new file mode 100644 index 0000000..683891a --- /dev/null +++ b/SOURCES/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch 
@@ -0,0 +1,132 @@ +From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 17 May 2024 16:20:11 +0200 +Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to + authorization failure + +The TPM might be password/pin protected for various reasons even if +there is no SRK yet. Let's handle those cases gracefully instead of +failing the unit as it is enabled by default. + +(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199) +--- + catalog/systemd.catalog.in | 13 +++++++++++++ + src/shared/tpm2-util.c | 2 ++ + src/systemd/sd-messages.h | 3 +++ + src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++- + units/systemd-tpm2-setup-early.service.in | 3 +++ + units/systemd-tpm2-setup.service.in | 3 +++ + 6 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in +index 3c9a6860da..2831152763 100644 +--- a/catalog/systemd.catalog.in ++++ b/catalog/systemd.catalog.in +@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/ + A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been + detached from the system and is no longer available for use. The list of attached + Portable Services can be queried with 'portablectl list'. ++ ++-- ad7089f928ac4f7ea00c07457d47ba8a ++Subject: Authorization failure while attempting to enroll SRK into TPM ++Defined-By: systemd ++Support: %SUPPORT_URL% ++Documentation: man:systemd-tpm2-setup.service(8) ++ ++An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform ++Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of ++the TPM. ++ ++Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password ++protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p ""'. 
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 87ce53cf95..9603f1837e 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -2119,6 +2119,8 @@ int tpm2_create_primary( + /* creationData= */ NULL, + /* creationHash= */ NULL, + /* creationTicket= */ NULL); ++ if (rc == TPM2_RC_BAD_AUTH) ++ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM."); + if (rc != TSS2_RC_SUCCESS) + return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), + "Failed to generate primary key in TPM: %s", +diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h +index e3f68068a8..16e9986be3 100644 +--- a/src/systemd/sd-messages.h ++++ b/src/systemd/sd-messages.h +@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS; + #define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) + #define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) + ++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) ++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) ++ + _SD_END_DECLARATIONS; + + #endif +diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c +index 35628fc02a..b95c5e7a58 100644 +--- a/src/tpm2-setup/tpm2-setup.c ++++ b/src/tpm2-setup/tpm2-setup.c +@@ -3,6 +3,8 @@ + #include + #include + ++#include "sd-messages.h" ++ + #include "build.h" + #include "fd-util.h" + #include "fileio.h" +@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) { + /* ret_name= */ NULL, + /* ret_qname= */ NULL, + NULL); ++ if (r == -EDEADLK) ++ return r; + if (r < 0) + return log_error_errno(r, "Failed to get or create SRK: %m"); + if (r > 0) +@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) { + } + + r = load_public_key_tpm2(&tpm2_key); ++ if (r == 
-EDEADLK) { ++ log_struct_errno(LOG_INFO, r, ++ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."), ++ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR); ++ return 76; /* Special return value which means "Insufficient permissions to access TPM, ++ * cannot generate SRK". This isn't really an error when called at boot. */; ++ } + if (r < 0) + return r; + +@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) { + return 0; + } + +-DEFINE_MAIN_FUNCTION(run); ++DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run); +diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in +index 9982c84aba..7fdb99b53f 100644 +--- a/units/systemd-tpm2-setup-early.service.in ++++ b/units/systemd-tpm2-setup-early.service.in +@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem + Type=oneshot + RemainAfterExit=yes + ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful ++ ++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. ++SuccessExitStatus=76 +diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in +index 0af7292528..ac29a76966 100644 +--- a/units/systemd-tpm2-setup.service.in ++++ b/units/systemd-tpm2-setup.service.in +@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release + Type=oneshot + RemainAfterExit=yes + ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful ++ ++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. ++SuccessExitStatus=76 diff --git a/SOURCES/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch b/SOURCES/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch new file mode 100644 index 0000000..47ce5cf --- /dev/null +++ b/SOURCES/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch 
@@ -0,0 +1,37 @@ +From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Fri, 8 Mar 2024 13:40:08 -0700 +Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't + validating + +This check introduced in 91adc4db33f6 is intended to spare us from +encountering broken resolver behavior we don't want to deal with. +However if we aren't validating we more than likely don't know the state +of the upstream resolver's support for dnssec. Let's let clients try +these queries if they want. + +This brings the behavior of sd-resolved in line with the previously stated +change in the meaning of DNSSEC=no, which now means "don't validate" +rather than "don't validate, because the upstream resolver is declared to +be dnssec-unaware". + +Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC") +(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a) +--- + src/resolve/resolved-dns-server.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index 340f11f4f4..b37f541c7f 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) { + if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */ + return true; + +- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level)) +- return false; +- + if (server->packet_bad_opt) + return false; + diff --git a/SOURCES/0009-repart-Use-crypt_reencrypt_run-if-available.patch b/SOURCES/0009-repart-Use-crypt_reencrypt_run-if-available.patch new file mode 100644 index 0000000..135eb65 --- /dev/null +++ b/SOURCES/0009-repart-Use-crypt_reencrypt_run-if-available.patch
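Review bot: with the possible_feature_level check removed, dns_server_dnssec_supported() can now return true for a server that resolved has already downgraded below the EDNS0/DO feature levels after it mishandled such packets (of the remaining visible checks only the DNSSEC_YES short-circuit and packet_bad_opt are left), so please confirm that the callers which use this result to decide whether to set the DO bit also consult the server's current feature level; otherwise the proxy-mode queries this change wants to permit may be sent in exactly the form the downgraded server already failed on.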
@@ -0,0 +1,123 @@ +From 70f5fb2f7ab585458008b1d3144e4ebaf98db42e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 2 Jun 2024 16:24:52 +0200 +Subject: [PATCH] repart: Use crypt_reencrypt_run() if available + +crypt_reencrypt() is deprecated, so let's look for and prefer +crypt_reencrypt_run() if it is available. + +(cherry picked from commit b99b2941276a74878a23470b36c75b0c21dbdd4a) +--- + meson.build | 1 + + src/partition/repart.c | 6 +++++- + src/shared/cryptsetup-util.c | 19 ++++++++----------- + src/shared/cryptsetup-util.h | 6 +++--- + 4 files changed, 17 insertions(+), 15 deletions(-) + +diff --git a/meson.build b/meson.build +index ea4e12aa1c..e42151998b 100644 +--- a/meson.build ++++ b/meson.build +@@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size', + 'crypt_token_max', + 'crypt_reencrypt_init_by_passphrase', + 'crypt_reencrypt', ++ 'crypt_reencrypt_run', + 'crypt_set_data_offset', + 'crypt_set_keyring_to_link', + 'crypt_resume_by_volume_key'] +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 6f67d46025..2ecae4ca03 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -3913,7 +3913,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget + } + + static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) { +-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT ++#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT) + const char *node = partition_target_path(target); + struct crypt_params_luks2 luks_params = { + .label = strempty(ASSERT_PTR(p)->new_label), +@@ -4220,7 +4220,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta + if (r < 0) + return log_error_errno(r, "Failed to load reencryption context: %m"); + ++#if 
HAVE_CRYPT_REENCRYPT_RUN ++ r = sym_crypt_reencrypt_run(cd, NULL, NULL); ++#else + r = sym_crypt_reencrypt(cd, NULL); ++#endif + if (r < 0) + return log_error_errno(r, "Failed to encrypt %s: %m", node); + } else { +diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c +index 288e6e8942..d0dd434df8 100644 +--- a/src/shared/cryptsetup-util.c ++++ b/src/shared/cryptsetup-util.c +@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get); + #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE + DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase); + #endif +-#if HAVE_CRYPT_REENCRYPT +-DISABLE_WARNING_DEPRECATED_DECLARATIONS; ++#if HAVE_CRYPT_REENCRYPT_RUN ++DLSYM_FUNCTION(crypt_reencrypt_run); ++#elif HAVE_CRYPT_REENCRYPT + DLSYM_FUNCTION(crypt_reencrypt); +-REENABLE_WARNING; + #endif + DLSYM_FUNCTION(crypt_metadata_locking); + #if HAVE_CRYPT_SET_DATA_OFFSET +@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) { + + /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with + * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is +- * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the +- * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off +- * warnings about this for now. */ +- +- DISABLE_WARNING_DEPRECATED_DECLARATIONS; ++ * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old ++ * symbol if the new one is not available. 
*/ + + ELF_NOTE_DLOPEN("cryptsetup", + "Support for disk encryption, integrity, and authentication", +@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) { + #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE + DLSYM_ARG(crypt_reencrypt_init_by_passphrase), + #endif +-#if HAVE_CRYPT_REENCRYPT ++#if HAVE_CRYPT_REENCRYPT_RUN ++ DLSYM_ARG(crypt_reencrypt_run), ++#elif HAVE_CRYPT_REENCRYPT + DLSYM_ARG(crypt_reencrypt), + #endif + DLSYM_ARG(crypt_metadata_locking), +@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) { + if (r <= 0) + return r; + +- REENABLE_WARNING; +- + /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that + * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set + * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some +diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h +index f00ac367b6..d255e59004 100644 +--- a/src/shared/cryptsetup-util.h ++++ b/src/shared/cryptsetup-util.h +@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get); + #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE + DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase); + #endif +-#if HAVE_CRYPT_REENCRYPT +-DISABLE_WARNING_DEPRECATED_DECLARATIONS; ++#if HAVE_CRYPT_REENCRYPT_RUN ++DLSYM_PROTOTYPE(crypt_reencrypt_run); ++#elif HAVE_CRYPT_REENCRYPT + DLSYM_PROTOTYPE(crypt_reencrypt); +-REENABLE_WARNING; + #endif + DLSYM_PROTOTYPE(crypt_metadata_locking); + #if HAVE_CRYPT_SET_DATA_OFFSET diff --git a/SOURCES/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch b/SOURCES/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch new file mode 100644 index 0000000..315a5ff --- /dev/null +++ b/SOURCES/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch 
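Review bot: the rewritten comment in dlopen_cryptsetup() says the old symbol is used "if the new one is not available", but the selection happens at build time via HAVE_CRYPT_REENCRYPT_RUN, and DLSYM_ARG(crypt_reencrypt_run) then becomes a mandatory symbol at dlopen time. A binary built against libcryptsetup 2.4+ headers will therefore refuse to load a 2.2/2.3 runtime library altogether instead of falling back to crypt_reencrypt(), which contradicts the sentence about supporting 2.2.0 "for a while longer" two lines above. Either reword the comment to say the fallback is chosen by the build-time headers, or resolve both symbols as optional and pick at runtime if 2.2.0 runtime support is still the goal.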
@@ -0,0 +1,136 @@ +From 4a468387acbc8a2bd51bffaeca242e415e55b614 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 12 Jun 2024 12:09:25 +0200 +Subject: [PATCH] test: dump a simple summary at the end of TEST-02-UNITTEST + +Let's dump a list of skipped tests and logs from failed tests at the end +of TEST-02-UNITTEST to make debugging fails in CI slightly less painful. + +(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3) +--- + test/TEST-02-UNITTESTS/test.sh | 8 ---- + test/test-functions | 68 --------------------------------- + test/units/TEST-02-UNITTESTS.sh | 14 +++++++ + 3 files changed, 14 insertions(+), 76 deletions(-) + +diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh +index f165c99368..2cf9c31096 100755 +--- a/test/TEST-02-UNITTESTS/test.sh ++++ b/test/TEST-02-UNITTESTS/test.sh +@@ -37,12 +37,4 @@ test_append_files() { + fi + } + +-check_result_nspawn() { +- check_result_nspawn_unittests "${1}" +-} +- +-check_result_qemu() { +- check_result_qemu_unittests +-} +- + do_test "$@" +diff --git a/test/test-functions b/test/test-functions +index be6eb1d9b2..8b497b2e27 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1860,74 +1860,6 @@ check_result_qemu() { + return $ret + } + +-check_result_nspawn_unittests() { +- local workspace="${1:?}" +- local ret=1 +- +- [[ -e "$workspace/testok" ]] && ret=0 +- +- if [[ -s "$workspace/failed" ]]; then +- ret=$((ret + 1)) +- echo "=== Failed test log ===" +- cat "$workspace/failed" +- else +- if [[ -s "$workspace/skipped" ]]; then +- echo "=== Skipped test log ==" +- cat "$workspace/skipped" +- # We might have only skipped tests - that should not fail the job +- ret=0 +- fi +- if [[ -s "$workspace/testok" ]]; then +- echo "=== Passed tests ===" +- cat "$workspace/testok" +- fi +- fi +- +- get_bool "${TIMED_OUT:=}" && ret=1 +- check_coverage_reports "$workspace" || ret=5 +- +- save_journal "$workspace/var/log/journal" $ret +- echo "${JOURNAL_LIST:-"No 
journals were saved"}" +- +- _umount_dir "${initdir:?}" +- +- return $ret +-} +- +-check_result_qemu_unittests() { +- local ret=1 +- +- mount_initdir +- [[ -e "${initdir:?}/testok" ]] && ret=0 +- +- if [[ -s "$initdir/failed" ]]; then +- ret=$((ret + 1)) +- echo "=== Failed test log ===" +- cat "$initdir/failed" +- else +- if [[ -s "$initdir/skipped" ]]; then +- echo "=== Skipped test log ==" +- cat "$initdir/skipped" +- # We might have only skipped tests - that should not fail the job +- ret=0 +- fi +- if [[ -s "$initdir/testok" ]]; then +- echo "=== Passed tests ===" +- cat "$initdir/testok" +- fi +- fi +- +- get_bool "${TIMED_OUT:=}" && ret=1 +- check_coverage_reports "$initdir" || ret=5 +- +- save_journal "$initdir/var/log/journal" $ret +- echo "${JOURNAL_LIST:-"No journals were saved"}" +- +- _umount_dir "$initdir" +- +- return $ret +-} +- + create_rc_local() { + dinfo "Create rc.local" + mkdir -p "${initdir:?}/etc/rc.d" +diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh +index 6392425130..4448643f9a 100755 +--- a/test/units/TEST-02-UNITTESTS.sh ++++ b/test/units/TEST-02-UNITTESTS.sh +@@ -95,6 +95,20 @@ export -f run_test + find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 | + xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}" + ++# Write all pending messages, so they don't get mixed with the summaries below ++journalctl --sync ++ ++# No need for full test logs in this case ++if [[ -s /skipped-tests ]]; then ++ : "=== SKIPPED TESTS ===" ++ cat /skipped-tests ++fi ++ ++if [[ -s /failed ]]; then ++ : "=== FAILED TESTS ===" ++ cat /failed ++fi ++ + # Test logs are sometimes lost, as the system shuts down immediately after + journalctl --sync + diff --git a/SOURCES/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch b/SOURCES/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch new file mode 100644 index 0000000..8afa8c8 --- /dev/null +++ b/SOURCES/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch 
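Review bot: the removed check_result_nspawn_unittests()/check_result_qemu_unittests() helpers did more than print a summary: they treated a run with only skipped tests as success (`ret=0` in the skipped branch), bumped `ret` when the failed file was non-empty, and folded TIMED_OUT and the coverage check into the result. Now that TEST-02 falls back to the generic check_result_nspawn()/check_result_qemu(), please confirm those still consult the `failed` file and still give the skipped-only case a passing result; otherwise this patch changes pass/fail semantics beyond what the commit message ("dump a simple summary") describes.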
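Review bot: the section headers in the new TEST-02-UNITTESTS.sh summary are emitted with the no-op builtin (`: "=== SKIPPED TESTS ==="`, `: "=== FAILED TESTS ==="`), which only becomes visible in the journal when the script runs under `set -x`; nothing in this hunk enables that, so either use `echo` or confirm `set -x` is in effect earlier in the script, or the headers are silently dropped and only the raw `cat` output remains. `journalctl --sync` is now also called twice in a row around the summary; the second call is harmless, but its comment ("Test logs are sometimes lost ...") now duplicates the intent of the first, so consider merging them.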
@@ -0,0 +1,29 @@ +From d316aed5d8e15fb5b13b5618f1b2d1d020b1e7bf Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 3 Jun 2024 12:35:29 +0200 +Subject: [PATCH] repart: Use CRYPT_ACTIVATE_PRIVATE + +Let's skip udev device scanning when activating a LUKS volume in +systemd-repart as we don't depend on any udev symlinks and don't +expect anything except repart to access the volume. + +Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941. + +(cherry picked from commit 726fc7ae696510b04c24810f691d34f5d20529d6) +--- + src/partition/repart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 2ecae4ca03..78cf60f724 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -4236,7 +4236,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta + dm_name, + NULL, + VOLUME_KEY_SIZE, +- arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0); ++ (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE); + if (r < 0) + return log_error_errno(r, "Failed to activate LUKS superblock: %m"); + diff --git a/SOURCES/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch b/SOURCES/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch new file mode 100644 index 0000000..13f9173 --- /dev/null +++ b/SOURCES/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch 
@@ -0,0 +1,26 @@ +From 4ebcdcb1360dbb10444f518bad7f04e10bcb6387 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 11 Jun 2024 23:09:30 +0100 +Subject: [PATCH] NEWS: note that new stable releases will be in the main repo + +(cherry picked from commit 40d637bace4041f081088673cb230669c1e34faf) +--- + NEWS | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/NEWS b/NEWS +index 02ad8b2c79..bbee0852be 100644 +--- a/NEWS ++++ b/NEWS +@@ -81,6 +81,11 @@ CHANGES WITH 256: + * systemd.crash_reboot and related settings are deprecated in favor of + systemd.crash_action=. + ++ * Stable releases for version v256 and newer will now be pushed in the ++ main repository. The systemd-stable repository will be used for existing ++ stable branches (v255-stable and lower), and when they reach EOL it will ++ be archived. ++ + General Changes and New Features: + + * Various programs will now attempt to load the main configuration file diff --git a/SOURCES/0013-shell-completion-only-offer-devices-for-completion.patch b/SOURCES/0013-shell-completion-only-offer-devices-for-completion.patch new file mode 100644 index 0000000..4d871f8 --- /dev/null +++ b/SOURCES/0013-shell-completion-only-offer-devices-for-completion.patch 
@@ -0,0 +1,29 @@ +From 2034de6157cc0d3e60489cdc16c7a5651f38783c Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Wed, 12 Jun 2024 14:35:34 +0200 +Subject: [PATCH] shell-completion: only offer devices for completion + +This skips directories and other stuff like /dev/core, /dev/initctl or +/dev/log. + +(cherry picked from commit bde35f4a91663ebb854330f582baeef0f9adcbfb) +--- + shell-completion/bash/udevadm | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm +index 05f921cf49..3842d722e7 100644 +--- a/shell-completion/bash/udevadm ++++ b/shell-completion/bash/udevadm +@@ -32,10 +32,7 @@ __get_all_sysdevs() { + } + + __get_all_device_nodes() { +- local i +- for i in /dev/* /dev/*/* /dev/*/*/*; do +- echo $i +- done ++ find /dev -xtype b -o -xtype c + } + + __get_all_device_units() { diff --git a/SOURCES/0014-CODING_STYLE-document-reterr_-return-parameters.patch b/SOURCES/0014-CODING_STYLE-document-reterr_-return-parameters.patch new file mode 100644 index 0000000..9a94776 --- /dev/null +++ b/SOURCES/0014-CODING_STYLE-document-reterr_-return-parameters.patch 
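Review bot: `find /dev -xtype b -o -xtype c` prints permission errors for unreadable subdirectories of /dev to stderr, and in a completion function that output lands on the user's terminal mid-completion; add `2>/dev/null` (the old glob loop never produced such noise). The expression itself is fine without parentheses because the implicit `-print` applies to the whole `-o` expression.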
@@ -0,0 +1,98 @@ +From a61a83a22b5f464463f9ab9e3ee3950f299c9f43 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 12 Jun 2024 18:31:56 +0200 +Subject: [PATCH] CODING_STYLE: document "reterr_" return parameters + +In some recent PRs (e.g. #32628) I started to systematically name return +parameters that shall only be initialized on failure (because they carry +additional error meta information, such as the line/column number of +parse failures or so). Let's make this official in the coding style. + +(cherry picked from commit 7811864b08393eda5ff92145ea2776180d9b28ee) +--- + docs/CODING_STYLE.md | 62 ++++++++++++++++++++++++++++++++++---------- + 1 file changed, 48 insertions(+), 14 deletions(-) + +diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md +index 8f687e6662..309436a397 100644 +--- a/docs/CODING_STYLE.md ++++ b/docs/CODING_STYLE.md +@@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later + thread. Use `is_main_thread()` to detect whether the calling thread is the + main thread. + +-- Do not write functions that clobber call-by-reference variables on +- failure. Use temporary variables for these cases and change the passed in +- variables only on success. The rule is: never clobber return parameters on +- failure, always initialize return parameters on success. +- +-- Typically, function parameters fit into three categories: input parameters, +- mutable objects, and call-by-reference return parameters. Input parameters +- should always carry suitable "const" declarators if they are pointers, to +- indicate they are input-only and not changed by the function. Return +- parameters are best prefixed with "ret_", to clarify they are return +- parameters. (Conversely, please do not prefix parameters that aren't +- output-only with "ret_", in particular not mutable parameters that are both +- input as well as output). 
Example: ++- Typically, function parameters fit into four categories: input parameters, ++ mutable objects, call-by-reference return parameters that are initialized on ++ success, and call-by-reference return parameters that are initialized on ++ failure. Input parameters should always carry suitable `const` declarators if ++ they are pointers, to indicate they are input-only and not changed by the ++ function. The name of return parameters that are initialized on success ++ should be prefixed with `ret_`, to clarify they are return parameters. The ++ name of return parameters that are initialized on failure should be prefixed ++ with `reterr_`. (Examples of such parameters: those which carry additional ++ error information, such as the row/column of parse errors or so). – ++ Conversely, please do not prefix parameters that aren't output-only with ++ `ret_` or `reterr_`, in particular not mutable parameters that are both input ++ as well as output. ++ ++ Example: + + ```c + static int foobar_frobnicate( + Foobar* object, /* the associated mutable object */ + const char *input, /* immutable input parameter */ +- char **ret_frobnicated) { /* return parameter */ ++ char **ret_frobnicated, /* return parameter on success */ ++ unsigned *reterr_line, /* return parameter on failure */ ++ unsigned *reterr_column) { /* ditto */ + … + return 0; + } + ``` + ++- Do not write functions that clobber call-by-reference success return ++ parameters on failure (i.e. `ret_xyz`, see above), or that clobber ++ call-by-reference failure return parameters on success ++ (i.e. `reterr_xyz`). Use temporary variables for these cases and change the ++ passed in variables only in the right condition. The rule is: never clobber ++ success return parameters on failure, always initialize success return ++ parameters on success (and the reverse for failure return parameters, of ++ course). 
++ ++- Please put `reterr_` return parameters in the function parameter list last, ++ and `ret_` return parameters immediately before that. ++ ++ Good: ++ ++ ```c ++ static int do_something( ++ const char *input, ++ const char *ret_on_success, ++ const char *reterr_on_failure); ++ ``` ++ ++ Not good: ++ ++ ```c ++ static int do_something( ++ const char *reterr_on_failure, ++ const char *ret_on_success, ++ const char *input); ++ ``` ++ + - The order in which header files are included doesn't matter too + much. systemd-internal headers must not rely on an include order, so it is + safe to include them in any order possible. However, to not clutter global diff --git a/SOURCES/0015-analyze-show-pcrs-also-in-sha384-bank.patch b/SOURCES/0015-analyze-show-pcrs-also-in-sha384-bank.patch new file mode 100644 index 0000000..c94137a --- /dev/null +++ b/SOURCES/0015-analyze-show-pcrs-also-in-sha384-bank.patch @@ -0,0 +1,27 @@ +From 51390a1f41a762ef96d3c496d8a5d890d722907d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 4 Jun 2024 11:02:34 +0200 +Subject: [PATCH] analyze: show pcrs also in sha384 bank + +SHA384 is pretty much the bank we actually *want* to use, since it's +faster to calculate than SHA256, hence at the very least, start +considering. + +(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa) +--- + src/analyze/analyze-pcrs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c +index 43e415fc6d..1c3da3fd84 100644 +--- a/src/analyze/analyze-pcrs.c ++++ b/src/analyze/analyze-pcrs.c +@@ -11,7 +11,7 @@ + static int get_pcr_alg(const char **ret) { + assert(ret); + +- FOREACH_STRING(alg, "sha256", "sha1") { ++ FOREACH_STRING(alg, "sha256", "sha384", "sha1") { + _cleanup_free_ char *p = NULL; + + if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0) 
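Review bot: the "Good"/"Not good" prototypes in the new CODING_STYLE section declare both return parameters as `const char *ret_on_success` and `const char *reterr_on_failure`, which cannot be written through and so are not return parameters at all; this contradicts the `char **ret_frobnicated` / `unsigned *reterr_line` forms in the example a few lines above. Use `char **ret_on_success` and `unsigned *reterr_on_failure` (or similar pointer-to-output types) so the ordering example does not teach the wrong signature.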
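Review bot: the analyze-pcrs.c hunk orders the banks as `"sha256", "sha384", "sha1"`, so sha256 is still tried first and sha384 is only a fallback, while the commit message says SHA384 is the bank "we actually *want* to use"; if that preference is intended, put "sha384" first, otherwise adjust the commit message to say this only adds sha384 as a fallback between sha256 and sha1.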
diff --git a/SOURCES/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch b/SOURCES/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch new file mode 100644 index 0000000..44ebc9b --- /dev/null +++ b/SOURCES/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch 
@@ -0,0 +1,41 @@ +From 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= +Date: Thu, 13 Jun 2024 11:59:28 -0400 +Subject: [PATCH] fundamental: declare flex array updated for gcc15 and clang + 19 + +Silly workaround that: +- allowed flexible arrays in unions +- allowed flexible arrays in otherwise empty structs + +Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a +(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9 + +(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939) +--- + src/fundamental/macro-fundamental.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h +index 5ccbda5186..8aca5f784a 100644 +--- a/src/fundamental/macro-fundamental.h ++++ b/src/fundamental/macro-fundamental.h +@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { + } \ + } + ++/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/ ++#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19) ++#define DECLARE_FLEX_ARRAY(type, name) type name[]; ++#else + /* Declare a flexible array usable in a union. + * This is essentially a work-around for a pointless constraint in C99 + * and might go away in some future version of the standard. +@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { + dummy_t __empty__ ## name; \ + type name[]; \ + } ++#endif + + /* Declares an ELF read-only string section that does not occupy memory at runtime. */ + #define DECLARE_NOALLOC_SECTION(name, text) \ diff --git a/SOURCES/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch b/SOURCES/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch new file mode 100644 index 0000000..a7a5afc --- /dev/null 
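Review bot: the new comment `/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/` points the reader upward, but the explanation it refers to ("Declare a flexible array usable in a union. This is essentially a work-around for a pointless constraint in C99 ...") now sits below it inside the `#else` branch; move the explanatory comment above the `#if` so it covers both branches, and add the missing space before `*/`. The version test itself is fine: clang reports `__GNUC__` as 4, so the `__clang__` clause is what enables the new path there.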
+++ b/SOURCES/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch @@ -0,0 +1,31 @@ +From aedeaf745028a463150fd6d2b1aca778797735ac Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Fri, 14 Jun 2024 17:31:22 -0400 +Subject: [PATCH] man: add a bit of a warning to systemd-tmpfiles --purge + +Mention that by default, /home is managed by tmpfiles.d/home.conf, and +recommend that users run systemd-tmpfiles --dry-run --purge first to +see exactly what will be removed. + +(cherry picked from commit 9ebcac3b5125a8b0b11f371731ea167cd4684adc) +--- + man/systemd-tmpfiles.xml | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml +index 008bff62da..6f3ec66611 100644 +--- a/man/systemd-tmpfiles.xml ++++ b/man/systemd-tmpfiles.xml +@@ -150,7 +150,11 @@ + + + If this option is passed, all files and directories created by a +- tmpfiles.d/ entry will be deleted. ++ tmpfiles.d/ entry will be deleted. Keep in mind that by default, ++ /home is created by systemd-tmpfiles ++ (see /usr/lib/tmpfiles.d/home.conf). Therefore it is recommended ++ to first run systemd-tmpfiles --dry-run --purge to be certain which files ++ and directories will be deleted. + + + diff --git a/SOURCES/0018-man-units-drop-temporary-from-description-of-systemd.patch b/SOURCES/0018-man-units-drop-temporary-from-description-of-systemd.patch new file mode 100644 index 0000000..207204d --- /dev/null +++ b/SOURCES/0018-man-units-drop-temporary-from-description-of-systemd.patch 
@@ -0,0 +1,65 @@ +From 1a0e6961cfaed42bda542e111738c136f7b4d73f Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 15 Jun 2024 17:27:33 +0200 +Subject: [PATCH] man,units: drop "temporary" from description of + systemd-tmpfiles + +Historically, systemd-tmpfiles was designed to manage temporary +files, but nowadays it has become a generic tool for managing +all kinds of files. To avoid user confusion, let's remove "temporary" +from the tool's description. + +As discussed in #33349 + +(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735) +--- + man/systemd-tmpfiles.xml | 8 +++++--- + units/systemd-tmpfiles-setup.service | 2 +- + units/user/systemd-tmpfiles-setup.service | 2 +- + 3 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml +index 6f3ec66611..9767aead85 100644 +--- a/man/systemd-tmpfiles.xml ++++ b/man/systemd-tmpfiles.xml +@@ -55,9 +55,11 @@ + + Description + +- systemd-tmpfiles creates, deletes, and cleans up volatile and temporary files +- and directories, using the configuration file format and location specified in +- tmpfiles.d5. It must ++ systemd-tmpfiles creates, deletes, and cleans up files and directories, using ++ the configuration file format and location specified in ++ tmpfiles.d5. ++ Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides ++ generic file management functionality and can be used to manage any kind of files. It must + be invoked with one or more commands , , and + , to select the respective subset of operations. + +diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service +index 6cae32850f..b92beb7314 100644 +--- a/units/systemd-tmpfiles-setup.service ++++ b/units/systemd-tmpfiles-setup.service +@@ -8,7 +8,7 @@ + # (at your option) any later version.
+ + [Unit] +-Description=Create Volatile Files and Directories ++Description=Create System Files and Directories + Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8) + + DefaultDependencies=no +diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service +index 156689edcd..54e453c4fc 100644 +--- a/units/user/systemd-tmpfiles-setup.service ++++ b/units/user/systemd-tmpfiles-setup.service +@@ -8,7 +8,7 @@ + # (at your option) any later version. + + [Unit] +-Description=Create User's Volatile Files and Directories ++Description=Create User Files and Directories + Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8) + DefaultDependencies=no + Conflicts=shutdown.target diff --git a/SOURCES/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch b/SOURCES/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch new file mode 100644 index 0000000..ddc2f39 --- /dev/null +++ b/SOURCES/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch 
@@ -0,0 +1,24 @@ +From 9f5f3c2f8bc2c3d82678672f3e700c1eb4e52d61 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 11:16:21 +0100 +Subject: [PATCH] mkosi: enable unprivileged user ns for integration tests + +Ubuntu disables them by default in Noble, ship a sysctl to turn them back on +so that tests can use them + +(cherry picked from commit 4cfcde024f34b3e5f682364d4e0c6185ef07d467) +--- + .../usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf + +diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf +new file mode 100644 +index 0000000000..657ac72f8d +--- /dev/null ++++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf +@@ -0,0 +1,4 @@ ++# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed ++# for integration tests ++kernel.apparmor_restrict_unprivileged_unconfined = 0 ++kernel.apparmor_restrict_unprivileged_userns = 0 diff --git a/SOURCES/0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch b/SOURCES/0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch new file mode 100644 index 0000000..19dd89d --- /dev/null +++ b/SOURCES/0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch 
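Review bot: the new 99-apparmor-unpriv-userns.conf turns off two hardening knobs (`kernel.apparmor_restrict_unprivileged_userns` and `kernel.apparmor_restrict_unprivileged_unconfined`) that Ubuntu enables by default to blunt unprivileged user-namespace based exploitation, and it lands in `/usr/lib/sysctl.d/` of the `system` image via mkosi.extra, so any image produced from this profile inherits the relaxed setting, not just the integration-test run. Please scope it to the test configuration (or make the comment state explicitly that this image is test-only and must not be used as a base for anything else) so the weakened default cannot leak into a deployable image.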
@@ -0,0 +1,74 @@ +From 21feae324e812580062c36aa14cc5e68a37aa151 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 15:28:56 +0100 +Subject: [PATCH] mkosi: use ports.ubuntu.com for non-x86 backports + +Follow-up for 46368556afee7a1f3a1685609942438ef2d9d6c1 + +(cherry picked from commit c01cb8cbff8512b65b7903b55f78c8d12661b8d7) +--- + mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf | 3 --- + .../mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 9 +++++++++ + .../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 9 +++++++++ + .../mkosi.conf.d/10-ubuntu/noble-backports-ports.sources | 6 ++++++ + 4 files changed, 24 insertions(+), 3 deletions(-) + create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf + create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf + create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources + +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf +index 25957b1e92..86f9736ed9 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf +@@ -3,9 +3,6 @@ + [Match] + Distribution=ubuntu + +-[Distribution] +-PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources +- + [Content] + Packages= + linux-image-generic +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +new file mode 100644 +index 0000000000..0ec4807822 +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +@@ -0,0 +1,9 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# The ports Ubuntu archive is for non i386/amd64 repositories ++ ++[Match] ++Architecture=!x86-64 ++Architecture=!x86 ++ ++[Distribution] 
++PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +new file mode 100644 +index 0000000000..c08eeac337 +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +@@ -0,0 +1,9 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# The main Ubuntu archive is only for i386/amd64 repositories ++ ++[Match] ++Architecture=|x86-64 ++Architecture=|x86 ++ ++[Distribution] ++PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources +new file mode 100644 +index 0000000000..5b96dc544d +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources +@@ -0,0 +1,6 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++Types: deb ++URIs: http://ports.ubuntu.com ++Suites: noble-backports ++Components: main universe ++Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg diff --git a/SOURCES/0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch b/SOURCES/0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch new file mode 100644 index 0000000..3229128 --- /dev/null +++ b/SOURCES/0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch 
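Review bot: noble-backports-ports.sources fetches over `http://ports.ubuntu.com`; integrity is covered by the `Signed-By:` keyring line, so this is not a tampering risk, but the package index and downloads are still visible to anyone on the path. `https://ports.ubuntu.com` is served too, so prefer it for consistency with the other sources files, unless the existing noble-backports.sources that this mirrors also uses plain http.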
@@ -0,0 +1,58 @@ +From 9802a28b367b3d403c41b570949e3c91f505ede5 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 20:42:12 +0100 +Subject: [PATCH] mkosi: install EFI packages only on EFI architectures + +sbsigntool, systemd-boot and systemd-boot-efi do not exist on other +architectures + +(cherry picked from commit 47fe3f29b4ba1b44ae71a7e67c579c4883731dd4) +--- + .../mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 3 --- + .../10-debian-ubuntu/mkosi.conf.d/efi.conf | 16 ++++++++++++++++ + 2 files changed, 16 insertions(+), 3 deletions(-) + create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf + +diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf +index ae014fa966..ecac78049d 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf +@@ -20,8 +20,6 @@ VolatilePackages= + libsystemd-dev + libudev-dev + systemd +- systemd-boot +- systemd-boot-efi + systemd-container + systemd-coredump + systemd-dev +@@ -74,7 +72,6 @@ Packages= + python3-pexpect + python3-psutil + quota +- sbsigntool + softhsm2 + squashfs-tools + stress +diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf +new file mode 100644 +index 0000000000..781670a775 +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf +@@ -0,0 +1,16 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# sbsigntool exists only on UEFI architectures ++ ++[Match] ++Architecture=|x86 ++Architecture=|x86-64 ++Architecture=|arm ++Architecture=|arm64 ++Architecture=|riscv32 ++Architecture=|riscv64 ++ ++[Content] ++Packages= ++ sbsigntool ++ systemd-boot ++ systemd-boot-efi 
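Review bot: in the 10-debian-ubuntu/mkosi.conf hunk, systemd-boot and systemd-boot-efi are removed from the VolatilePackages= list (the hunk at line 20 sits under that key) while sbsigntool is removed from Packages=, but efi.conf re-adds all three under [Content] Packages=. VolatilePackages= and Packages= are not interchangeable in mkosi (volatile packages are installed after the build step and kept out of the package cache), so either give efi.conf its own VolatilePackages= list for the two systemd-boot packages or say in the commit message that the move to Packages= is intended. Minor: the comment "sbsigntool exists only on UEFI architectures" describes one of the three packages; say the file gates all EFI-only packages.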
diff --git a/SOURCES/0022-test-check-the-skip-condition-before-installing-addi.patch b/SOURCES/0022-test-check-the-skip-condition-before-installing-addi.patch new file mode 100644 index 0000000..415f47d --- /dev/null +++ b/SOURCES/0022-test-check-the-skip-condition-before-installing-addi.patch @@ -0,0 +1,31 @@ +From 50b53b8221aa9d5e8fa3269b73d13b8a304728a8 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 13:41:50 +0100 +Subject: [PATCH] test: check the skip condition before installing additional + files + +(cherry picked from commit e1daedb4be6d8180790e0b303872fb1c87ddc7fc) +--- + test/units/TEST-43-PRIVATEUSER-UNPRIV.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh +index 165af47f15..f8a2a62467 100755 +--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh ++++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh +@@ -6,13 +6,13 @@ set -o pipefail + # shellcheck source=test/units/util.sh + . "$(dirname "$0")"/util.sh + +-install_extension_images +- + if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then + echo "Cannot create unprivileged user namespaces" >/skipped + exit 77 + fi + ++install_extension_images ++ + systemd-analyze log-level debug + + runas testuser systemd-run --wait --user --unit=test-private-users \ diff --git a/SOURCES/0023-test-drop-unneeded-firmware-uefi-setting.patch b/SOURCES/0023-test-drop-unneeded-firmware-uefi-setting.patch new file mode 100644 index 0000000..32a797a --- /dev/null +++ b/SOURCES/0023-test-drop-unneeded-firmware-uefi-setting.patch 
@@ -0,0 +1,37 @@ +From 51a2e7be5ec1a28be11d309897671c8dd4511ae8 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 16:08:57 +0100 +Subject: [PATCH] test: drop unneeded firmware: uefi setting + +These tests no longer need this, as they are running in nspawn, drop it + +(cherry picked from commit f44fc531c95e37c83203375c411189009a01b482) +--- + test/TEST-09-REBOOT/meson.build | 2 -- + test/TEST-18-FAILUREACTION/meson.build | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build +index c4b41bc97b..b7556189f5 100644 +--- a/test/TEST-09-REBOOT/meson.build ++++ b/test/TEST-09-REBOOT/meson.build +@@ -4,7 +4,5 @@ integration_tests += [ + integration_test_template + { + 'name' : fs.name(meson.current_source_dir()), + 'storage' : 'persistent', +- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. +- 'firmware' : 'uefi', + }, + ] +diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build +index 5edfbcad1f..8dec5f37e7 100644 +--- a/test/TEST-18-FAILUREACTION/meson.build ++++ b/test/TEST-18-FAILUREACTION/meson.build +@@ -3,7 +3,5 @@ + integration_tests += [ + integration_test_template + { + 'name' : fs.name(meson.current_source_dir()), +- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. +- 'firmware' : 'uefi', + }, + ] diff --git a/SOURCES/0024-test-drop-obsolete-comment.patch b/SOURCES/0024-test-drop-obsolete-comment.patch new file mode 100644 index 0000000..4b1e1ab --- /dev/null +++ b/SOURCES/0024-test-drop-obsolete-comment.patch 
@@ -0,0 +1,28 @@ +From df1e7d9572fab94209989f341bb1e1a86d88223b Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 19:21:32 +0100 +Subject: [PATCH] test: drop obsolete comment + +We want to keep various logic here instead of mkosi, so drop the +temporary comment + +(cherry picked from commit 626518ecd5e7b0c0c708ba53d7eb62934506ed54) +--- + test/integration-test-wrapper.py | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py +index 5b098a3e01..1e015e7d47 100755 +--- a/test/integration-test-wrapper.py ++++ b/test/integration-test-wrapper.py +@@ -2,10 +2,6 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + + '''Test wrapper command for driving integration tests. +- +-Note: This is deliberately rough and only intended to drive existing tests +-with the expectation that as part of formally defining the API it will be tidy. +- + ''' + + import argparse diff --git a/SOURCES/0025-test-support-TEST_NO_KVM.patch b/SOURCES/0025-test-support-TEST_NO_KVM.patch new file mode 100644 index 0000000..e30df11 --- /dev/null +++ b/SOURCES/0025-test-support-TEST_NO_KVM.patch 
@@ -0,0 +1,25 @@ +From a36cb5660e4d84c16242c1d70b99d9a2e389f191 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 19:15:24 +0100 +Subject: [PATCH] test: support TEST_NO_KVM + +The shell integration suite allows to manually deselect KVM, so +suppor the same env var for the same purpose in python. + +(cherry picked from commit 7d2701e7d1d0a7194026dd371071df6e63f59a82) +--- + test/integration-test-wrapper.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py +index 1e015e7d47..15b1ce1055 100755 +--- a/test/integration-test-wrapper.py ++++ b/test/integration-test-wrapper.py +@@ -124,6 +124,7 @@ def main(): + *args.mkosi_args, + '--append', + '--qemu-firmware', args.firmware, ++ '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no", + '--kernel-command-line-extra', + ' '.join([ + 'systemd.hostname=H', diff --git a/SOURCES/0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch b/SOURCES/0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch new file mode 100644 index 0000000..95739e6 --- /dev/null +++ b/SOURCES/0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch 
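Review bot: `bool(int(os.getenv("TEST_NO_KVM", "0")))` raises ValueError for any non-integer value (TEST_NO_KVM=yes or =true), so a slightly misspelled environment turns into a traceback instead of a skip or a clear error; parse it with a small helper that accepts 1/0/true/false, or at least catch ValueError and fail with a message naming the variable. The ternary also reads more naturally inverted: `"no" if int(os.getenv("TEST_NO_KVM", "0")) else "auto"`.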
@@ -0,0 +1,30 @@ +From 6178aa4bbcc6b0531314c1a2e9df61e45e6c9ad4 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 17 Jun 2024 14:09:40 +0100 +Subject: [PATCH] test: support TEST_NO_QEMU in mkosi integration wrapper + +Same as the old integration test suite, allow skipping tests that +require qemu. +ppc64el's vsock support doesn't appear to work, so we'll skip it, +as it is already done in the legacy framework. + +(cherry picked from commit 464d182b3e470e4163ca376145539a537a6e43a2) +--- + test/integration-test-wrapper.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py +index 15b1ce1055..b6a16aa3ef 100755 +--- a/test/integration-test-wrapper.py ++++ b/test/integration-test-wrapper.py +@@ -57,6 +57,10 @@ def main(): + print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr) + exit(77) + ++ if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))): ++ print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr) ++ exit(77) ++ + name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "") + + dropin = textwrap.dedent( diff --git a/SOURCES/0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch b/SOURCES/0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch new file mode 100644 index 0000000..405e322 --- /dev/null +++ b/SOURCES/0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch 
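Review bot: same parsing concern as the TEST_NO_KVM hunk in 0025: `bool(int(os.getenv("TEST_NO_QEMU", "0")))` fails with ValueError on non-numeric values, and the two checks should share one helper rather than duplicating the idiom. The commit message cites ppc64el's broken vsock as the motivation, but this hunk only adds the opt-out; whatever sets TEST_NO_QEMU=1 on ppc64el (CI or packaging configuration) is not in the patch, so the message should say where that is wired up.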
@@ -0,0 +1,27 @@ +From 7d65709901cb3fc746639398776cfdb7cb750a03 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 17 Jun 2024 15:37:43 +0100 +Subject: [PATCH] test: use 'auto' instead of 'uefi' for automated fallback + +mkosi will prefer UEFI if the architecture supports it, but fallback +to 'linux' if it doesn't. + +(cherry picked from commit 80468db8fa21ffd07dc2f28c656eeaf8f0292367) +--- + test/TEST-06-SELINUX/meson.build | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build +index 7a850beb81..9261a49c49 100644 +--- a/test/TEST-06-SELINUX/meson.build ++++ b/test/TEST-06-SELINUX/meson.build +@@ -5,7 +5,8 @@ integration_tests += [ + 'name' : fs.name(meson.current_source_dir()), + 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'], + # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. +- 'firmware' : 'uefi', ++ # Use 'auto' to automatically fallback on non-uefi architectures. ++ 'firmware' : 'auto', + 'vm' : true, + }, + ] diff --git a/SOURCES/0028-core-service-fix-accept-socket-deserialization.patch b/SOURCES/0028-core-service-fix-accept-socket-deserialization.patch new file mode 100644 index 0000000..c92c6b2 --- /dev/null +++ b/SOURCES/0028-core-service-fix-accept-socket-deserialization.patch 
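Review bot: the FIXME "Figure out why reboot sometimes hangs with 'linux' firmware" is kept while the value changes from 'uefi' to 'auto', and 'auto' is precisely the setting that selects 'linux' firmware on non-UEFI architectures, so on those architectures the hang the FIXME warns about can come back. Either state in the comment that the fallback path is known-flaky there or reference the tracking issue for the hang next to the new "Use 'auto'" comment.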
@@ -0,0 +1,45 @@ +From f7d55cc801611781fbff2817f2fd4a16ec96ca85 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 17 Jun 2024 07:47:20 +0200 +Subject: [PATCH] core/service: fix accept-socket deserialization + +Follow-up for 45b1017488cef2a5bacdf82028ce900a311c9a1c + +(cherry picked from commit 9f5d8c3da4f505346bd1edfae907a2abcdbdc578) +--- + src/core/service.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index 8ec27c463a..6e81460ad0 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) { + service_start_watchdog(s); + + if (UNIT_ISSET(s->accept_socket)) { +- Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket)); ++ Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket)); + + if (socket->max_connections_per_source > 0) { + SocketPeer *peer; +@@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, + } else if (streq(key, "accept-socket")) { + Unit *socket; + +- if (u->type != UNIT_SOCKET) { +- log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket"); ++ if (unit_name_to_type(value) != UNIT_SOCKET) { ++ log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value); + return 0; + } + +@@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, + log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value); + else { + unit_ref_set(&s->accept_socket, u, socket); +- SOCKET(socket)->n_connections++; ++ ASSERT_PTR(SOCKET(socket))->n_connections++; + } + + } else if (streq(key, "socket-fd")) { diff --git a/SOURCES/0029-test-network-mention-that-the-captive-portal-option-.patch b/SOURCES/0029-test-network-mention-that-the-captive-portal-option-.patch new file mode 100644 index 0000000..4e78bf7 --- /dev/null 
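Review bot: the first hunk (`Socket* socket` to `Socket *socket`) is a whitespace-only style change unrelated to the deserialization fix and belongs in its own commit so the bug fix stays minimal for backporting. On the fix itself: the old test `u->type != UNIT_SOCKET` checked the service unit's own type, so it rejected every accept-socket entry (a service is never a socket); checking `unit_name_to_type(value)` is right, and since unit_name_to_type() returns a negative value for an invalid name, a garbage value is also rejected by the `!= UNIT_SOCKET` comparison. Consider logging that case above debug level, because it indicates a corrupted serialization rather than a benign mismatch.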
+++ b/SOURCES/0029-test-network-mention-that-the-captive-portal-option-.patch @@ -0,0 +1,26 @@ +From 4cc6da9a5dfb69f149404d5a784c57bca2a21237 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 18 Jun 2024 00:09:03 +0900 +Subject: [PATCH] test-network: mention that the captive portal option is + supported since v2.20 + +The current latest release is v2.19, hence the test is typically skipped now. + +(cherry picked from commit 4f6d8ab0767e534553bfa130f39dbb07ebb804a4) +--- + test/test-network/systemd-networkd-tests.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 92cb07f11c..0355c7aca1 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -5824,6 +5824,8 @@ class NetworkdRATests(unittest.TestCase, Utilities): + self.assertIn('pref high', output) + self.assertNotIn('pref low', output) + ++ # radvd supports captive portal since v2.20. ++ # https://github.com/radvd-project/radvd/commit/791179a7f730decbddb2290ef0e34aa85d71b1bc + @unittest.skipUnless(radvd_check_config('captive-portal.conf'), "Installed radvd doesn't support captive portals") + def test_captive_portal(self): + copy_network_unit('25-veth-client.netdev', diff --git a/SOURCES/0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch b/SOURCES/0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch new file mode 100644 index 0000000..72675ca --- /dev/null +++ b/SOURCES/0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch 
@@ -0,0 +1,27 @@ +From b455006ae189d4ceef4214d8d4ab2027781d37e0 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 17 Jun 2024 17:40:28 +0100 +Subject: [PATCH] CI: disable secure boot in mkosi GHA runs + +Booting a guest with secure boot is broken in Azure due to a hypervisor +bug. Disable it for now. Given there's no option, need to edit +the configuration on the fly. + +(cherry picked from commit bdd0b45bfd7190bb8eb50c71ff6f50a80d6e6e52) +--- + .github/workflows/mkosi.yml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +index 425d737b62..62efd367cb 100644 +--- a/.github/workflows/mkosi.yml ++++ b/.github/workflows/mkosi.yml +@@ -117,6 +117,8 @@ jobs: + + - name: Configure + run: | ++ # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved ++ sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build + tee mkosi.local.conf < +Date: Mon, 17 Jun 2024 15:40:10 +0100 +Subject: [PATCH] mkosi: bump to latest + +(cherry picked from commit 3001339dc5b3faf8f8edee4c07b14a4abdf3d66f) +--- + .github/workflows/mkosi.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +index 62efd367cb..3a8dabd95c 100644 +--- a/.github/workflows/mkosi.yml ++++ b/.github/workflows/mkosi.yml +@@ -92,7 +92,7 @@ jobs: + + steps: + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 +- - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf ++ - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e + + # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space + # immediately, we remove the files in the background. However, we first move them to a different location diff --git a/SOURCES/0032-NEWS-fix-typo.patch b/SOURCES/0032-NEWS-fix-typo.patch new file mode 100644 index 0000000..4c4fbcd --- /dev/null 
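Review bot: the sed in the Configure step rewrites every `'firmware' : 'auto'` in test/*/meson.build to `'uefi'`, a global untracked edit of the test definitions, and the "XXX: drop after the HyperV bug ... is solved" comment gives no issue link, so nothing will trigger its removal once the bug is fixed. Put the tracking issue in the comment and scope the sed to the tests that actually boot a VM.

Review bot: for the mkosi bump hunk, pinning the action to a full commit SHA is the right supply-chain practice for a third-party GitHub action; add a trailing `# <version or date>` comment on the `uses:` line so reviewers can tell what 6972f9efba5c8472d990be3783b7e7dbf76e109e corresponds to without resolving it.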
+++ b/SOURCES/0032-NEWS-fix-typo.patch @@ -0,0 +1,23 @@ +From a776dcf7af3b189f4f9616d174dbfc53a9bd6db6 Mon Sep 17 00:00:00 2001 +From: Carlo Teubner +Date: Tue, 18 Jun 2024 09:41:59 +0100 +Subject: [PATCH] NEWS: fix typo + +(cherry picked from commit f6d517f8478bdd83b7d149b242a47d7686235c7e) +--- + NEWS | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index bbee0852be..da81fe3c5d 100644 +--- a/NEWS ++++ b/NEWS +@@ -195,7 +195,7 @@ CHANGES WITH 256: + additional per-user service managers, whose users are transient and + are only defined as long as the service manager is running. (This is + implemented via DynamicUser=1), allowing a user manager to be used to +- manager a group of processes without needing to create an actual user ++ manage a group of processes without needing to create an actual user + account. These service managers run with home directories of + /var/lib/capsules/ and can contain regular services and + other units. A capsule is started via a simple "systemctl start diff --git a/SOURCES/0033-install-allow-removing-symlinks-even-for-units-that-.patch b/SOURCES/0033-install-allow-removing-symlinks-even-for-units-that-.patch new file mode 100644 index 0000000..b8e614f --- /dev/null +++ b/SOURCES/0033-install-allow-removing-symlinks-even-for-units-that-.patch 
@@ -0,0 +1,69 @@ +From c26e56d08f30a2946dfa1d03781c63bfa9f56c1d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 7 Jun 2024 21:39:45 +0100 +Subject: [PATCH] install: allow removing symlinks even for units that are gone + +If a symlink is leftover, still allow cleaning it up via 'disable'. This +happens when a unit is stopped and removed, but not disabled, and a reload +has already happened. At that point, cleaning up the old symlinks becomes +impossible through the APIs, and needs to be done manually. Always allow +cleaning up symlinks, if they exist, by only erroring out if there is an +OOM. + +Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017 + +(cherry picked from commit 5163c9b1e56293b1bb2803420613c5b374570892) +--- + src/shared/install.c | 14 ++++++++++---- + test/units/TEST-26-SYSTEMCTL.sh | 6 ++++++ + 2 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index dd2bd5c948..c94b456c21 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal( + else { + log_debug_errno(r, "Unit %s not found, removing name.", i->name); + r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL); +- if (r < 0) ++ /* In case there's no unit, we still want to remove any leftover symlink, even if ++ * the unit might have been removed already, hence treating ENOENT as non-fatal. 
*/ ++ if (r != -ENOENT) + return r; + } + } else if (r < 0) { +@@ -2874,9 +2876,13 @@ static int do_unit_file_disable( + r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info); + if (r >= 0) + r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL); +- +- if (r < 0) +- return install_changes_add(changes, n_changes, r, *name, NULL); ++ if (r < 0) { ++ r = install_changes_add(changes, n_changes, r, *name, NULL); ++ /* In case there's no unit, we still want to remove any leftover symlink, even if ++ * the unit might have been removed already, hence treating ENOENT as non-fatal. */ ++ if (r != -ENOENT) ++ return r; ++ } + + /* If we enable multiple units, some with install info and others without, + * the "empty [Install] section" warning is not shown. Let's make the behavior +diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh +index ae7a5d6eb6..1471f3fd9e 100755 +--- a/test/units/TEST-26-SYSTEMCTL.sh ++++ b/test/units/TEST-26-SYSTEMCTL.sh +@@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME" + systemctl help "$UNIT_NAME" + systemctl service-watchdogs + systemctl service-watchdogs "$(systemctl service-watchdogs)" ++# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers ++systemctl enable "$UNIT_NAME" ++systemctl stop "$UNIT_NAME" ++rm -f "/usr/lib/systemd/system/$UNIT_NAME" ++systemctl daemon-reload ++systemctl disable "$UNIT_NAME" + + # show/set-environment + # Make sure PATH is set diff --git a/SOURCES/0034-tmpfiles-honour-dry-run-when-removing-directories.patch b/SOURCES/0034-tmpfiles-honour-dry-run-when-removing-directories.patch new file mode 100644 index 0000000..13b0e02 --- /dev/null +++ b/SOURCES/0034-tmpfiles-honour-dry-run-when-removing-directories.patch 
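Review bot: the commit message says the code now only errors out on OOM, but both install.c hunks check `if (r != -ENOENT) return r;`, so any other failure from install_info_add()/install_info_traverse() (a symlink loop, an unreadable unit file, an alias conflict) still aborts the disable. Either reword the message to "treat ENOENT as non-fatal" or, if the intent really is to proceed on everything except OOM, test for -ENOMEM instead. The two identical "In case there's no unit, we still want to remove any leftover symlink" comments could also point at each other so a future change updates both.

Review bot: in the TEST-26-SYSTEMCTL.sh hunk the comment says "after the user is gone" but the test removes the unit file, not a user. The test also deletes /usr/lib/systemd/system/$UNIT_NAME; confirm that is where the earlier part of the test created the unit, otherwise `rm -f` silently does nothing, daemon-reload still sees the unit, and the leftover-symlink path this patch fixes is never exercised.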
@@ -0,0 +1,35 @@ +From 90ec0265707d381ed8cc77de475cd963686eaba3 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 18 Jun 2024 09:54:33 +0200 +Subject: [PATCH] tmpfiles: honour --dry-run when removing directories + +(cherry picked from commit edeceb80a91e8400e8c22f08a41045a2ba270fe6) +--- + src/tmpfiles/tmpfiles.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 807925f199..283be21d16 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -3024,10 +3024,16 @@ static int remove_recursive( + return r; + + if (remove_instance) { +- log_debug("Removing directory \"%s\".", instance); +- r = RET_NERRNO(rmdir(instance)); +- if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY)) +- return log_error_errno(r, "Failed to remove %s: %m", instance); ++ log_action("Would remove", "Removing", "%s directory \"%s\".", instance); ++ if (!arg_dry_run) { ++ r = RET_NERRNO(rmdir(instance)); ++ if (r < 0) { ++ bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY); ++ log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance); ++ if (fatal) ++ return r; ++ } ++ } + } + return 0; + } diff --git a/SOURCES/0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch b/SOURCES/0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch new file mode 100644 index 0000000..0fc7532 --- /dev/null +++ b/SOURCES/0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch 
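Review bot: emitting log_action() before the arg_dry_run check is correct, as the message is wanted in both modes. On the failure path, ENOENT and ENOTEMPTY were previously ignored silently and are now logged as "Failed to remove ... : %m" at LOG_DEBUG; for ENOTEMPTY that text is misleading in verbose logs, since a directory that still has entries is intentionally kept, so consider a dedicated message for that case rather than reusing the error wording.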
@@ -0,0 +1,68 @@ +From e76015738942246db70f444b3567afd1b132f824 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 18 Jun 2024 09:55:20 +0200 +Subject: [PATCH] tmpfiles: insist on at least one configuration file being + specified on --purge + +Also, extend the man page explanation substantially, matching more +closely what --create says. + +Fixes: #33349 +(cherry picked from commit 41064a3c97c9a53c97bbe8a1de799a82c4374a2d) +--- + man/systemd-tmpfiles.xml | 26 ++++++++++++++++++++------ + src/tmpfiles/tmpfiles.c | 4 ++++ + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml +index 9767aead85..2a494b9c5c 100644 +--- a/man/systemd-tmpfiles.xml ++++ b/man/systemd-tmpfiles.xml +@@ -151,12 +151,26 @@ + + + +- If this option is passed, all files and directories created by a +- tmpfiles.d/ entry will be deleted. Keep in mind that by default, +- /home is created by systemd-tmpfiles +- (see /usr/lib/tmpfiles.d/home.conf). Therefore it is recommended +- to first run systemd-tmpfiles --dry-run --purge to be certain which files +- and directories will be deleted. ++ ++ If this option is passed, all files and directories marked for ++ creation by the tmpfiles.d/ files specified on the command ++ line will be deleted. Specifically, this acts on all files and directories ++ marked with f, F, d, D, ++ v, q, Q, p, ++ L, c, b, C, ++ w, e. If this switch is used at least one ++ tmpfiles.d/ file (or - for standard input) must be ++ specified on the command line or the invocation will be refused, for safety reasons (as otherwise ++ much of the installed system files might be removed). ++ ++ The primary usecase for this option is to automatically remove files and directories that ++ originally have been created on behalf of an installed packaged at package removal time. ++ ++ It is recommended to first run this command in combination with ++ (see below) to verify which files and directories will be deleted. 
++ ++ Warning! This is is usually not the command you want! In most cases ++ is what you are looking for. + + + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 283be21d16..1704197207 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -4344,6 +4344,10 @@ static int parse_argv(int argc, char *argv[]) { + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "You need to specify at least one of --clean, --create, --remove, or --purge."); + ++ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), ++ "Refusing --purge without specification of a configuration file."); ++ + if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Option --replace= is not supported with --cat-config/--tldr."); diff --git a/SOURCES/0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch b/SOURCES/0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch new file mode 100644 index 0000000..954232f --- /dev/null +++ b/SOURCES/0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch 
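Review bot: two typos in the new man page text: "This is is usually not the command you want" and "on behalf of an installed packaged at package removal time" (should be "installed package"). The tmpfiles.c hunk correctly refuses --purge with no positional argument, and the man page says `-` (standard input) counts; make the "Refusing --purge without specification of a configuration file." message mention `-` too, so someone scripting a purge from stdin knows it is accepted. Keep the letter list (f, F, d, D, v, q, Q, p, L, c, b, C, w, e) in sync with what the purge code actually handles, since it is now documented behaviour.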
@@ -0,0 +1,37 @@ +From 08b8237303efdf072a0f61615b7f1633eafc8e0a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 18 Jun 2024 09:56:15 +0200 +Subject: [PATCH] tmpfiles: move --purge to command section in --help text + where it belongs + +Also, make contrast between --remove and --purge clearer: one deletes +files marked for deletion, the other deletes files marked for creation. + +(cherry picked from commit 69d76823ce6e9c307184946ed55b207eb728e625) +--- + src/tmpfiles/tmpfiles.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 1704197207..8cc8c1ccd6 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -4148,7 +4148,9 @@ static int help(void) { + "\n%3$sCommands:%4$s\n" + " --create Create files and directories\n" + " --clean Clean up files and directories\n" +- " --remove Remove files and directories\n" ++ " --remove Remove files and directories marked for removal\n" ++ " --purge Delete files and directories marked for creation in\n" ++ " specified configuration files (careful!)\n" + " -h --help Show this help\n" + " --version Show package version\n" + "\n%3$sOptions:%4$s\n" +@@ -4157,7 +4159,6 @@ static int help(void) { + " --tldr Show non-comment parts of configuration\n" + " --boot Execute actions only safe at boot\n" + " --graceful Quietly ignore unknown users or groups\n" +- " --purge Delete all files owned by the configuration files\n" + " --prefix=PATH Only apply rules with the specified prefix\n" + " --exclude-prefix=PATH Ignore rules with the specified prefix\n" + " -E Ignore rules prefixed with /dev, /proc, /run, /sys\n" diff --git a/SOURCES/0037-mkosi-restrict-noble-backports-to-noble-builds.patch b/SOURCES/0037-mkosi-restrict-noble-backports-to-noble-builds.patch new file mode 100644 index 0000000..b2dd982 --- /dev/null +++ b/SOURCES/0037-mkosi-restrict-noble-backports-to-noble-builds.patch 
@@ -0,0 +1,37 @@ +From 7b18adadde58798a895366105c6c1517231029d9 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 18 Jun 2024 13:35:32 +0100 +Subject: [PATCH] mkosi: restrict noble-backports to noble builds + +Follow-up for c01cb8cbff8512b65b7903b55f78c8d12661b8d7 + +(cherry picked from commit f97b243edfcae211aade6ceb2fd89ae9d9209fac) +--- + .../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 1 + + mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +index 0ec4807822..582f038b5f 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +@@ -4,6 +4,7 @@ + [Match] + Architecture=!x86-64 + Architecture=!x86 ++Release=noble + + [Distribution] + PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +index c08eeac337..7347be9069 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +@@ -4,6 +4,7 @@ + [Match] + Architecture=|x86-64 + Architecture=|x86 ++Release=noble + + [Distribution] + PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources diff --git a/SOURCES/0038-repart-fix-memory-leak.patch b/SOURCES/0038-repart-fix-memory-leak.patch new file mode 100644 index 0000000..1b81bdb --- /dev/null +++ b/SOURCES/0038-repart-fix-memory-leak.patch 
@@ -0,0 +1,22 @@ +From f8f669fd69bf15f386308ef8f4cbbbd5a7ad69cd Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Tue, 18 Jun 2024 14:07:50 +0200 +Subject: [PATCH] repart: fix memory leak + +(cherry picked from commit a81f5ffd40081441dafc678fe83d185436dde35a) +--- + src/partition/repart.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 78cf60f724..8f64520ee7 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep); + STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep); + STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep); + STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep); ++STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep); + STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); + STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep); + STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep); diff --git a/SOURCES/0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch b/SOURCES/0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch new file mode 100644 index 0000000..5e2315d --- /dev/null +++ b/SOURCES/0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch 
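Review bot: registering arg_defer_partitions with freep mirrors arg_filter_partitions on the line above, which is presumably the same type; confirm it is a single malloc'd array rather than a strv, because with a strv this would free only the outer pointer and the leak the commit claims to fix would merely shrink. A one-line commit message saying which allocation was leaking (and how it was found, e.g. valgrind or ASan) would help backporters.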
@@ -0,0 +1,42 @@ +From 34ba18b0124407403690738b46fbd6236fe65c92 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 18 Jun 2024 17:55:31 +0900 +Subject: [PATCH] logs-show: do not use _SOURCE_MONOTONIC_TIMESTAMP field + +The timestamp is not in CLOCK_MONOTONIC, but CLOCK_BOOTTIME, +while header monotonic timestamp is in CLOCK_MONOTONIC. Hence, we cannot +adjust timestamp by comparing with header monotonic timestamp and +_SOURCE_MONOTONIC_TIMESTAMP field. + +Fixes a regression caused by affde1d7e79a634ee6053dbd4a57b3b51b74c170. +Fixes #33293. + +(cherry picked from commit 144498e7e6efe2d90981cb14e3ed462a70a955c6) +--- + src/shared/logs-show.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c +index c71c868889..153a4110ce 100644 +--- a/src/shared/logs-show.c ++++ b/src/shared/logs-show.c +@@ -450,6 +450,9 @@ static void parse_display_realtime( + assert(j); + assert(ret); + ++ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime. ++ source_monotonic = NULL; ++ + /* First, try _SOURCE_REALTIME_TIMESTAMP. */ + if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) { + *ret = t; +@@ -488,6 +491,9 @@ static void parse_display_timestamp( + assert(ret_display_ts); + assert(ret_boot_id); + ++ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime. ++ source_monotonic = NULL; ++ + if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) + source_ts.realtime = t; + diff --git a/SOURCES/0040-ci-update-workflows-to-run-on-source-git-setup.patch b/SOURCES/0040-ci-update-workflows-to-run-on-source-git-setup.patch new file mode 100644 index 0000000..b5a7f60 --- /dev/null +++ b/SOURCES/0040-ci-update-workflows-to-run-on-source-git-setup.patch 
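Review bot: both hunks neutralise the parameter with `source_monotonic = NULL;` under a `// FIXME` comment, which leaves `source_monotonic` dead in parse_display_realtime() and parse_display_timestamp() and uses C++-style comments where the surrounding file uses `/* */`. Since the commit message states the field is in CLOCK_BOOTTIME and therefore not comparable with the CLOCK_MONOTONIC header timestamp, the cleaner fix is to drop the parameter from both signatures (or rename it to make the clock explicit) and record the CLOCK_BOOTTIME fact where _SOURCE_MONOTONIC_TIMESTAMP is documented, instead of carrying a FIXME that a later reader may "fix" by re-enabling the comparison.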
@@ -0,0 +1,98 @@ +From 67ff61b054e8d4d4d3923c3b81586b2d4e286d6b Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 16 May 2024 14:24:38 +0200 +Subject: [PATCH] ci: update workflows to run on source-git setup + +rhel-only: ci + +Related: RHEL-36636 +--- + .github/workflows/cflite_pr.yml | 3 --- + .github/workflows/codeql.yml | 6 ------ + .github/workflows/differential-shellcheck.yml | 4 ---- + .github/workflows/linter.yml | 3 --- + .github/workflows/unit_tests.yml | 3 --- + 5 files changed, 19 deletions(-) + +diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml +index f0d321794a..87dcd3c478 100644 +--- a/.github/workflows/cflite_pr.yml ++++ b/.github/workflows/cflite_pr.yml +@@ -5,9 +5,6 @@ + name: ClusterFuzzLite PR fuzzing + on: + pull_request: +- branches: +- - main +- - v[0-9]+-stable + + permissions: read-all + +diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml +index 0d284f75f1..daf34486d2 100644 +--- a/.github/workflows/codeql.yml ++++ b/.github/workflows/codeql.yml +@@ -6,9 +6,6 @@ name: "CodeQL" + + on: + pull_request: +- branches: +- - main +- - v[0-9]+-stable + paths: + - '**/meson.build' + - '.github/**/codeql*' +@@ -16,9 +13,6 @@ on: + - 'test/**' + - 'tools/**' + push: +- branches: +- - main +- - v[0-9]+-stable + + permissions: + contents: read +diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml +index 244f5d503b..403b5cfc58 100644 +--- a/.github/workflows/differential-shellcheck.yml ++++ b/.github/workflows/differential-shellcheck.yml +@@ -4,11 +4,7 @@ + name: Differential ShellCheck + on: + push: +- branches: +- - main + pull_request: +- branches: +- - main + + permissions: + contents: read +diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml +index cf0bc09453..e7fb70f2f5 100644 +--- a/.github/workflows/linter.yml ++++ b/.github/workflows/linter.yml +@@ -6,9 +6,6 @@ name: Lint Code Base + + on: + pull_request: +- branches: 
+- - main +- - v[0-9]+-stable + + permissions: + contents: read +diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml +index 895068c2a2..bf6c820092 100644 +--- a/.github/workflows/unit_tests.yml ++++ b/.github/workflows/unit_tests.yml +@@ -5,9 +5,6 @@ + name: Unit tests + on: + pull_request: +- branches: +- - main +- - v[0-9]+-stable + + permissions: + contents: read diff --git a/SOURCES/0041-ci-setup-source-git-automation.patch b/SOURCES/0041-ci-setup-source-git-automation.patch new file mode 100644 index 0000000..5f9deb7 --- /dev/null +++ b/SOURCES/0041-ci-setup-source-git-automation.patch 
@@ -0,0 +1,282 @@ +From 67b16d23396d9837f878850e890f90228d59d49e Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 16 May 2024 14:36:04 +0200 +Subject: [PATCH] ci: setup source-git automation + +rhel-only: ci + +Related: RHEL-36636 +--- + .github/advanced-commit-linter.yml | 17 +++++ + .github/auto-merge.yml | 4 ++ + .github/pull-request-validator.yml | 4 ++ + .github/regression-sniffer.yml | 1 + + .github/tracker-validator.yml | 31 ++++++++ + .github/workflows/gather-pr-metadata.yml | 12 ++-- + .../source-git-automation-on-demand.yml | 72 +++++++++++++++++++ + .github/workflows/source-git-automation.yml | 45 ++++++++++++ + 8 files changed, 179 insertions(+), 7 deletions(-) + create mode 100644 .github/advanced-commit-linter.yml + create mode 100644 .github/auto-merge.yml + create mode 100644 .github/pull-request-validator.yml + create mode 100644 .github/regression-sniffer.yml + create mode 100644 .github/tracker-validator.yml + create mode 100644 .github/workflows/source-git-automation-on-demand.yml + create mode 100644 .github/workflows/source-git-automation.yml + +diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml +new file mode 100644 +index 0000000000..3609fe4612 +--- /dev/null ++++ b/.github/advanced-commit-linter.yml +@@ -0,0 +1,17 @@ ++policy: ++ cherry-pick: ++ upstream: ++ - github: systemd/systemd ++ exception: ++ note: ++ - rhel-only ++ - RHEL-only ++ tracker: ++ - keyword: ++ - 'Resolves: ' ++ - 'Related: ' ++ - 'Reverts: ' ++ type: jira ++ issue-format: ++ - 'RHEL-\d+$' ++ url: 'https://issues.redhat.com/browse/' +diff --git a/.github/auto-merge.yml b/.github/auto-merge.yml +new file mode 100644 +index 0000000000..35c2539295 +--- /dev/null ++++ b/.github/auto-merge.yml +@@ -0,0 +1,4 @@ ++labels: ++ dont-merge: dont-merge ++ manual-merge: pr/needs-manual-merge ++target-branch': ['main'] +diff --git a/.github/pull-request-validator.yml b/.github/pull-request-validator.yml +new file mode 100644 +index 
0000000000..4bb5bbec12 +--- /dev/null ++++ b/.github/pull-request-validator.yml +@@ -0,0 +1,4 @@ ++labels: ++ missing-review: pr/needs-review ++ changes-requested: pr/changes-requested ++ missing-failing-ci: pr/needs-ci +diff --git a/.github/regression-sniffer.yml b/.github/regression-sniffer.yml +new file mode 100644 +index 0000000000..3824028e92 +--- /dev/null ++++ b/.github/regression-sniffer.yml +@@ -0,0 +1 @@ ++upstream: systemd/systemd +diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml +new file mode 100644 +index 0000000000..2e858606ff +--- /dev/null ++++ b/.github/tracker-validator.yml +@@ -0,0 +1,31 @@ ++labels: ++ missing-tracker: tracker/missing ++ invalid-product: tracker/invalid-product ++ invalid-component: tracker/invalid-component ++ unapproved: tracker/unapproved ++products: ++ - Red Hat Enterprise Linux 10 ++ - CentOS Stream 10 ++ - rhel-10.0.beta ++ - rhel-10.0 ++ - rhel-10.0.z ++ - rhel-10.1 ++ - rhel-10.1.z ++ - rhel-10.2 ++ - rhel-10.2.z ++ - rhel-10.3 ++ - rhel-10.3.z ++ - rhel-10.4 ++ - rhel-10.4.z ++ - rhel-10.5 ++ - rhel-10.5.z ++ - rhel-10.6 ++ - rhel-10.6.z ++ - rhel-10.7 ++ - rhel-10.7.z ++ - rhel-10.8 ++ - rhel-10.8.z ++ - rhel-10.9 ++ - rhel-10.9.z ++ - rhel-10.10 ++ - rhel-10.10.z +diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml +index e4a0caff03..857689a37b 100644 +--- a/.github/workflows/gather-pr-metadata.yml ++++ b/.github/workflows/gather-pr-metadata.yml +@@ -1,18 +1,17 @@ + --- +- + name: Gather Pull Request Metadata + + on: + pull_request: +- branches: [ main ] ++ types: [ opened, reopened, synchronize ] ++ branches: [ main, rhel-10.0.beta, rhel-10.* ] + + permissions: + contents: read + + jobs: + gather-metadata: +- if: github.repository == 'systemd/systemd' +- runs-on: ubuntu-24.04 ++ runs-on: ubuntu-latest + + steps: + - name: Repository checkout +@@ -20,11 +19,10 @@ jobs: + + - id: metadata + name: Gather Pull Request Metadata +- uses: 
redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b ++ uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1 + + - name: Upload Pull Request Metadata artifact +- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 ++ uses: actions/upload-artifact@v4 + with: + name: Pull Request Metadata + path: ${{ steps.metadata.outputs.metadata-file }} +- retention-days: 1 +diff --git a/.github/workflows/source-git-automation-on-demand.yml b/.github/workflows/source-git-automation-on-demand.yml +new file mode 100644 +index 0000000000..af9ea781f6 +--- /dev/null ++++ b/.github/workflows/source-git-automation-on-demand.yml +@@ -0,0 +1,72 @@ ++name: Source git Automation Scheduled/On Demand ++on: ++ schedule: ++ # Workflow runs every 45 minutes ++ - cron: '*/45 * * * *' ++ workflow_dispatch: ++ inputs: ++ pr-number: ++ description: 'Pull Request number/s ; when not provided, the workflow will run for all open PRs' ++ required: true ++ default: '0' ++ ++permissions: ++ contents: read ++ ++jobs: ++ # Get all open PRs ++ gather-pull-requests: ++ if: github.repository == 'redhat-plumbers/systemd-rhel10' ++ runs-on: ubuntu-latest ++ ++ outputs: ++ pr-numbers: ${{ steps.get-pr-numbers.outputs.result }} ++ pr-numbers-manual: ${{ steps.parse-manual-input.outputs.result }} ++ ++ steps: ++ - id: get-pr-numbers ++ if: inputs.pr-number == '0' ++ name: Get all open PRs ++ uses: actions/github-script@v6 ++ with: ++ # !FIXME: this is not working if there is more than 100 PRs opened ++ script: | ++ const { data: pullRequests } = await github.rest.pulls.list({ ++ owner: context.repo.owner, ++ repo: context.repo.repo, ++ state: 'open', ++ per_page: 100 ++ }); ++ return pullRequests.map(pr => pr.number); ++ ++ - id: parse-manual-input ++ if: inputs.pr-number != '0' ++ name: Parse manual input ++ run: | ++ # shellcheck disable=SC2086 ++ echo "result="[ ${{ inputs.pr-number }} ]"" >> $GITHUB_OUTPUT ++ shell: bash ++ ++ validate-pr: 
++ name: 'Validation of Pull Request #${{ matrix.pr-number }}' ++ needs: [ gather-pull-requests ] ++ runs-on: ubuntu-latest ++ ++ strategy: ++ fail-fast: false ++ matrix: ++ pr-number: ${{ inputs.pr-number == 0 && fromJSON(needs.gather-pull-requests.outputs.pr-numbers) || fromJSON(needs.gather-pull-requests.outputs.pr-numbers-manual) }} ++ ++ permissions: ++ # required for merging PRs ++ contents: write ++ # required for PR comments and setting labels ++ pull-requests: write ++ ++ steps: ++ - name: Source-git Automation ++ uses: redhat-plumbers-in-action/source-git-automation@v1 ++ with: ++ pr-number: ${{ matrix.pr-number }} ++ jira-api-token: ${{ secrets.JIRA_API_TOKEN }} ++ token: ${{ secrets.GITHUB_TOKEN }} +diff --git a/.github/workflows/source-git-automation.yml b/.github/workflows/source-git-automation.yml +new file mode 100644 +index 0000000000..d58242efa7 +--- /dev/null ++++ b/.github/workflows/source-git-automation.yml +@@ -0,0 +1,45 @@ ++name: Source git Automation ++on: ++ workflow_run: ++ workflows: [ Gather Pull Request Metadata ] ++ types: ++ - completed ++ ++permissions: ++ contents: read ++ ++jobs: ++ download-metadata: ++ if: > ++ github.event.workflow_run.event == 'pull_request' && ++ github.event.workflow_run.conclusion == 'success' && ++ github.repository == 'redhat-plumbers/systemd-rhel10' ++ runs-on: ubuntu-latest ++ ++ outputs: ++ pr-metadata: ${{ steps.Artifact.outputs.pr-metadata-json }} ++ ++ steps: ++ - id: Artifact ++ name: Download Artifact ++ uses: redhat-plumbers-in-action/download-artifact@v1 ++ with: ++ name: Pull Request Metadata ++ ++ source-git-automation: ++ needs: [ download-metadata ] ++ runs-on: ubuntu-latest ++ ++ permissions: ++ # required for merging PRs ++ contents: write ++ # required for PR comments and setting labels ++ pull-requests: write ++ ++ steps: ++ - name: Source-git Automation ++ uses: redhat-plumbers-in-action/source-git-automation@v1 ++ with: ++ pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }} 
++ jira-api-token: ${{ secrets.JIRA_API_TOKEN }} ++ token: ${{ secrets.GITHUB_TOKEN }} diff --git a/SOURCES/0042-ci-deploy-systemd-man-to-GitHub-Pages.patch b/SOURCES/0042-ci-deploy-systemd-man-to-GitHub-Pages.patch new file mode 100644 index 0000000..a42248f --- /dev/null +++ b/SOURCES/0042-ci-deploy-systemd-man-to-GitHub-Pages.patch 
@@ -0,0 +1,78 @@ +From ecae988291383e13e5b23b5d7a4a1f8a7d6736dc Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 16 May 2024 15:14:17 +0200 +Subject: [PATCH] ci: deploy systemd man to GitHub Pages + +rhel-only: ci + +Related: RHEL-36636 +--- + .github/workflows/deploy-man-pages.yml | 59 ++++++++++++++++++++++++++ + 1 file changed, 59 insertions(+) + create mode 100644 .github/workflows/deploy-man-pages.yml + +diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml +new file mode 100644 +index 0000000000..9739228a87 +--- /dev/null ++++ b/.github/workflows/deploy-man-pages.yml +@@ -0,0 +1,59 @@ ++name: Deploy systemd man to Pages ++ ++on: ++ push: ++ branches: [ main ] ++ paths: ++ - man/* ++ - .github/workflows/deploy-man-pages.yml ++ schedule: ++ # Run every Monday at 4:00 AM UTC ++ - cron: 0 4 * * 1 ++ workflow_dispatch: ++ ++permissions: ++ contents: read ++ ++# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. ++# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. ++concurrency: ++ group: pages ++ cancel-in-progress: false ++ ++jobs: ++ # Single deploy job since we're just deploying ++ deploy: ++ environment: ++ name: github-pages ++ url: ${{ steps.deployment.outputs.page_url }} ++ runs-on: ubuntu-latest ++ ++ permissions: ++ pages: write ++ id-token: write ++ ++ steps: ++ - uses: actions/checkout@v4 ++ ++ - name: Install dependencies ++ run: | ++ sudo add-apt-repository -y --no-update --enable-source ++ sudo apt-get -y update ++ sudo apt-get -y build-dep systemd ++ ++ - name: Build HTML man pages ++ run: | ++ meson setup build ++ ninja -C build man/html ++ ++ - name: Setup Pages ++ uses: actions/configure-pages@v4 ++ ++ - name: Upload artifact ++ uses: actions/upload-pages-artifact@v3 ++ with: ++ path: ./build/man ++ ++ - name: Deploy to GitHub Pages ++ id: deployment ++ uses: actions/deploy-pages@v4 
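Review bot: the five `branches:` deletions in 0040-ci-update-workflows-to-run-on-source-git-setup.patch leave `pull_request:` unfiltered in all five workflows and `push:` unfiltered in codeql.yml and differential-shellcheck.yml, so CodeQL and ShellCheck now run on a push to every branch, not only the source-git branches; the commit message ("update workflows to run on source-git setup") does not say this is intended. If only `main` and the `rhel-10.*` branches matter, keep a filter consistent with the one 0041 adds to gather-pr-metadata.yml (`branches: [ main, rhel-10.0.beta, rhel-10.* ]`); otherwise state the intent in the message.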
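Review bot: the last line of the new .github/auto-merge.yml carries a stray quote in its key, `+target-branch': ['main']`. YAML accepts it as a mapping key literally named `target-branch'`, which the auto-merge action will not recognise as its `target-branch` setting, so the intended restriction to `main` silently does not apply. Change it to `target-branch: ['main']`, and since the other workflows in this patch also target `rhel-10.*` branches, check whether those belong in the list as well.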
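Review bot: in the gather-pr-metadata.yml hunk two third-party actions move from commit-SHA pins to floating tags: `uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1` and `uses: actions/upload-artifact@v4` replace the `@17821d3b...` and `@5d5d22a3...` pins. A mutable tag lets whoever controls the action repository change the code that runs here, and the artifact this job produces is consumed downstream by a job holding `contents: write`; keep full-length SHA pins with the version in a trailing comment. The same hunk also drops `retention-days: 1`, so the artifact now lives for the repository default, and removes the `if: github.repository == ...` guard while the two new workflows in this patch keep one for `redhat-plumbers/systemd-rhel10`; both changes deserve a line in the commit message.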
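Review bot: in the `parse-manual-input` step of source-git-automation-on-demand.yml the `workflow_dispatch` input is expanded straight into the shell script: `echo "result="[ ${{ inputs.pr-number }} ]"" >> $GITHUB_OUTPUT`. The expression is substituted before bash parses the line, so any characters in `pr-number` become shell syntax, and the `shellcheck disable=SC2086` comment silences the warning rather than addressing it. Pass the value through `env:` (`PR_NUMBER: ${{ inputs.pr-number }}`), reference `"$PR_NUMBER"` in the script, and check that it contains only digits, commas and spaces before writing it to `$GITHUB_OUTPUT`. In the same job, the `get-pr-numbers` step carries a `!FIXME` about the `per_page: 100` limit; `github.paginate(github.rest.pulls.list, {...})` in actions/github-script removes that limit. The matrix expression compares `inputs.pr-number == 0` while both step conditions compare against the string `'0'`; use one form.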
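Review bot: source-git-automation.yml runs on `workflow_run` of "Gather Pull Request Metadata", and its `source-git-automation` job holds `contents: write`, `pull-requests: write` and `secrets.JIRA_API_TOKEN`, while its only input is the `Pull Request Metadata` artifact produced by a run that the pull request itself triggered. That artifact is untrusted input. The `download-metadata` guards (`github.event.workflow_run.event == 'pull_request'`, `conclusion == 'success'`, the `github.repository` check) are the right start, but add a comment stating that `pr-metadata` must be validated against the API by the action rather than trusted as-is, and pin `redhat-plumbers-in-action/download-artifact@v1` and `source-git-automation@v1` to commit SHAs, since these two run with write tokens.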
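Review bot: the `deploy` job in deploy-man-pages.yml grants `id-token: write` and `pages: write` and then runs every action by floating tag (`actions/checkout@v4` through `actions/deploy-pages@v4`); with an OIDC token in scope these should be pinned to commit SHAs. The install step runs `sudo apt-get -y build-dep systemd`, which pulls the build-dependency set of whatever systemd the Ubuntu image packages, not the requirements of this tree's meson.build, so a dependency bump here can break the weekly `cron: 0 4 * * 1` run with no code change; consider installing the documented dependencies explicitly. Finally, `path: ./build/man` uploads everything meson wrote under build/man, not only the output of the `man/html` target.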
diff --git a/SOURCES/0043-ci-reconfigure-Packit-for-RHEL-10.patch b/SOURCES/0043-ci-reconfigure-Packit-for-RHEL-10.patch new file mode 100644 index 0000000..d58235c --- /dev/null +++ b/SOURCES/0043-ci-reconfigure-Packit-for-RHEL-10.patch 
@@ -0,0 +1,61 @@ +From 970ac707323ce1b50c6f45184df4373d651e669c Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Fri, 17 May 2024 13:55:40 +0200 +Subject: [PATCH] ci: reconfigure Packit for RHEL 10 + +rhel-only: ci + +Related: RHEL-36636 +--- + .packit.yml | 28 +++++++++------------------- + 1 file changed, 9 insertions(+), 19 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index 2dcc9e86ca..340c6992ec 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -24,14 +24,12 @@ actions: + - "bash -ec 'git describe --tags --abbrev=0 | cut -b 2-'" + + post-upstream-clone: +- # Use the Fedora Rawhide specfile +- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" ++ # Use the CentOS Stream 10 specfile ++ - "git clone -b c10s https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1" + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" +- # Drop backported patches from the specfile, but keep the downstream-only ones +- # - Patch(0000-0499): backported patches from upstream +- # - Patch0500-9999: downstream-only patches +- - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec" ++ # Drop all patches, since they're already included in the tarball ++ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec" + # Build the RPM with --werror. Even though --werror doesn't work in all + # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the + # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]). 
+@@ -45,20 +43,12 @@ actions: + # until the change propagates to Rawhide's specfile + - "sed -ri '0,/^BuildRequires: .+$/s//&\\nBuildRequires: libarchive-devel\\nRequires: libarchive/' .packit_rpm/systemd.spec" + ++# Available targets can be listed via `copr-cli list-chroots` + jobs: + - job: copr_build + trigger: pull_request + targets: +- - fedora-rawhide-aarch64 +- - fedora-rawhide-i386 +- - fedora-rawhide-ppc64le +- - fedora-rawhide-s390x +- - fedora-rawhide-x86_64 +- +-- job: tests +- trigger: pull_request +- fmf_url: https://src.fedoraproject.org/tests/systemd +- fmf_ref: main +- tmt_plan: ci +- targets: +- - fedora-rawhide-x86_64 ++ - centos-stream-10-aarch64 ++ - centos-stream-10-ppc64le ++ - centos-stream-10-s390x ++ - centos-stream-10-x86_64 diff --git a/SOURCES/0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch b/SOURCES/0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch new file mode 100644 index 0000000..bac631f --- /dev/null +++ b/SOURCES/0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch 
@@ -0,0 +1,37 @@ +From 517bf132e5508a2ac140dbea3650e89205dee052 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Fri, 21 Jun 2024 16:15:24 +0200 +Subject: [PATCH] ci: allow to pass parameters together with rhel-only note + +Supported parameters: + +* feature - for feature related commits (cross-version) +* bugfix - for bugfix related commits (cross-version) +* doc - for documentation related commits (usually version specific) +* workaround - for workaround related commits (usually version specific) +* ci - for CI related commits (version specific) +* test - for test related commits (version specific) +* other - for commits that do not fit into any of the above categories or use just `rhel-only` + +rhel-only: ci + +Related: RHEL-36636 +--- + .github/advanced-commit-linter.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml +index 3609fe4612..3e3e3fe2bf 100644 +--- a/.github/advanced-commit-linter.yml ++++ b/.github/advanced-commit-linter.yml +@@ -4,8 +4,8 @@ policy: + - github: systemd/systemd + exception: + note: +- - rhel-only +- - RHEL-only ++ - 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)' ++ - 'RHEL-only: (feature|bugfix|doc|workaround|ci|test|other)' + tracker: + - keyword: + - 'Resolves: ' diff --git a/SOURCES/0045-journal-again-create-user-journals-for-users-with-hi.patch b/SOURCES/0045-journal-again-create-user-journals-for-users-with-hi.patch new file mode 100644 index 0000000..4358717 --- /dev/null +++ b/SOURCES/0045-journal-again-create-user-journals-for-users-with-hi.patch 
@@ -0,0 +1,59 @@ +From 8ca92aa84573b47bb6ee6a5853ecd08463b97af8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 9 Jan 2024 11:28:04 +0100 +Subject: [PATCH] journal: again create user journals for users with high uids + +This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d +'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped +in an additional check of uid_is_container(uid). The problem is that that change +is not backwards-compatible at all and very hard for users to handle. +There is no common agreement on mappings of high-range uids. Systemd declares +ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/, +but this is only a recent change and various sites allocated those ranges +in a different way, in particular FreeIPA uses (used?) uids from this range +for human users. On big sites with lots of users changing uids is obviously a +hard problem. We generally assume that uids cannot be "freed" and/or changed +and/or reused safely, so we shouldn't demand the same from others. + +This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN / +SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing +huge problems for existing systems with were created with a different +definition and couldn't be easily updated. For that case, we added a +configuration time switch and we now parse /etc/login.defs to actually use the +value that is appropriate for the local system. + +Unfortunately, login.defs doesn't have a concept of container allocation ranges +(and we don't have code to parse and use those nonexistent names either), so we +can't tell users to adjust logind.defs to work around the changed definition. + +login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing, +because they are used to define where the add allocations for subuids, which is +generally a much smaller range. 
Maybe we should talk with other folks about +the appropriate allocation ranges and define some new settings in login.defs. +But this would require discussion and coordination with other projects first. + +Actualy, it seems that this change was needed at all. The code in the container +does not log to the outside journal. It talks to its own journald, which does +journal splitting using its internal logic based on shifted uids. So let's +revert the change to fix user systems. + +Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843. + +rhel-only: bugfix + +Related: RHEL-40924 +--- + src/basic/uid-classification.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c +index e2d2cebc6d..2c8b06c0d3 100644 +--- a/src/basic/uid-classification.c ++++ b/src/basic/uid-classification.c +@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) { + + /* Returns true if the specified UID shall get its data stored in the system journal. */ + +- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid); ++ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY; + } diff --git a/SOURCES/0046-tmpfiles-make-purge-hard-to-mis-use.patch b/SOURCES/0046-tmpfiles-make-purge-hard-to-mis-use.patch new file mode 100644 index 0000000..b699822 --- /dev/null +++ b/SOURCES/0046-tmpfiles-make-purge-hard-to-mis-use.patch 
@@ -0,0 +1,67 @@ +From 6ad266a125eabbf27dfbe64aae9a0d9060c2bd08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 18 Jun 2024 20:32:10 +0200 +Subject: [PATCH] tmpfiles: make --purge hard to (mis-)use + +Follow-up for https://github.com/systemd/systemd/pull/33383. + +rhel-only: bugfix + +Related: RHEL-40924 +--- + src/tmpfiles/tmpfiles.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 8cc8c1ccd6..14048545db 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -4197,6 +4197,7 @@ static int parse_argv(int argc, char *argv[]) { + ARG_IMAGE_POLICY, + ARG_REPLACE, + ARG_DRY_RUN, ++ ARG_DESTROY_DATA, + ARG_NO_PAGER, + }; + +@@ -4220,10 +4221,18 @@ static int parse_argv(int argc, char *argv[]) { + { "replace", required_argument, NULL, ARG_REPLACE }, + { "dry-run", no_argument, NULL, ARG_DRY_RUN }, + { "no-pager", no_argument, NULL, ARG_NO_PAGER }, ++ ++ /* This is not documented on purpose. ++ * If you think --purge should be allowed without jumping through hoops, ++ * consider opening a bug report with the description of the use case. 
++ */ ++ { "destroy-data", no_argument, NULL, ARG_DESTROY_DATA }, ++ + {} + }; + + int c, r; ++ bool destroy_data = false; + + assert(argc >= 0); + assert(argv); +@@ -4330,6 +4339,10 @@ static int parse_argv(int argc, char *argv[]) { + arg_dry_run = true; + break; + ++ case ARG_DESTROY_DATA: ++ destroy_data = true; ++ break; ++ + case ARG_NO_PAGER: + arg_pager_flags |= PAGER_DISABLE; + break; +@@ -4349,6 +4362,10 @@ static int parse_argv(int argc, char *argv[]) { + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Refusing --purge without specification of a configuration file."); + ++ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), ++ "Refusing --purge without --destroy-data."); ++ + if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Option --replace= is not supported with --cat-config/--tldr."); diff --git a/SOURCES/0047-fedora-use-system-auth-in-pam-systemd-user.patch b/SOURCES/0047-fedora-use-system-auth-in-pam-systemd-user.patch new file mode 100644 index 0000000..c7a7849 --- /dev/null +++ b/SOURCES/0047-fedora-use-system-auth-in-pam-systemd-user.patch 
@@ -0,0 +1,33 @@ +From 79519b922b59c2282223742327cc8d75c7b219d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 14 Dec 2022 22:24:53 +0100 +Subject: [PATCH] fedora: use system-auth in pam systemd-user + +Adjust upstream config to use our shared stack + +rhel-only: feature + +Related: RHEL-40924 +--- + src/login/systemd-user.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in +index 8a3c9e0165..74ef5f2552 100644 +--- a/src/login/systemd-user.in ++++ b/src/login/systemd-user.in +@@ -7,7 +7,7 @@ + -account sufficient pam_systemd_home.so + {% endif %} + account sufficient pam_unix.so no_pass_expiry +-account required pam_permit.so ++account include system-auth + + {% if HAVE_SELINUX %} + session required pam_selinux.so close +@@ -20,4 +20,4 @@ session required pam_namespace.so + -session optional pam_systemd_home.so + {% endif %} + session optional pam_umask.so silent +-session optional pam_systemd.so ++session include system-auth diff --git a/SOURCES/0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch b/SOURCES/0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch new file mode 100644 index 0000000..2e5bf6a --- /dev/null +++ b/SOURCES/0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch 
@@ -0,0 +1,317 @@ +From b91be007c4172b50e5ca570c3c3cd64fecbf377b Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 25 Jun 2024 14:00:45 +0200 +Subject: [PATCH] net-naming-scheme: start rhel10 naming and include rhel8 and + rhel9 ones + +Also add RHEL8,9,10 versions to version-info.xml file + +rhel-only: feature + +Resolves: RHEL-22621 +--- + man/systemd.net-naming-scheme.xml | 186 ++++++++++++++++++++++++++++++ + man/version-info.xml | 33 ++++++ + src/shared/netif-naming-scheme.c | 17 +++ + src/shared/netif-naming-scheme.h | 20 ++++ + 4 files changed, 256 insertions(+) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index ff811c2bd7..690e3d2c27 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -525,7 +525,193 @@ + + + ++ ++ rhel-10.0 ++ ++ Same as naming scheme v255. ++ ++ ++ ++ ++ ++ By default rhel-10.0 is used. ++ ++ ++ RHEL-9 schemes ++ It is also possible to pick a scheme from RHEL-9 ++ ++ ++ rhel-9.0 ++ ++ Since version v247 we no longer set ++ ID_NET_NAME_SLOT if we detect that a PCI device associated with a slot is a PCI ++ bridge as that would create naming conflict when there are more child devices on that bridge. Now, ++ this is relaxed and we will use slot information to generate the name based on it but only if ++ the PCI device has multiple functions. This is safe because distinct function number is a part of ++ the device name for multifunction devices. ++ ++ ++ ++ ++ ++ ++ rhel-9.1 ++ ++ Same as naming scheme rhel-9.0. ++ ++ ++ ++ ++ ++ ++ rhel-9.2 ++ ++ Same as naming scheme rhel-9.0. ++ ++ ++ ++ ++ ++ ++ rhel-9.3 ++ ++ Naming was changed for SR-IOV virtual device representors. ++ ++ The rslot suffix was added to differentiate SR-IOV ++ virtual device representors attached to a single physical device interface. ++ ++ ++ ++ ++ ++ ++ rhel-9.4 ++ ++ Same as naming scheme rhel-9.3. 
++ ++ ++ ++ ++ ++ ++ ++ ++ RHEL-8 schemes ++ It is also possible to pick a scheme from RHEL-8 ++ ++ ++ rhel-8.0 ++ ++ Same as naming scheme v239. ++ ++ ++ ++ ++ ++ ++ rhel-8.1 ++ ++ Same as naming scheme rhel-8.0. ++ ++ ++ ++ ++ ++ ++ rhel-8.2 ++ ++ Same as naming scheme rhel-8.0. ++ ++ ++ ++ ++ ++ ++ rhel-8.3 ++ ++ Same as naming scheme rhel-8.0. ++ ++ ++ ++ ++ ++ ++ rhel-8.4 ++ ++ If the PCI slot is assocated with PCI bridge and that has multiple child network ++ controllers then all of them might derive the same value of ID_NET_NAME_SLOT ++ property. That could cause naming conflict if the property is selected as a device name. Now, we detect the ++ situation, slot - bridge relation, and we don't produce the ID_NET_NAME_SLOT property to ++ avoid possible naming conflict. ++ ++ ++ ++ ++ ++ ++ rhel-8.5 ++ ++ Same as naming scheme rhel-8.4. ++ ++ ++ ++ ++ ++ ++ rhel-8.6 ++ ++ Same as naming scheme rhel-8.4. ++ ++ ++ ++ ++ ++ ++ rhel-8.7 ++ ++ PCI hotplug slot names for the s390 PCI driver are a hexadecimal representation ++ of the function_id device attribute. This attribute is now used to build the ++ ID_NET_NAME_SLOT. Before that, all slot names were parsed as decimal ++ numbers, which could either result in an incorrect value of the ID_NET_NAME_SLOT ++ property or none at all. ++ ++ Some firmware and hypervisor implementations report unreasonable high numbers for the onboard ++ index. To prevent the generation of bogus onbard interface names, index numbers greater than 16381 ++ (2^14-1) were ignored. For s390 PCI devices index values up to 65535 (2^16-1) are valid. To account ++ for that, the limit is increased to now 65535. ++ ++ ++ ++ ++ ++ ++ rhel-8.8 ++ ++ Same as naming scheme rhel-8.7. ++ ++ ++ ++ ++ ++ ++ rhel-8.9 ++ ++ Same as naming scheme rhel-8.7. ++ ++ ++ ++ ++ ++ ++ rhel-8.10 ++ ++ Same as naming scheme rhel-8.7. ++ ++ ++ ++ + ++ + + Note that latest may be used to denote the latest scheme known (to this + particular version of systemd). 
+diff --git a/man/version-info.xml b/man/version-info.xml +index bd210b20d3..274450d408 100644 +--- a/man/version-info.xml ++++ b/man/version-info.xml +@@ -81,4 +81,37 @@ + Added in version 255. + Added in version 256. + Added in version 257. ++ Added in rhel-8.0. ++ Added in rhel-8.1. ++ Added in rhel-8.2. ++ Added in rhel-8.3. ++ Added in rhel-8.4. ++ Added in rhel-8.5. ++ Added in rhel-8.6. ++ Added in rhel-8.7. ++ Added in rhel-8.8. ++ Added in rhel-8.9. ++ Added in rhel-8.10. ++ Added in rhel-9.0. ++ Added in rhel-9.1. ++ Added in rhel-9.2. ++ Added in rhel-9.3. ++ Added in rhel-9.4. ++ Added in rhel-9.5. ++ Added in rhel-9.6. ++ Added in rhel-9.7. ++ Added in rhel-9.8. ++ Added in rhel-9.9. ++ Added in rhel-9.10. ++ Added in rhel-10.0. ++ Added in rhel-10.1. ++ Added in rhel-10.2. ++ Added in rhel-10.3. ++ Added in rhel-10.4. ++ Added in rhel-10.5. ++ Added in rhel-10.6. ++ Added in rhel-10.7. ++ Added in rhel-10.8. ++ Added in rhel-10.9. ++ Added in rhel-10.10. + +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index 2955b6e8d5..e4d4c0ba88 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -24,6 +24,23 @@ static const NamingScheme naming_schemes[] = { + { "v253", NAMING_V253 }, + { "v254", NAMING_V254 }, + { "v255", NAMING_V255 }, ++ { "rhel-8.0", NAMING_RHEL_8_0 }, ++ { "rhel-8.1", NAMING_RHEL_8_1 }, ++ { "rhel-8.2", NAMING_RHEL_8_2 }, ++ { "rhel-8.3", NAMING_RHEL_8_3 }, ++ { "rhel-8.4", NAMING_RHEL_8_4 }, ++ { "rhel-8.5", NAMING_RHEL_8_5 }, ++ { "rhel-8.6", NAMING_RHEL_8_6 }, ++ { "rhel-8.7", NAMING_RHEL_8_7 }, ++ { "rhel-8.8", NAMING_RHEL_8_8 }, ++ { "rhel-8.9", NAMING_RHEL_8_9 }, ++ { "rhel-8.10", NAMING_RHEL_8_10 }, ++ { "rhel-9.0", NAMING_RHEL_9_0 }, ++ { "rhel-9.1", NAMING_RHEL_9_1 }, ++ { "rhel-9.2", NAMING_RHEL_9_2 }, ++ { "rhel-9.3", NAMING_RHEL_9_3 }, ++ { "rhel-9.4", NAMING_RHEL_9_4 }, ++ { "rhel-10.0", NAMING_RHEL_10_0 }, + /* … add more schemes here, as the logic to name 
devices is updated … */ + + EXTRA_NET_NAMING_MAP +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index 62afdc514a..b0697c141e 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -63,6 +63,26 @@ typedef enum NamingSchemeFlags { + * systemd version 255, naming scheme "v255". */ + NAMING_V255 = NAMING_V254 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT, + ++ NAMING_RHEL_8_0 = NAMING_V239, ++ NAMING_RHEL_8_1 = NAMING_V239, ++ NAMING_RHEL_8_2 = NAMING_V239, ++ NAMING_RHEL_8_3 = NAMING_V239, ++ NAMING_RHEL_8_4 = NAMING_V239 | NAMING_BRIDGE_NO_SLOT, ++ NAMING_RHEL_8_5 = NAMING_RHEL_8_4, ++ NAMING_RHEL_8_6 = NAMING_RHEL_8_4, ++ NAMING_RHEL_8_7 = NAMING_RHEL_8_4 | NAMING_SLOT_FUNCTION_ID | NAMING_16BIT_INDEX, ++ NAMING_RHEL_8_8 = NAMING_RHEL_8_7, ++ NAMING_RHEL_8_9 = NAMING_RHEL_8_7, ++ NAMING_RHEL_8_10 = NAMING_RHEL_8_7, ++ ++ NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, ++ NAMING_RHEL_9_1 = NAMING_RHEL_9_0, ++ NAMING_RHEL_9_2 = NAMING_RHEL_9_0, ++ NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R, ++ NAMING_RHEL_9_4 = NAMING_RHEL_9_3, ++ ++ NAMING_RHEL_10_0 = NAMING_V255, ++ + EXTRA_NET_NAMING_SCHEMES + + _NAMING_SCHEME_FLAGS_INVALID = -EINVAL, diff --git a/SOURCES/0049-rules-copy-40-redhat.rules-from-RHEL-9.patch b/SOURCES/0049-rules-copy-40-redhat.rules-from-RHEL-9.patch new file mode 100644 index 0000000..2d127b9 --- /dev/null +++ b/SOURCES/0049-rules-copy-40-redhat.rules-from-RHEL-9.patch 
@@ -0,0 +1,109 @@ +From ee9a767142ec66b1ca93af9401dc8f723ae59881 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 12 Jun 2024 14:23:30 +0200 +Subject: [PATCH] rules: copy 40-redhat.rules from RHEL 9 + +Also split rules into 40-redhat-hotplug.rules, 40-redhat-s390.rules and 40-redhat.rules. + +rhel-only: feature + +Resolves: RHEL-40360 +--- + rules.d/40-redhat-hotplug.rules | 23 +++++++++++++++++++++++ + rules.d/40-redhat-s390.rules | 24 ++++++++++++++++++++++++ + rules.d/40-redhat.rules | 8 ++++++++ + rules.d/meson.build | 5 ++++- + 4 files changed, 59 insertions(+), 1 deletion(-) + create mode 100644 rules.d/40-redhat-hotplug.rules + create mode 100644 rules.d/40-redhat-s390.rules + create mode 100644 rules.d/40-redhat.rules + +diff --git a/rules.d/40-redhat-hotplug.rules b/rules.d/40-redhat-hotplug.rules +new file mode 100644 +index 0000000000..5555eeac75 +--- /dev/null ++++ b/rules.d/40-redhat-hotplug.rules +@@ -0,0 +1,23 @@ ++# do not edit this file, it will be overwritten on update ++ ++# CPU hotadd request ++SUBSYSTEM!="cpu", GOTO="cpu_online_end" ++ACTION!="add", GOTO="cpu_online_end" ++CONST{arch}=="ppc64*", GOTO="cpu_online_end" ++CONST{arch}=="s390*", ATTR{configure}=="0", GOTO="cpu_online_end" ++ ++TEST=="online", ATTR{online}=="0", ATTR{online}="1" ++ ++LABEL="cpu_online_end" ++ ++# Memory hotadd request ++SUBSYSTEM!="memory", GOTO="memory_hotplug_end" ++ACTION!="add", GOTO="memory_hotplug_end" ++CONST{arch}=="s390*", GOTO="memory_hotplug_end" ++CONST{arch}=="ppc64*", GOTO="memory_hotplug_end" ++ ++ENV{.state}="online" ++CONST{virt}=="none", ENV{.state}="online_movable" ++ATTR{state}=="offline", ATTR{state}="$env{.state}" ++ ++LABEL="memory_hotplug_end" +diff --git a/rules.d/40-redhat-s390.rules b/rules.d/40-redhat-s390.rules +new file mode 100644 +index 0000000000..64698b90e8 +--- /dev/null ++++ b/rules.d/40-redhat-s390.rules +@@ -0,0 +1,24 @@ ++# do not edit this file, it will be overwritten on update ++ ++# Rule for prandom character device node 
permissions ++KERNEL=="prandom", MODE="0644" ++ ++# Rules for creating the ID_PATH for SCSI devices based on the CCW bus ++# using the form: ccw--zfcp-: ++# ++ACTION=="remove", GOTO="zfcp_scsi_device_end" ++ ++# ++# Set environment variable "ID_ZFCP_BUS" to "1" if the devices ++# (both disk and partition) are SCSI devices based on FCP devices ++# ++KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1" ++ ++# For SCSI disks ++KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}" ++ ++ ++# For partitions on a SCSI disk ++KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n" ++ ++LABEL="zfcp_scsi_device_end" +diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules +new file mode 100644 +index 0000000000..975d56fdfd +--- /dev/null ++++ b/rules.d/40-redhat.rules +@@ -0,0 +1,8 @@ ++# do not edit this file, it will be overwritten on update ++ ++# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded ++ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge" ++ ++# load SCSI generic (sg) driver ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" +diff --git a/rules.d/meson.build b/rules.d/meson.build +index 3040fae8a4..edf419f449 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -5,7 +5,10 @@ install_data( + install_dir : udevrulesdir) + + rules = [ +- [files('60-autosuspend.rules', ++ [files('40-redhat-hotplug.rules', ++ '40-redhat-s390.rules', ++ '40-redhat.rules', ++ '60-autosuspend.rules', + '60-block.rules', + '60-cdrom_id.rules', + '60-dmi-id.rules', 
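Review bot: in the second .packit.yml hunk the context lines still carry the Rawhide workaround, `# until the change propagates to Rawhide's specfile` followed by the `sed` that injects `BuildRequires: libarchive-devel`, while the first hunk switches the clone to the `c10s` branch of the CentOS Stream spec. Check whether the c10s spec already has that BuildRequires and drop or retarget the comment and the sed; stale spec surgery is the kind of thing that fails silently later. The same hunk removes the whole `job: tests` (tmt plan `ci`) without a replacement, so Packit now only proves that the RPM builds; the commit message should say whether that gap is temporary.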
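Review bot: the advanced-commit-linter.yml hunk replaces the bare `- rhel-only` and `- RHEL-only` notes with the parameterised forms, yet the commit message still promises "or use just `rhel-only`" for the `other` category; as configured, a bare `rhel-only` note no longer satisfies the exception. Either keep the two bare entries next to the new patterns or correct the message. The new patterns are also unanchored, so `rhel-only: features` or `rhel-only: ci-anything` match; add `$` after the group, as the tracker `issue-format` (`'RHEL-\d+$'`) in the same file already does.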
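Review bot: the one-line change in uid-classification.c matches the description, but the commit message sentence "Actualy, it seems that this change was needed at all." says the opposite of what the following sentences argue (that the container check was not needed); fix it to "was not needed" before this lands, because the message is the only record of why container-range UIDs return to per-user journal files.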
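Review bot: the new guard in parse_argv() of tmpfiles.c is placed correctly after the "no configuration file" check and correctly exempts `--dry-run`, but `--destroy-data` given without `--purge` is silently accepted and does nothing. Reject `destroy_data && !FLAGS_SET(arg_operation, OPERATION_PURGE)` with EINVAL as well, so a wrong flag combination is reported immediately. Also note that the hidden option's name is printed verbatim in "Refusing --purge without --destroy-data.", so the `/* This is not documented on purpose. ... */` comment describes friction, not secrecy; say so in the comment so nobody later "fixes" the message by removing the hint.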
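Review bot: in systemd-user.in the `account` stack changes from `account required pam_permit.so` to `account include system-auth`, a behavioural change the one-line commit message does not mention: whatever account modules the local system-auth lists (for example pam_sss, or restrictions beyond the `no_pass_expiry` already given to pam_unix above) now also gate starting the user's service manager, so a locked account will fail to get a user@.service instance even for lingering. Likewise `session include system-auth` replaces the explicit `session optional pam_systemd.so`, so the stack only works if the distribution's system-auth supplies pam_systemd; state that requirement in the message.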
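Review bot: the new man/systemd.net-naming-scheme.xml text states "By default rhel-10.0 is used.", but nothing in this patch changes the build default (neither the meson option nor the spec is touched), so the sentence is only true if packaging sets it; include that change or reword to say the default applies when the build is configured with rhel-10.0. Two spelling slips in the same hunk: "assocated" in the rhel-8.4 entry and "onbard" in the rhel-8.7 entry. The netif-naming-scheme.h hunk agrees with the prose (rhel-8.4 is v239 plus NAMING_BRIDGE_NO_SLOT, rhel-8.7 adds NAMING_SLOT_FUNCTION_ID and NAMING_16BIT_INDEX, rhel-9.3 adds NAMING_SR_IOV_R), so only the documentation needs attention.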
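Review bot: both `RUN+="/sbin/modprobe -bv sg"` lines in the new rules.d/40-redhat.rules spawn an external process on every scsi_device and scsi_target add event, with a hardcoded `/sbin` path. udev has a built-in for this, `RUN{builtin}+="kmod load sg"`, which avoids the fork and the path assumption; switch to it. In 40-redhat-hotplug.rules the memory rule writes `online_movable` whenever `CONST{virt}=="none"`; that is a policy decision (ZONE_MOVABLE memory can be hot-removed but cannot hold unmovable kernel allocations) that deserves a comment line, in the style of the existing `# CPU hotadd request` header.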
diff --git a/SOURCES/0050-logind-set-RemoveIPC-to-false-by-default.patch b/SOURCES/0050-logind-set-RemoveIPC-to-false-by-default.patch new file mode 100644 index 0000000..f2a4438 --- /dev/null +++ b/SOURCES/0050-logind-set-RemoveIPC-to-false-by-default.patch 
@@ -0,0 +1,53 @@ +From 6e4f0c54b24080fb57261a54a4e26b64f806f40d Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 10:58:28 +0200 +Subject: [PATCH] logind: set RemoveIPC to false by default + +RHEL-only: bugfix + +Related: RHEL-40924 +--- + man/logind.conf.xml | 2 +- + src/login/logind-core.c | 2 +- + src/login/logind.conf.in | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/logind.conf.xml b/man/logind.conf.xml +index c52431fd41..bb5e13bfd9 100644 +--- a/man/logind.conf.xml ++++ b/man/logind.conf.xml +@@ -374,7 +374,7 @@ + user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the + last of the user's sessions terminated. This covers System V semaphores, shared memory and message queues, as + well as POSIX shared memory and message queues. Note that IPC objects of the root user and other system users +- are excluded from the effect of this setting. Defaults to yes. ++ are excluded from the effect of this setting. Defaults to no. + + + +diff --git a/src/login/logind-core.c b/src/login/logind-core.c +index 71e4247a79..26250c5704 100644 +--- a/src/login/logind-core.c ++++ b/src/login/logind-core.c +@@ -36,7 +36,7 @@ void manager_reset_config(Manager *m) { + + m->n_autovts = 6; + m->reserve_vt = 6; +- m->remove_ipc = true; ++ m->remove_ipc = false; + m->inhibit_delay_max = 5 * USEC_PER_SEC; + m->user_stop_delay = 10 * USEC_PER_SEC; + +diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in +index b62458ec3c..dc798bea2d 100644 +--- a/src/login/logind.conf.in ++++ b/src/login/logind.conf.in +@@ -46,7 +46,7 @@ + #IdleActionSec=30min + #RuntimeDirectorySize=10% + #RuntimeDirectoryInodesMax= +-#RemoveIPC=yes ++#RemoveIPC=no + #InhibitorsMax=8192 + #SessionsMax=8192 + #StopIdleSessionSec=infinity 
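Review bot: the logind-core.c hunk flips `m->remove_ipc` to false, so a user's System V and POSIX shared memory, semaphores and message queues now outlive the user's last session; the commit message labels this "bugfix" without saying what it fixes. Since upstream defaults to yes, the man/logind.conf.xml hunk should do more than change "Defaults to yes" to "Defaults to no": add a sentence that the downstream default differs from upstream and why, so administrators who want the upstream cleanup know to set `RemoveIPC=yes` explicitly.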
diff --git a/SOURCES/0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch b/SOURCES/0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch new file mode 100644 index 0000000..beb127b --- /dev/null +++ b/SOURCES/0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch @@ -0,0 +1,43 @@ +From ed416f79aac6c1136f5d20a19cfc20c2709ab314 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 5 Aug 2021 17:11:47 +0200 +Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf + symlink + +RHEL-only: bugfix + +Related: RHEL-40924 +--- + tmpfiles.d/meson.build | 1 - + tmpfiles.d/systemd-resolve.conf | 10 ---------- + 2 files changed, 11 deletions(-) + delete mode 100644 tmpfiles.d/systemd-resolve.conf + +diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build +index bec24ac7b4..55ce48979d 100644 +--- a/tmpfiles.d/meson.build ++++ b/tmpfiles.d/meson.build +@@ -10,7 +10,6 @@ files = [['README', ''], + ['systemd-nologin.conf', 'HAVE_PAM'], + ['systemd-nspawn.conf', 'ENABLE_MACHINED'], + ['systemd-pstore.conf', 'ENABLE_PSTORE'], +- ['systemd-resolve.conf', 'ENABLE_RESOLVE'], + ['systemd-tmp.conf', ''], + ['tmp.conf', ''], + ['x11.conf', ''], +diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf +deleted file mode 100644 +index cb1c56d6a6..0000000000 +--- a/tmpfiles.d/systemd-resolve.conf ++++ /dev/null +@@ -1,10 +0,0 @@ +-# This file is part of systemd. +-# +-# systemd is free software; you can redistribute it and/or modify it +-# under the terms of the GNU Lesser General Public License as published by +-# the Free Software Foundation; either version 2.1 of the License, or +-# (at your option) any later version. +- +-# See tmpfiles.d(5) for details +- +-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf diff --git a/SOURCES/0052-rc-local-order-after-network-online.target.patch b/SOURCES/0052-rc-local-order-after-network-online.target.patch new file mode 100644 index 0000000..d8c1298 
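Review bot: the tmpfiles.d/systemd-resolve.conf deletion removes the `L!` line that pointed /etc/resolv.conf at ../run/systemd/resolve/stub-resolv.conf, and the meson.build hunk drops the matching ENABLE_RESOLVE entry, so the two hunks are consistent. The commit message gives only "bugfix" as the rationale; it should state that the symlink is no longer created because systemd-resolved is not enabled by default downstream (patch 0064 in this series removes it from the preset), otherwise the next rebase will read this as an accidental loss.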
--- /dev/null +++ b/SOURCES/0052-rc-local-order-after-network-online.target.patch @@ -0,0 +1,29 @@ +From 49241b42effa3684b485a8b90e5b4256a6223971 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 11 Mar 2021 15:48:23 +0100 +Subject: [PATCH] rc-local: order after network-online.target + +I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf, +just network-online.target didn't exist back then. + +RHEL-only: bugfix + +Related: RHEL-40924 +--- + units/rc-local.service.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/units/rc-local.service.in b/units/rc-local.service.in +index 6fb0838cdb..40ffc15c99 100644 +--- a/units/rc-local.service.in ++++ b/units/rc-local.service.in +@@ -13,7 +13,8 @@ + Description={{RC_LOCAL_PATH}} Compatibility + Documentation=man:systemd-rc-local-generator(8) + ConditionFileIsExecutable={{RC_LOCAL_PATH}} +-After=network.target ++After=network-online.target ++Wants=network-online.target + + [Service] + Type=forking diff --git a/SOURCES/0053-random-util-increase-random-seed-size-to-1024.patch b/SOURCES/0053-random-util-increase-random-seed-size-to-1024.patch new file mode 100644 index 0000000..f1710ba --- /dev/null +++ b/SOURCES/0053-random-util-increase-random-seed-size-to-1024.patch 
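Review bot: the units/rc-local.service.in hunk adds `Wants=network-online.target` alongside the `After=` change; on any system where {{RC_LOCAL_PATH}} is executable this pulls network-online.target, and therefore the wait-online service of whichever network manager is installed, into the boot transaction and can delay boot until the network is reported up. That is the intended semantics of ordering after network-online.target, but the commit message only says it was probably the intent of the older commit; it should mention the boot-time cost so the change is not reverted as a regression later.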
@@ -0,0 +1,25 @@ +From 9a6ef20bab1411570b3af6f6bbdb1a299ea8e73a Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 15 Jul 2021 11:15:17 +0200 +Subject: [PATCH] random-util: increase random seed size to 1024 + +RHEL-only: feature + +Related: RHEL-40924 +--- + src/basic/random-util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/random-util.h b/src/basic/random-util.h +index b1a4d10971..08b1a3599a 100644 +--- a/src/basic/random-util.h ++++ b/src/basic/random-util.h +@@ -21,7 +21,7 @@ static inline uint32_t random_u32(void) { + } + + /* Some limits on the pool sizes when we deal with the kernel random pool */ +-#define RANDOM_POOL_SIZE_MIN 32U ++#define RANDOM_POOL_SIZE_MIN 1024U + #define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U) + #define RANDOM_EFI_SEED_SIZE 32U + diff --git a/SOURCES/0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch b/SOURCES/0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch new file mode 100644 index 0000000..3d95209 --- /dev/null +++ b/SOURCES/0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch @@ -0,0 +1,25 @@ +From 15465a4a302c4379746a21ef7b7fb9a9bfea9297 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Thu, 2 May 2019 14:11:54 +0200 +Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by + default + +RHEL-only: feature + +Related: RHEL-40924 +--- + presets/90-systemd.preset | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset +index da6b9805fd..004ea6fe14 100644 +--- a/presets/90-systemd.preset ++++ b/presets/90-systemd.preset +@@ -21,7 +21,6 @@ enable systemd-boot-update.service + enable systemd-confext.service + enable systemd-homed.service + enable systemd-homed-activate.service +-enable systemd-journald-audit.socket + enable systemd-mountfsd.socket + enable systemd-network-generator.service + enable systemd-networkd.service 
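Review bot: the random-util.h hunk raises RANDOM_POOL_SIZE_MIN from 32 to 1024 bytes but leaves RANDOM_POOL_SIZE_MAX and RANDOM_EFI_SEED_SIZE unchanged, so the minimum now exceeds the 512 bytes that a kernel reporting a 4096-bit /proc/sys/kernel/random/poolsize yields and becomes the binding lower bound for the seed file size; the commit message should say why 1024 was chosen and confirm that loading an existing, smaller seed file written by a previous version still works.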
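Review bot: the presets/90-systemd.preset hunk stops enabling systemd-journald-audit.socket, so audit records no longer reach the journal unless the socket is enabled by hand, and the commit message says only "feature". Patch 0055 in this series also changes journald.conf to leave the kernel's audit state untouched; the two should be described together, with the reason spelled out, so that losing audit messages from journalctl is a documented choice rather than a surprise during incident response.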
diff --git a/SOURCES/0055-journald.conf-don-t-touch-current-audit-settings.patch b/SOURCES/0055-journald.conf-don-t-touch-current-audit-settings.patch new file mode 100644 index 0000000..fe1a827 --- /dev/null +++ b/SOURCES/0055-journald.conf-don-t-touch-current-audit-settings.patch @@ -0,0 +1,22 @@ +From b340b4c797599aa444f9dbf07c6ef7ea29021604 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 5 Aug 2021 15:26:13 +0200 +Subject: [PATCH] journald.conf: don't touch current audit settings + +RHEL-only: policy + +Related: RHEL-40924 +--- + src/journal/journald.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journald.conf b/src/journal/journald.conf +index 13cdd6300f..fc307c53c2 100644 +--- a/src/journal/journald.conf ++++ b/src/journal/journald.conf +@@ -47,4 +47,4 @@ + #MaxLevelSocket=debug + #LineMax=48K + #ReadKMsg=yes +-#Audit=yes ++Audit= diff --git a/SOURCES/0056-rules-add-elevator-kernel-command-line-parameter.patch b/SOURCES/0056-rules-add-elevator-kernel-command-line-parameter.patch new file mode 100644 index 0000000..58c8c31 --- /dev/null +++ b/SOURCES/0056-rules-add-elevator-kernel-command-line-parameter.patch 
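Review bot: the src/journal/journald.conf hunk turns the commented example `#Audit=yes` into an active, empty `Audit=` assignment; the empty value is what makes journald leave the kernel's audit enablement alone, which matches the subject, but it also changes the shipped file from "all defaults commented out" to one live setting. Add a comment above the line saying the empty value is intentional, and check that journald.conf(5) documents the empty setting, since the man page is not touched by this patch.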
@@ -0,0 +1,56 @@ +From 3847259c117fd511043a60400233ca9d1af1b5ce Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Tue, 12 Feb 2019 16:58:16 +0100 +Subject: [PATCH] rules: add elevator= kernel command line parameter + +Kernel removed the elevator= option, so let's reintroduce +it for rhel8 via udev rule. + +RHEL-only: feature + +Related: RHEL-40924 +--- + rules.d/40-elevator.rules | 20 ++++++++++++++++++++ + rules.d/meson.build | 1 + + 2 files changed, 21 insertions(+) + create mode 100644 rules.d/40-elevator.rules + +diff --git a/rules.d/40-elevator.rules b/rules.d/40-elevator.rules +new file mode 100644 +index 0000000000..dbe8fc81a4 +--- /dev/null ++++ b/rules.d/40-elevator.rules +@@ -0,0 +1,20 @@ ++# We aren't adding devices skip the elevator check ++ACTION!="add", GOTO="sched_out" ++ ++SUBSYSTEM!="block", GOTO="sched_out" ++ENV{DEVTYPE}!="disk", GOTO="sched_out" ++ ++# Technically, dm-multipath can be configured to use an I/O scheduler. ++# However, there are races between the 'add' uevent and the linking in ++# of the queue/scheduler sysfs file. For now, just skip dm- devices. ++KERNEL=="dm-*|md*", GOTO="sched_out" ++ ++# Skip bio-based devices, which don't support an I/O scheduler. ++ATTR{queue/scheduler}=="none", GOTO="sched_out" ++ ++# If elevator= is specified on the kernel command line, change the ++# scheduler to the one specified. ++IMPORT{cmdline}="elevator" ++ENV{elevator}!="", ATTR{queue/scheduler}="$env{elevator}" ++ ++LABEL="sched_out" +\ No newline at end of file +diff --git a/rules.d/meson.build b/rules.d/meson.build +index edf419f449..2b57322a12 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -8,6 +8,7 @@ rules = [ + [files('40-redhat-hotplug.rules', + '40-redhat-s390.rules', + '40-redhat.rules', ++ '40-elevator.rules', + '60-autosuspend.rules', + '60-block.rules', + '60-cdrom_id.rules', 
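Review bot: the rules.d/40-elevator.rules hunk ends with `\ No newline at end of file`; add the trailing newline. In the same file, `IMPORT{cmdline}="elevator"` followed by `ATTR{queue/scheduler}="$env{elevator}"` writes the command-line string straight into sysfs; the kernel rejects unknown scheduler names with an error, so this is safe, but a comment saying so would save the next reader the check. In the rules.d/meson.build hunk '40-elevator.rules' is inserted after '40-redhat.rules', breaking the alphabetical order of the list; it belongs before '40-redhat-hotplug.rules'. The first comment line, "We aren't adding devices skip the elevator check", is missing a comma or "so".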
diff --git a/SOURCES/0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch b/SOURCES/0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch new file mode 100644 index 0000000..a10993c --- /dev/null +++ b/SOURCES/0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch 
@@ -0,0 +1,59 @@ +From 5725d315940804ba80468e6e3b6ea4653587f109 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 13:19:39 +0200 +Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value + +This should be hopefully high enough even for the very big deployments. + +RHEL-only: feature + +Related: RHEL-40924 +--- + man/systemd-system.conf.xml | 4 ++-- + src/core/manager.c | 2 +- + src/core/system.conf.in | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index ae5b61b149..22919842f5 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -520,10 +520,10 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max= ++ of slice units. Defaults to 80% of the minimum of kernel.pid_max=, kernel.threads-max= + and root cgroup pids.max. + Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. +- For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, ++ For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 26214, + but might be greater in other systems or smaller in OS containers. + + +diff --git a/src/core/manager.c b/src/core/manager.c +index 90e72b0c02..8ddf37fdad 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -117,7 +117,7 @@ + /* How many units and jobs to process of the bus queue before returning to the event loop. 
*/ + #define MANAGER_BUS_MESSAGE_BUDGET 100U + +-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */ ++#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 80U, 100U }) /* 80% */ + + static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); + static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 1c08aa4d22..4fe420c344 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -59,7 +59,7 @@ + #DefaultIPAccounting=no + #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=80% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= diff --git a/SOURCES/0058-udev-net-setup-link-change-the-default-MACAddressPol.patch b/SOURCES/0058-udev-net-setup-link-change-the-default-MACAddressPol.patch new file mode 100644 index 0000000..4929912 --- /dev/null +++ b/SOURCES/0058-udev-net-setup-link-change-the-default-MACAddressPol.patch 
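Review bot: the src/core/manager.c hunk raises DEFAULT_TASKS_MAX to 80% of pid_max, which lets a single unit consume most of the system's PIDs before TasksMax= stops it, so the fork-bomb containment the 15% default provided is largely gone for every service that does not set its own limit. The commit message ("hopefully high enough") should name the deployments that hit 15% and note that the per-unit TasksMax= knob exists as the targeted alternative. The man page numbers are consistent: 80% of the default pid_max of 32768 is 26214, replacing 4915 for 15%.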
@@ -0,0 +1,53 @@ +From 2b9b38af0bd6f15d316869022ad296f5927f2d2b Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Tue, 21 Sep 2021 15:01:19 +0200 +Subject: [PATCH] udev/net-setup-link: change the default MACAddressPolicy to + "none" + +While stable MAC address for interface types that don't have the +address provided by HW could be useful it also breaks LACP based bonds. +Let's err on the side of caution and don't change the MAC address from +udev. + +RHEL-only: policy + +Related: RHEL-40924 +--- + man/systemd.link.xml | 2 +- + network/99-default.link | 2 +- + test/fuzz/fuzz-link-parser/99-default.link | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.link.xml b/man/systemd.link.xml +index 3991d91881..0002eb3617 100644 +--- a/man/systemd.link.xml ++++ b/man/systemd.link.xml +@@ -1386,7 +1386,7 @@ OriginalName=* + [Link] + NamePolicy=keep kernel database onboard slot path + AlternativeNamesPolicy=database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none + + + +diff --git a/network/99-default.link b/network/99-default.link +index 56030b62be..5628dcf845 100644 +--- a/network/99-default.link ++++ b/network/99-default.link +@@ -12,4 +12,4 @@ OriginalName=* + [Link] + NamePolicy=keep kernel database onboard slot path + AlternativeNamesPolicy=database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none +diff --git a/test/fuzz/fuzz-link-parser/99-default.link b/test/fuzz/fuzz-link-parser/99-default.link +index feb5b1fbb0..3d755898b4 100644 +--- a/test/fuzz/fuzz-link-parser/99-default.link ++++ b/test/fuzz/fuzz-link-parser/99-default.link +@@ -9,4 +9,4 @@ + + [Link] + NamePolicy=keep kernel database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none diff --git a/SOURCES/0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch b/SOURCES/0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch new file mode 100644 index 0000000..6422fc2 --- /dev/null 
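Review bot: all three hunks change the example `MACAddressPolicy=persistent` to `none`, including the fuzz corpus copy under test/fuzz/fuzz-link-parser, which is consistent. With none, interface types without a hardware-provided address keep the kernel's random MAC, which can change on every boot and affects DHCP lease stability and MAC-based filtering; the commit message covers the LACP motivation, but the man/systemd.link.xml hunk only updates the example, so the option's description should state that the downstream default is none and why.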
+++ b/SOURCES/0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch @@ -0,0 +1,40 @@ +From 74151c1fd19cbd73f2a6d1c2f84eac9bb73eac7e Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Tue, 22 Feb 2022 13:24:11 +0100 +Subject: [PATCH] core: decrease log level of messages about use of + KillMode=none + +RHEL-only: bugfix + +Related: RHEL-40924 +--- + src/core/load-fragment.c | 2 +- + src/core/unit.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 5ae68886af..d4c006eb87 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -868,7 +868,7 @@ int config_parse_kill_mode( + } + + if (m == KILL_NONE) +- log_syntax(unit, LOG_WARNING, filename, line, 0, ++ log_syntax(unit, LOG_DEBUG, filename, line, 0, + "Unit uses KillMode=none. " + "This is unsafe, as it disables systemd's process lifecycle management for the service. " + "Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. " +diff --git a/src/core/unit.c b/src/core/unit.c +index 2d40618fcb..0ec5dcaf75 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -5867,7 +5867,7 @@ int unit_log_leftover_process_start(const PidRef *pid, int sig, void *userdata) + + /* During start we print a warning */ + +- log_unit_warning(userdata, ++ log_unit_debug(userdata, + "Found left-over process " PID_FMT " (%s) in control group while starting unit. Ignoring.\n" + "This usually indicates unclean termination of a previous run, or service implementation deficiencies.", + pid->pid, strna(comm)); diff --git a/SOURCES/0060-meson-rename-libbasic-to-libbasic_static.patch b/SOURCES/0060-meson-rename-libbasic-to-libbasic_static.patch new file mode 100644 index 0000000..5f3a54b --- /dev/null +++ b/SOURCES/0060-meson-rename-libbasic-to-libbasic_static.patch 
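Review bot: the src/core/load-fragment.c hunk lowers the KillMode=none message to LOG_DEBUG while the text still says "This is unsafe" and asks the administrator to change the unit, so the message now asks for action at a level nobody sees by default; LOG_NOTICE or LOG_INFO would keep it visible without the warning severity. In the src/core/unit.c hunk the comment `/* During start we print a warning */` is no longer true for log_unit_debug and should be updated in the same change.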
@@ -0,0 +1,180 @@ +From 40527d91d2fb1d987473bb4bcf1c929a85ffe9a0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 3 Jul 2024 16:51:05 +0200 +Subject: [PATCH] meson: rename libbasic to libbasic_static + +Our variables for internal libraries are named 'libfoo' for the shared lib +variant, and 'libfoo_static' for the static lib variant. The only exception was +libbasic, because we didn't have a shared variant for it. But let's rename it +for consitency. This makes the build config easier to understand. + +see currently unmerged https://github.com/systemd/systemd/pull/33599 + +RHEL-only workaround + +Resolves: RHEL-46020 +--- + meson.build | 4 ++-- + src/basic/meson.build | 2 +- + src/libsystemd/meson.build | 2 +- + src/partition/meson.build | 2 +- + src/shared/meson.build | 2 +- + src/shutdown/meson.build | 2 +- + src/sysusers/meson.build | 2 +- + src/test/meson.build | 8 ++++---- + src/tmpfiles/meson.build | 2 +- + 9 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/meson.build b/meson.build +index e42151998b..18115cad5e 100644 +--- a/meson.build ++++ b/meson.build +@@ -2078,7 +2078,7 @@ libsystemd = shared_library( + # Make sure our library is never deleted from memory, so that our open logging fds don't leak on dlopen/dlclose cycles. 
+ '-z', 'nodelete', + '-Wl,--version-script=' + libsystemd_sym_path], +- link_with : [libbasic], ++ link_with : [libbasic_static], + link_whole : [libsystemd_static], + dependencies : [librt, + threads, +@@ -2243,7 +2243,7 @@ nss_template = { + 'link_with' : [ + libsystemd_static, + libshared_static, +- libbasic, ++ libbasic_static, + ], + 'dependencies' : [ + librt, +diff --git a/src/basic/meson.build b/src/basic/meson.build +index 9a214575a5..b538775576 100644 +--- a/src/basic/meson.build ++++ b/src/basic/meson.build +@@ -274,7 +274,7 @@ filesystem_switch_case_h = custom_target( + + basic_sources += [filesystem_list_h, filesystem_switch_case_h, filesystems_gperf_h] + +-libbasic = static_library( ++libbasic_static = static_library( + 'basic', + basic_sources, + fundamental_sources, +diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build +index 6d4337d1a7..243549299f 100644 +--- a/src/libsystemd/meson.build ++++ b/src/libsystemd/meson.build +@@ -118,7 +118,7 @@ libsystemd_static = static_library( + libsystemd_sources, + include_directories : libsystemd_includes, + c_args : libsystemd_c_args, +- link_with : [libbasic], ++ link_with : [libbasic_static], + dependencies : [threads, + librt, + userspace], +diff --git a/src/partition/meson.build b/src/partition/meson.build +index 52e1368116..2cfe43e029 100644 +--- a/src/partition/meson.build ++++ b/src/partition/meson.build +@@ -32,7 +32,7 @@ executables += [ + 'sources' : files('repart.c'), + 'c_args' : '-DSTANDALONE', + 'link_with' : [ +- libbasic, ++ libbasic_static, + libshared_fdisk, + libshared_static, + libsystemd_static, +diff --git a/src/shared/meson.build b/src/shared/meson.build +index c5106d87d5..e513c0ec1c 100644 +--- a/src/shared/meson.build ++++ b/src/shared/meson.build +@@ -358,7 +358,7 @@ libshared = shared_library( + '-Wl,--version-script=' + libshared_sym_path], + link_depends : libshared_sym_path, + link_whole : [libshared_static, +- libbasic, ++ libbasic_static, + libsystemd_static], + 
dependencies : [libshared_deps, + userspace], +diff --git a/src/shutdown/meson.build b/src/shutdown/meson.build +index 219f9fd308..9bc60f83e5 100644 +--- a/src/shutdown/meson.build ++++ b/src/shutdown/meson.build +@@ -20,7 +20,7 @@ executables += [ + 'sources' : systemd_shutdown_sources, + 'c_args' : '-DSTANDALONE', + 'link_with' : [ +- libbasic, ++ libbasic_static, + libshared_static, + libsystemd_static, + ], +diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build +index 0f9c067d50..403d82a340 100644 +--- a/src/sysusers/meson.build ++++ b/src/sysusers/meson.build +@@ -14,7 +14,7 @@ executables += [ + 'sources' : files('sysusers.c'), + 'c_args' : '-DSTANDALONE', + 'link_with' : [ +- libbasic, ++ libbasic_static, + libshared_static, + libsystemd_static, + ], +diff --git a/src/test/meson.build b/src/test/meson.build +index 3abbb94d9f..9d3c7d675f 100644 +--- a/src/test/meson.build ++++ b/src/test/meson.build +@@ -274,7 +274,7 @@ executables += [ + # only static linking apart from libdl, to make sure that the + # module is linked to all libraries that it uses. 
+ 'sources' : files('test-dlopen.c'), +- 'link_with' : libbasic, ++ 'link_with' : libbasic_static, + 'dependencies' : libdl, + 'install' : false, + 'type' : 'manual', +@@ -410,7 +410,7 @@ executables += [ + }, + test_template + { + 'sources' : files('test-sizeof.c'), +- 'link_with' : libbasic, ++ 'link_with' : libbasic_static, + }, + test_template + { + 'sources' : files('test-time-util.c'), +@@ -590,7 +590,7 @@ executables += [ + test_template + { + 'sources' : files('../libsystemd/sd-device/test-sd-device-thread.c'), + 'link_with' : [ +- libbasic, ++ libbasic_static, + libsystemd, + ], + 'dependencies' : threads, +@@ -598,7 +598,7 @@ executables += [ + test_template + { + 'sources' : files('../libudev/test-udev-device-thread.c'), + 'link_with' : [ +- libbasic, ++ libbasic_static, + libudev, + ], + 'dependencies' : threads, +diff --git a/src/tmpfiles/meson.build b/src/tmpfiles/meson.build +index 2e918509a7..09ad839586 100644 +--- a/src/tmpfiles/meson.build ++++ b/src/tmpfiles/meson.build +@@ -20,7 +20,7 @@ executables += [ + 'sources' : systemd_tmpfiles_sources, + 'c_args' : '-DSTANDALONE', + 'link_with' : [ +- libbasic, ++ libbasic_static, + libshared_static, + libsystemd_static, + ], diff --git a/SOURCES/0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch b/SOURCES/0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch new file mode 100644 index 0000000..d29e276 --- /dev/null +++ b/SOURCES/0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch 
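Review bot: the rename is mechanical and complete across the nine meson files shown, and the static_library() call in src/basic/meson.build keeps the output name 'basic', so no installed artifact changes. In the src/test/meson.build hunk the `'link_with' : libbasic_static` entries for test-dlopen and test-sizeof remain bare values while the other targets use lists; harmless in meson but worth aligning while touching the lines. The commit message has "consitency" for "consistency".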
@@ -0,0 +1,63 @@ +From 9eccd6c09f06979003eb2ae1f159defc40213fe0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 3 Jul 2024 17:03:26 +0200 +Subject: [PATCH] meson: build libsystemd-core via an intermediate static + library + +By itself, this is not useful. I'm making this a separate commit to +make debugging easier. It turns out that meson does static libraries +using references, so the "static library" a tiny stub stub that refers +to the object files on disk and this has negligible cost: +$ ls -lhd build/src/core/libsystemd-core-257.{a,so} +-rw-r--r-- 1 zbyszek zbyszek 36K Jul 3 16:54 build/src/core/libsystemd-core-257.a +-rwxr-xr-x 1 zbyszek zbyszek 6.1M Jul 3 16:54 build/src/core/libsystemd-core-257.so + +see currently unmerged https://github.com/systemd/systemd/pull/33599 + +RHEL-only workaround + +Resolves: RHEL-46020 +--- + src/core/meson.build | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/core/meson.build b/src/core/meson.build +index 7a2012a372..1ef31cc529 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -110,17 +110,13 @@ load_fragment_gperf_nulstr_c = custom_target( + + libcore_name = 'systemd-core-@0@'.format(shared_lib_tag) + +-libcore = shared_library( ++libcore_static = static_library( + libcore_name, + libcore_sources, + load_fragment_gperf_c, + load_fragment_gperf_nulstr_c, + include_directories : includes, + c_args : ['-fvisibility=default'], +- link_args : ['-shared', +- '-Wl,--version-script=' + libshared_sym_path], +- link_depends : libshared_sym_path, +- link_with : libshared, + dependencies : [libacl, + libapparmor, + libaudit, +@@ -135,6 +131,16 @@ libcore = shared_library( + libselinux, + threads, + userspace], ++ build_by_default : false) ++ ++libcore = shared_library( ++ libcore_name, ++ c_args : ['-fvisibility=default'], ++ link_args : ['-shared', ++ '-Wl,--version-script=' + libshared_sym_path], ++ link_depends : 
libshared_sym_path, ++ link_whole: libcore_static, ++ link_with : libshared, + install : true, + install_dir : pkglibdir) + diff --git a/SOURCES/0062-meson-add-option-to-build-systemd-executor-staticall.patch b/SOURCES/0062-meson-add-option-to-build-systemd-executor-staticall.patch new file mode 100644 index 0000000..a7464ff --- /dev/null +++ b/SOURCES/0062-meson-add-option-to-build-systemd-executor-staticall.patch 
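Review bot: in the src/core/meson.build hunk `link_whole: libcore_static` uses different spacing from the `link_with :` style used on the neighbouring lines. libcore_static is marked build_by_default : false and the new shared_library() call has no sources of its own, relying entirely on link_whole, which meson supports; since only the static target compiles objects, the repeated `c_args : ['-fvisibility=default']` on the shared target appears redundant and can be dropped.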
@@ -0,0 +1,101 @@ +From f3b375da4cd070788b2b8a21fe678c15cb4babe8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 3 Jul 2024 17:05:31 +0200 +Subject: [PATCH] meson: add option to build systemd-executor "statically" + +The new link-executor-shared option is similar to the existing +link-udev-shared: when set to false, we link to the static versions of our +internal libraries. + +The resulting exuctor binary is fairly large, about as large as libsystemd-core +(14 MB without lto, 8 with lto). + +This is intended as a workaround for the fuckup with the pinned executor +binary: +when an upgrade is performed, the package manager will install new version of +the libraries and new version of the code, and some time later reexecute the +managers. This creates a window when the pinned executor binary will fail to +execute. There are two factors which make the issue easier to hit: + +- when the distribution uses a finely-grained shared-lib-tag. E.g. Fedora + uses version-release as the tag, which means that the issue occurs on + every package upgrade. This is the right thing to do, because the + ABI of our internal libraries is not stable at all, so replacing the + library from a different version in place creates a window where our + programs may crash or misbehave. + +- when the distribution doesn't immediately reexec all the managers after + upgrade. In early versions of systemd, we used to hammer the machine during + upgrade, doing daemon-reexecs repeatedly. This works, but is ugly and + wasteful. Doing the reexecs while the upgrade is in progres also creates a + window where a mix of old and new configs or both is loaded. Users are + particularly annoyed by those reloads if there is some issue in the + configuration causing us to emit warnings on every reexec. Doing the + reexecs once after the new configuration and libraries have been put + in place is nicer. 
+ +The pinning of the executor binary breaks upgrades and in particular +it penalizes the distributions which make use of the features which +were previously added to avoid bugs and inefficiency during upgrades. + +When the executor is linked statically, there is a smaller chance that it'll +fail to load libraries. The issue can still occur because other libraries, not +our own, are linked dynamically. + +see currently unmerged https://github.com/systemd/systemd/pull/33599 + +RHEL-only workaround + +Resolves: RHEL-46020 +--- + meson_options.txt | 2 ++ + src/core/meson.build | 16 ++++++++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/meson_options.txt b/meson_options.txt +index d52ca4e4b5..3cce818392 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -21,6 +21,8 @@ option('rootprefix', type : 'string', deprecated: true, + description : '''This option is deprecated and will be removed in a future release''') + option('link-udev-shared', type : 'boolean', + description : 'link systemd-udevd and its helpers to libsystemd-shared.so') ++option('link-executor-shared', type : 'boolean', ++ description : 'link systemd-executor to libsystemd-shared.so and libsystemd-core.so') + option('link-systemctl-shared', type: 'boolean', + description : 'link systemctl against libsystemd-shared.so') + option('link-networkd-shared', type: 'boolean', +diff --git a/src/core/meson.build b/src/core/meson.build +index 1ef31cc529..dbeb752977 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -156,6 +156,17 @@ systemd_executor_sources = files( + 'exec-invoke.c', + ) + ++executor_libs = get_option('link-executor-shared') ? 
\ ++ [ ++ libcore, ++ libshared, ++ ] : [ ++ libcore_static, ++ libshared_static, ++ libbasic_static, ++ libsystemd_static, ++ ] ++ + executables += [ + libexec_template + { + 'name' : 'systemd', +@@ -173,10 +184,7 @@ executables += [ + 'public' : true, + 'sources' : systemd_executor_sources, + 'include_directories' : core_includes, +- 'link_with' : [ +- libcore, +- libshared, +- ], ++ 'link_with' : executor_libs, + 'dependencies' : [ + libapparmor, + libpam, diff --git a/SOURCES/0063-taint-remove-unmerged-bin.patch b/SOURCES/0063-taint-remove-unmerged-bin.patch new file mode 100644 index 0000000..d73f29b --- /dev/null +++ b/SOURCES/0063-taint-remove-unmerged-bin.patch 
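Review bot: the meson_options.txt hunk adds 'link-executor-shared' as a boolean with no explicit value, so like the neighbouring 'link-udev-shared' it defaults to true and behaviour is unchanged unless the build passes -Dlink-executor-shared=false; the commit message should state that, since the workaround only takes effect with the option set. In the src/core/meson.build hunk the static branch lists libcore_static, libshared_static, libbasic_static, libsystemd_static; libsystemd_static itself uses libbasic_static, so double-check that this order resolves with a single-pass linker or swap the last two. The commit message has "exuctor" for "executor".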
@@ -0,0 +1,86 @@ +From 13a07024f674e770844de29cd3d01cb7117f56d9 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Mon, 8 Jul 2024 14:44:45 +0200 +Subject: [PATCH] taint: remove unmerged-bin + +In rhel10 we will have separate bin and sbin + +RHEL-only: policy + +Resolves: RHEL-46277 +--- + catalog/systemd.catalog.in | 1 - + catalog/systemd.pl.catalog.in | 1 - + man/org.freedesktop.systemd1.xml | 9 --------- + src/core/taint.c | 7 +------ + 4 files changed, 1 insertion(+), 17 deletions(-) + +diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in +index 2831152763..66ffefd1c8 100644 +--- a/catalog/systemd.catalog.in ++++ b/catalog/systemd.catalog.in +@@ -560,7 +560,6 @@ Support: %SUPPORT_URL% + The following "tags" are possible: + - "unmerged-usr" - /bin, /sbin, /lib* are not symlinks to their counterparts + under /usr/ +-- "unmerged-bin" - /usr/sbin is not a symlink to /usr/bin/ + - "var-run-bad" — /var/run is not a symlink to /run/ + - "cgroupsv1" - the system is using the deprecated cgroup v1 hierarchy + - "local-hwclock" - the local hardware clock (RTC) is configured to be in +diff --git a/catalog/systemd.pl.catalog.in b/catalog/systemd.pl.catalog.in +index 75039e9fcd..fcba4b500a 100644 +--- a/catalog/systemd.pl.catalog.in ++++ b/catalog/systemd.pl.catalog.in +@@ -566,7 +566,6 @@ Support: %SUPPORT_URL% + Możliwe są następujące „etykiety”: + • „unmerged-usr” — /bin, /sbin, /lib* nie są dowiązaniami symbolicznymi + do swoich odpowiedników pod /usr/, +-• „unmerged-bin” — /usr/sbin nie jest dowiązaniem symbolicznym do /usr/bin/, + • „var-run-bad” — /var/run nie jest dowiązaniem symbolicznym do /run/, + • „cgroupsv1” — system używa przestarzałej hierarchii cgroup v1, + • „local-hwclock” — lokalny zegar sprzętowy (RTC) jest skonfigurowany +diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml +index b0b45097e3..f2b5ca39e7 100644 +--- a/man/org.freedesktop.systemd1.xml ++++ b/man/org.freedesktop.systemd1.xml +@@ -1666,15 +1666,6 
@@ node /org/freedesktop/systemd1 { + + + +- +- unmerged-bin +- +- /usr/sbin is not a symlink to /usr/bin/. +- +- +- +- +- + + var-run-bad + +diff --git a/src/core/taint.c b/src/core/taint.c +index 969b37f209..4c98312f54 100644 +--- a/src/core/taint.c ++++ b/src/core/taint.c +@@ -32,7 +32,7 @@ static int short_uid_gid_range(UIDRangeUsernsMode mode) { + } + + char* taint_string(void) { +- const char *stage[12] = {}; ++ const char *stage[11] = {}; + size_t n = 0; + + /* Returns a "taint string", e.g. "local-hwclock:var-run-bad". Only things that are detected at +@@ -44,11 +44,6 @@ char* taint_string(void) { + if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin")) + stage[n++] = "unmerged-usr"; + +- /* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks +- * too. */ +- if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin")) +- stage[n++] = "unmerged-bin"; +- + if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run")) + stage[n++] = "var-run-bad"; + diff --git a/SOURCES/0064-presets-remove-resolved.patch b/SOURCES/0064-presets-remove-resolved.patch new file mode 100644 index 0000000..5ed7b6a --- /dev/null +++ b/SOURCES/0064-presets-remove-resolved.patch 
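Review bot: the src/core/taint.c hunk removes the only use of `usr_sbin` shown, so its declaration earlier in the function (outside this hunk) should be removed as well if nothing else references it. The array shrink from stage[12] to stage[11] matches the one removed entry. The man/org.freedesktop.systemd1.xml hunk removes the unmerged-bin entry and both catalog files are updated consistently.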
@@ -0,0 +1,28 @@ +From c2f507732264038dbef44b7652c8f5dee148e1e2 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Mon, 8 Jul 2024 13:13:10 +0200 +Subject: [PATCH] presets: remove resolved + +We noticed that some people are installing systemd* and then +have daemons they don't need running. So let's remove resolved +from presets so its usage is a bit more deliberate + +RHEL-only: policy + +Resolves: RHEL-46576 +--- + presets/90-systemd.preset | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset +index 004ea6fe14..676f14f0d3 100644 +--- a/presets/90-systemd.preset ++++ b/presets/90-systemd.preset +@@ -27,7 +27,6 @@ enable systemd-networkd.service + enable systemd-networkd-wait-online.service + enable systemd-nsresourced.socket + enable systemd-pstore.service +-enable systemd-resolved.service + enable systemd-sysext.service + enable systemd-timesyncd.service + enable systemd-userdbd.socket diff --git a/SOURCES/0065-doc-add-downstream-CONTRIBUTING-document.patch b/SOURCES/0065-doc-add-downstream-CONTRIBUTING-document.patch new file mode 100644 index 0000000..c28d26d --- /dev/null +++ b/SOURCES/0065-doc-add-downstream-CONTRIBUTING-document.patch 
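Review bot: dropping `enable systemd-resolved.service` from 90-systemd.preset only changes what `systemctl preset` does on fresh installs; hosts that already have the enablement symlink keep resolved running after upgrade, so the commit message's goal ("have daemons they don't need running") is only met for new systems. Worth stating that explicitly, and saying what resolves names when systemd-resolved is installed but disabled, so the reader of this preset change knows the intended default stack.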
@@ -0,0 +1,108 @@ +From f7c92899a77656a1bb7586f83c27b00cd5ea0707 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 27 Jun 2024 10:17:06 +0200 +Subject: [PATCH] doc: add downstream CONTRIBUTING document + +rhel-only: doc + +Related: RHEL-40924 +--- + CONTRIBUTING.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ + README.md | 2 +- + 2 files changed, 76 insertions(+), 1 deletion(-) + create mode 100644 CONTRIBUTING.md + +diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md +new file mode 100644 +index 0000000000..28466facac +--- /dev/null ++++ b/CONTRIBUTING.md +@@ -0,0 +1,75 @@ ++# Contributing ++ ++Welcome to systemd source-git for CentOS Stream and RHEL. When contributing, please follow the guide below. ++ ++## Workflow ++ ++```mermaid ++flowchart LR ++ A(Issue) --> B{is fixed\nupstream} ++ B -->|YES| C(backport\nupstream patch) ++ B -->|NO| D(upstream\nsubmit issue or PR) ++ D --> E{accepted\nand fixed} ++ E -->|YES| C ++ E -->|NO| F(rhel-only patch) --> G ++ C --> G(submit PR) ++``` ++ ++## Filing issues ++ ++When you find an issue with systemd used in **CentOS Stream** or **RHEL**, please file an issue in Red Hat [Jira ticket system](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12332745&issuetype=1&components=12380515). ++ ++GitHub Issues are not supported tracking system. If your issue is reproducible using the latest upstream version of systemd, please consider creating [upstream issue](https://github.com/systemd/systemd/issues/new/choose). ++ ++## Posting Pull Requests ++ ++Every Pull Request has to comply with the following rules: ++ ++- Each commit has to reference [upstream](https://github.com/systemd/systemd) commit. ++- Each commit has to reference the approved issue/tracker. 
++- Pull requests have to pass mandatory CI validation and testing ++- Pull requests have to be approved by at least one systemd downstream maintainer ++ ++### Upstream reference ++ ++When doing a back-port of an upstream commit, always use `cherry-pick -x `. Consider proposing a change upstream first when an upstream commit doesn't exist. ++If the change isn't upstream relevant or accepted by upstream, mark the commit with the `rhel-only: ` string, where a `` is: ++ ++- `feature` - for feature-related commits (cross-version) ++- `bugfix` - for bugfix-related commits (cross-version) ++- `doc` - for documentation-related commits (usually version-specific) ++- `workaround` - for workaround-related commits (usually version-specific) ++- `ci` - for CI-related commits (version-specific) ++- `test` - for test-related commits (version-specific) ++- `other` - for commits that do not fit into any of the above categories (version-specific) ++ ++```md ++doc: Fix TYPO ++ ++rhel-only: doc ++ ++Resolves: RHEL-678 ++``` ++ ++### Issue reference ++ ++Each commit has to reference the relevant approved systemd issue (see: [Filling issues section](#filing-issues)). For referencing issues, we use the following keywords: ++ ++- **Resolves** for commits that directly resolve issues described in a referenced tracker ++- **Related** for commits related to the referenced issue, but they don't fix it. Usually, tests and documentation. ++- **Reverts** for commits that reverts previously merged commit ++ ++When referencing issues, use the following structure: `: `. See the example below: ++ ++```md ++doc: Fix TYPO ++ ++(cherry picked from commit c5afbac31bb33e7b1f4d59b253425af991a630a4) ++ ++Resolves: RHEL-678 ++``` ++ ++### Validation and testing ++ ++Each Pull Request has to pass all enabled tests that are automatically run using GitHub Actions, CentOS Stream CI, and others. 
++If CI failure is unrelated to the change introduced in Pull Request, the downstream maintainer will set the `ci-waived` label and explain why CI was waived. +diff --git a/README.md b/README.md +index 12f1381f08..421a2e6572 100644 +--- a/README.md ++++ b/README.md +@@ -30,7 +30,7 @@ Please see the [Code Map](docs/ARCHITECTURE.md) for information about this repos + + Please see the [Hacking guide](docs/HACKING.md) for information on how to hack on systemd and test your modifications. + +-Please see our [Contribution Guidelines](docs/CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests. ++Please see our [Contribution Guidelines](CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests. + + When preparing patches for systemd, please follow our [Coding Style Guidelines](docs/CODING_STYLE.md). + diff --git a/SOURCES/0066-ci-allow-policy-as-rhel-only-keyword.patch b/SOURCES/0066-ci-allow-policy-as-rhel-only-keyword.patch new file mode 100644 index 0000000..76d27f3 --- /dev/null +++ b/SOURCES/0066-ci-allow-policy-as-rhel-only-keyword.patch 
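Review bot: the `rhel-only:` keyword list in the new CONTRIBUTING.md omits `policy`, which commits earlier in this same series already use (`RHEL-only: policy` in "taint: remove unmerged-bin" and "presets: remove resolved"); patch 0066 later adds it to both the linter and this file, and folding that into this commit would keep the document and `.github/advanced-commit-linter.yml` consistent from the start. Minor text fixes in the same file: the link text `[Filling issues section](#filing-issues)` should read "Filing issues" to match the heading, "GitHub Issues are not supported tracking system" needs an article ("are not a supported tracking system"), and "commits that reverts" should be "commits that revert".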
@@ -0,0 +1,40 @@ +From 5d244e25b994f1db5988cf6de14fff9058a75bc2 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Mon, 15 Jul 2024 14:13:14 +0200 +Subject: [PATCH] ci: allow `policy` as rhel-only keyword + +rhel-only: ci + +Related: RHEL-40924 +--- + .github/advanced-commit-linter.yml | 4 ++-- + CONTRIBUTING.md | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml +index 3e3e3fe2bf..4a7e6542b4 100644 +--- a/.github/advanced-commit-linter.yml ++++ b/.github/advanced-commit-linter.yml +@@ -4,8 +4,8 @@ policy: + - github: systemd/systemd + exception: + note: +- - 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)' +- - 'RHEL-only: (feature|bugfix|doc|workaround|ci|test|other)' ++ - 'rhel-only: (feature|bugfix|policy|doc|workaround|ci|test|other)' ++ - 'RHEL-only: (feature|bugfix|policy|doc|workaround|ci|test|other)' + tracker: + - keyword: + - 'Resolves: ' +diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md +index 28466facac..c2e3a2d4d0 100644 +--- a/CONTRIBUTING.md ++++ b/CONTRIBUTING.md +@@ -37,6 +37,7 @@ If the change isn't upstream relevant or accepted by upstream, mark the commit w + + - `feature` - for feature-related commits (cross-version) + - `bugfix` - for bugfix-related commits (cross-version) ++- `policy` - for policy-related commits (cross-version) + - `doc` - for documentation-related commits (usually version-specific) + - `workaround` - for workaround-related commits (usually version-specific) + - `ci` - for CI-related commits (version-specific) diff --git a/SOURCES/0067-ci-run-mkosi-test-only-for-Fedora-and-CentOS-Stream.patch b/SOURCES/0067-ci-run-mkosi-test-only-for-Fedora-and-CentOS-Stream.patch new file mode 100644 index 0000000..d6d81ff --- /dev/null +++ b/SOURCES/0067-ci-run-mkosi-test-only-for-Fedora-and-CentOS-Stream.patch 
@@ -0,0 +1,68 @@ +From 1a643a20c5e772fc15a921ed81c7b010fa6bd4a7 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Jul 2024 10:08:06 +0200 +Subject: [PATCH] ci: run mkosi test only for Fedora and CentOS Stream + +rhel-only: ci + +Related: RHEL-40924 +--- + .github/workflows/mkosi.yml | 24 ++---------------------- + 1 file changed, 2 insertions(+), 22 deletions(-) + +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +index 3a8dabd95c..9add22c2ea 100644 +--- a/.github/workflows/mkosi.yml ++++ b/.github/workflows/mkosi.yml +@@ -8,7 +8,7 @@ on: + push: + branches: + - main +- - v[0-9]+-stable ++ - rhel-10.* + paths: + - '**' + - '!README*' +@@ -26,7 +26,7 @@ on: + pull_request: + branches: + - main +- - v[0-9]+-stable ++ - rhel-10.* + paths: + - '**' + - '!README*' +@@ -54,21 +54,6 @@ jobs: + fail-fast: false + matrix: + include: +- - distro: arch +- release: rolling +- sanitizers: "" +- llvm: 0 +- cflags: "-O2 -D_FORTIFY_SOURCE=3" +- - distro: debian +- release: testing +- sanitizers: "" +- llvm: 0 +- cflags: "-Og" +- - distro: ubuntu +- release: noble +- sanitizers: "" +- llvm: 0 +- cflags: "-Og" + - distro: fedora + release: "40" + sanitizers: "" +@@ -79,11 +64,6 @@ jobs: + sanitizers: address,undefined + llvm: 1 + cflags: "-Og" +- - distro: opensuse +- release: tumbleweed +- sanitizers: "" +- llvm: 0 +- cflags: "-Og" + - distro: centos + release: "9" + sanitizers: "" diff --git a/SOURCES/0068-taint-remove-unused-variable-usr_sbin.patch b/SOURCES/0068-taint-remove-unused-variable-usr_sbin.patch new file mode 100644 index 0000000..5f0af4a --- /dev/null +++ b/SOURCES/0068-taint-remove-unused-variable-usr_sbin.patch 
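Review bot: after the matrix hunks the only CentOS entry left is `release: "9"`, while the push/pull_request filters now target `rhel-10.*`; if a CentOS Stream 10 mkosi target exists it would be the matching one to keep here, otherwise the commit message should say why Stream 9 is used as the stand-in. Also check whether `main` still needs to remain in the branch filters for this downstream repository, since the stable-branch pattern was replaced rather than extended.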
@@ -0,0 +1,27 @@ +From 423af3467e66fd07a3a739b40af97b265bd4e45e Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Jul 2024 10:09:23 +0200 +Subject: [PATCH] taint: remove unused variable `usr_sbin` + +follow-up to https://github.com/redhat-plumbers/systemd-rhel10/commit/13a07024f674e770844de29cd3d01cb7117f56d9 + +rhel-only: policy + +Related: RHEL-40924 +--- + src/core/taint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/taint.c b/src/core/taint.c +index 4c98312f54..370f0297e3 100644 +--- a/src/core/taint.c ++++ b/src/core/taint.c +@@ -39,7 +39,7 @@ char* taint_string(void) { + * runtime should be tagged here. For stuff that is known during compilation, emit a warning in the + * configuration phase. */ + +- _cleanup_free_ char *bin = NULL, *usr_sbin = NULL, *var_run = NULL; ++ _cleanup_free_ char *bin = NULL, *var_run = NULL; + + if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin")) + stage[n++] = "unmerged-usr"; diff --git a/SOURCES/0069-packit-drop-the-libarchive-workaround.patch b/SOURCES/0069-packit-drop-the-libarchive-workaround.patch new file mode 100644 index 0000000..c32dd65 --- /dev/null +++ b/SOURCES/0069-packit-drop-the-libarchive-workaround.patch 
@@ -0,0 +1,28 @@ +From fb422df08369fd10a4d3543697f09a7bd2f4c288 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 17 Jul 2024 12:19:03 +0200 +Subject: [PATCH] packit: drop the libarchive workaround + +As it's not needed anymore. + +rhel-only: ci + +Related: RHEL-40924 +--- + .packit.yml | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index 340c6992ec..03b3aae7d5 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -39,9 +39,6 @@ actions: + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' + # Ignore unpackaged standalone binaries + - "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py" +- # Temporarily add libarchive-devel build dep and libarchive runtime dep +- # until the change propagates to Rawhide's specfile +- - "sed -ri '0,/^BuildRequires: .+$/s//&\\nBuildRequires: libarchive-devel\\nRequires: libarchive/' .packit_rpm/systemd.spec" + + # Available targets can be listed via `copr-cli list-chroots` + jobs: diff --git a/SOURCES/0070-packit-drop-the-dependency-on-python3-zstd.patch b/SOURCES/0070-packit-drop-the-dependency-on-python3-zstd.patch new file mode 100644 index 0000000..8b52cc0 --- /dev/null +++ b/SOURCES/0070-packit-drop-the-dependency-on-python3-zstd.patch 
@@ -0,0 +1,28 @@ +From 43bf3e1a42e2c1a6ecd0ca6fd72c9bc6fe904703 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 17 Jul 2024 12:22:55 +0200 +Subject: [PATCH] packit: drop the dependency on python3-zstd + +Since it's only in the RHEL buildroot repo. + +rhel-only: ci + +Related: RHEL-40924 +--- + .packit.yml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/.packit.yml b/.packit.yml +index 03b3aae7d5..48ba210947 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -39,6 +39,9 @@ actions: + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' + # Ignore unpackaged standalone binaries + - "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py" ++ # Drop the python3dist(zstd) dependency, as it's only in the RHEL buildroot ++ # repo ++ - "sed -i '/python3dist(zstd)/d' .packit_rpm/systemd.spec" + + # Available targets can be listed via `copr-cli list-chroots` + jobs: diff --git a/SOURCES/0071-coredump-by-default-process-and-store-core-files-up-.patch b/SOURCES/0071-coredump-by-default-process-and-store-core-files-up-.patch new file mode 100644 index 0000000..0d1e230 --- /dev/null +++ b/SOURCES/0071-coredump-by-default-process-and-store-core-files-up-.patch 
@@ -0,0 +1,30 @@ +From 612afd332a5e647faed3c3acba03ca653bace41b Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 5 Apr 2024 15:56:58 +0200 +Subject: [PATCH] coredump: by default process and store core files up to 1GiB + +This brings policy inline with RHEL-9. + +rhel-only: policy + +Related: RHEL-46778 +--- + src/coredump/coredump.conf | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/coredump/coredump.conf b/src/coredump/coredump.conf +index ae341e40d7..3603edb782 100644 +--- a/src/coredump/coredump.conf ++++ b/src/coredump/coredump.conf +@@ -19,9 +19,8 @@ + [Coredump] + #Storage=external + #Compress=yes +-# On 32-bit, the default is 1G instead of 32G. +-#ProcessSizeMax=32G +-#ExternalSizeMax=32G ++ProcessSizeMax=1G ++ExternalSizeMax=1G + #JournalSizeMax=767M + #MaxUse= + #KeepFree= diff --git a/SOURCES/0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch b/SOURCES/0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch new file mode 100644 index 0000000..d4434cd --- /dev/null +++ b/SOURCES/0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch @@ -0,0 +1,23 @@ +From 352f8ad0bfdd8a41f6aa34e3e43038ae75eedf73 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 15 May 2018 09:24:20 +0200 +Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will + +rhel-only: policy + +Related: RHEL-40924 +--- + units/basic.target | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/units/basic.target b/units/basic.target +index d8cdd5ac14..9eae0782a2 100644 +--- a/units/basic.target ++++ b/units/basic.target +@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount + # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as + # we support that unit being masked, and this should not be considered an error. + RequiresMountsFor=/var /var/tmp +-Wants=tmp.mount ++# RHEL-only: Disable /tmp on tmpfs. ++#Wants=tmp.mount 
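Review bot: turning the commented defaults `#ProcessSizeMax=32G`/`#ExternalSizeMax=32G` into live `ProcessSizeMax=1G`/`ExternalSizeMax=1G` makes the stock coredump.conf an active override rather than documentation, so any local edit to that file will conflict with it on package upgrade; shipping the policy as a drop-in under a coredump.conf.d/ directory (file name to be chosen) keeps the stock file commented-out and lets `systemd-analyze cat-config systemd/coredump.conf` show the downstream override separately. The commit message should also spell out the user-visible effect: cores larger than 1G are no longer kept in full, which is a sensible disk-exhaustion bound but can surprise people debugging large processes.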
diff --git a/SOURCES/0073-unit-don-t-add-Requires-for-tmp.mount.patch b/SOURCES/0073-unit-don-t-add-Requires-for-tmp.mount.patch new file mode 100644 index 0000000..c4e7c5a --- /dev/null +++ b/SOURCES/0073-unit-don-t-add-Requires-for-tmp.mount.patch @@ -0,0 +1,39 @@ +From e794e570a50392b503549befb65bc8cac0a29869 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Mon, 5 Sep 2016 12:47:09 +0200 +Subject: [PATCH] unit: don't add Requires for tmp.mount + +rhel-only: policy + +Related: RHEL-40924 +--- + src/core/mount.c | 2 +- + src/core/unit.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index ebafcafa92..9edb2d47eb 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -313,7 +313,7 @@ static int mount_add_mount_dependencies(Mount *m) { + if (r < 0) + return r; + +- if (UNIT(m)->fragment_path) { ++ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) { + /* If we have fragment configuration, then make this dependency required/wanted */ + r = unit_add_dependency( + other, +diff --git a/src/core/unit.c b/src/core/unit.c +index 0ec5dcaf75..a5556ba462 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1544,7 +1544,7 @@ static int unit_add_mount_dependencies(Unit *u) { + return r; + changed = changed || r > 0; + +- if (m->fragment_path) { ++ if (m->fragment_path && !streq(m->id, "tmp.mount")) { + r = unit_add_dependency( + u, + unit_mount_dependency_type_to_dependency_type(t), diff --git a/SOURCES/0074-units-add-Install-section-to-tmp.mount.patch b/SOURCES/0074-units-add-Install-section-to-tmp.mount.patch new file mode 100644 index 0000000..9095578 --- /dev/null +++ b/SOURCES/0074-units-add-Install-section-to-tmp.mount.patch 
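Review bot: both hunks hard-code the literal unit name in generic dependency code (`!streq(UNIT(m)->id, "tmp.mount")` in mount.c and `!streq(m->id, "tmp.mount")` in unit.c) with no comment saying why; add a comment at each site, or one shared definition, that ties this to the RHEL `#Wants=tmp.mount` policy from the basic.target change, otherwise the next upstream rebase of mount.c or unit.c will silently drop or mis-merge the exception. Note also that `id` is the unit's primary name, so the special case does not apply to an alias of tmp.mount, which is presumably acceptable but should be stated.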
@@ -0,0 +1,24 @@ +From de0e2fde86a7eebbc5c11bb5e4d40d9ab6621ed1 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 22 Jan 2019 10:28:42 +0100 +Subject: [PATCH] units: add [Install] section to tmp.mount + +rhel-only: policy + +Related: RHEL-40924 +--- + units/tmp.mount | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/units/tmp.mount b/units/tmp.mount +index 896040524a..d7beaa8d14 100644 +--- a/units/tmp.mount ++++ b/units/tmp.mount +@@ -23,3 +23,7 @@ What=tmpfs + Where=/tmp + Type=tmpfs + Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m ++ ++# Make 'systemctl enable tmp.mount' work: ++[Install] ++WantedBy=local-fs.target diff --git a/SOURCES/0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch b/SOURCES/0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch new file mode 100644 index 0000000..b355b18 --- /dev/null +++ b/SOURCES/0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch @@ -0,0 +1,28 @@ +From 571c902adb894bfff481de4591a56a16add2670b Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 22 Sep 2021 14:38:00 +0200 +Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target + +rhel-only: policy + +Related: RHEL-40924 +--- + units/meson.build | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index b231341a1f..39fa6f42c0 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -761,10 +761,7 @@ units = [ + { 'file' : 'time-set.target' }, + { 'file' : 'time-sync.target' }, + { 'file' : 'timers.target' }, +- { +- 'file' : 'tmp.mount', +- 'symlinks' : ['local-fs.target.wants/'], +- }, ++ { 'file' : 'tmp.mount' }, + { 'file' : 'tpm2.target' }, + { 'file' : 'umount.target' }, + { 'file' : 'usb-gadget.target' }, diff --git a/SOURCES/0076-netif-naming-scheme-add-rhel-9.5-scheme.patch b/SOURCES/0076-netif-naming-scheme-add-rhel-9.5-scheme.patch new file mode 100644 index 0000000..69e96ab --- /dev/null 
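Review bot: with the `local-fs.target.wants/` symlink removed from units/meson.build, tmp.mount is active only when someone runs `systemctl enable tmp.mount` (via the `[Install]` section added in the previous patch) or when a preset enables it; the commit message should say so, and say whether the downstream preset file is expected to leave it disabled, so the resulting default (/tmp on the root filesystem) is documented in one place rather than spread across four patches.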
+++ b/SOURCES/0076-netif-naming-scheme-add-rhel-9.5-scheme.patch 
@@ -0,0 +1,64 @@ +From fefc4bc15fe28d8f7def8bd75ada13ede21663cb Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 8 Aug 2024 13:12:58 +0200 +Subject: [PATCH] netif-naming-scheme: add rhel-9.5 scheme + +rhel-only: policy + +Resolves: RHEL-44416 +--- + man/systemd.net-naming-scheme.xml | 15 +++++++++++++++ + src/shared/netif-naming-scheme.c | 1 + + src/shared/netif-naming-scheme.h | 1 + + 3 files changed, 17 insertions(+) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 690e3d2c27..b2d78c95ab 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -592,6 +592,21 @@ + + + ++ ++ ++ rhel-9.5 ++ ++ Never generate a slot name when a PCI bridge is detected. ++ ++ Since version "rhel-9.0", we have generated slot-based names ++ for PCI multifunction devices, because we assumed that it is enough to use function numbers ++ to distinguish between devices. However, name conflict can occur if these devices are not ++ children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot. 
++ ++ ++ ++ ++ + + + +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index e4d4c0ba88..149794e926 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -40,6 +40,7 @@ static const NamingScheme naming_schemes[] = { + { "rhel-9.2", NAMING_RHEL_9_2 }, + { "rhel-9.3", NAMING_RHEL_9_3 }, + { "rhel-9.4", NAMING_RHEL_9_4 }, ++ { "rhel-9.5", NAMING_RHEL_9_5 }, + { "rhel-10.0", NAMING_RHEL_10_0 }, + /* … add more schemes here, as the logic to name devices is updated … */ + +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index b0697c141e..a55bb0b1cb 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -80,6 +80,7 @@ typedef enum NamingSchemeFlags { + NAMING_RHEL_9_2 = NAMING_RHEL_9_0, + NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R, + NAMING_RHEL_9_4 = NAMING_RHEL_9_3, ++ NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT, + + NAMING_RHEL_10_0 = NAMING_V255, + diff --git a/SOURCES/0077-udev-builtin-net_id-use-firmware_node-sun-for-ID_NET.patch b/SOURCES/0077-udev-builtin-net_id-use-firmware_node-sun-for-ID_NET.patch new file mode 100644 index 0000000..ff6c617 --- /dev/null +++ b/SOURCES/0077-udev-builtin-net_id-use-firmware_node-sun-for-ID_NET.patch 
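Review bot: the man page summary for `rhel-9.5`, "Never generate a slot name when a PCI bridge is detected", reads broader than what the header change does: `NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT` only clears the flag that, per its name and the following paragraph, governs slot-based names for multifunction devices behind a bridge. Tighten the sentence to that scope, and fix "name conflict can occur" to "name conflicts can occur".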
@@ -0,0 +1,197 @@ +From 45fe2e91e4f73c998ff4d29c316cc4fca9d25942 Mon Sep 17 00:00:00 2001 +From: Etienne Champetier +Date: Tue, 9 Jul 2024 11:53:50 -0400 +Subject: [PATCH] udev-builtin-net_id: use firmware_node/sun for + ID_NET_NAME_SLOT + +pci_get_hotplug_slot() has the following limitations: +- if slots are not hotpluggable, they are not in /sys/bus/pci/slots. +- the address at /sys/bus/pci/slots/X/addr doesn't contains the function part, + so on some system, 2 different slots with different _SUN end up with the same + hotplug_slot, leading to naming conflicts. +- it tries all parent devices until it finds a slot number, which is incorrect, + and what led to NAMING_BRIDGE_MULTIFUNCTION_SLOT being disabled. + +The use of PCI hotplug to find the slot (ACPI _SUN) was introduced in +https://github.com/systemd/systemd/commit/0035597a30d120f70df2dd7da3d6128fb8ba6051 +"udev: net_id - export PCI hotplug slot names" on 2012/11/26. +At the same time on the kernel side we got +https://github.com/torvalds/linux/commit/bb74ac23b10820d8722c3e1f4add9ef59e703f63 +"ACPI: create _SUN sysfs file" on 2012/11/16. + +Using PCI hotplug was the only way at the time, but now 12 years later we can use +firmware_node/sun sysfs file. +Looking at a small selection of server HW, for HPE (Gen10 DL325), the _SUN is attached +to the NIC device, whereas for Dell (R640/R6515/R6615) and Cisco (UCSC-C220-M5SX), +the _SUN is on the first parent pcieport. + +We still fallback to pci_get_hotplug_slot() to handle the s390 case and +maybe some other coner cases (_SUN on grand parent device that is not a +bridge ?). 
+ +(cherry picked from commit 0a4ecc54cb9f2d3418b970c51bfadb69c34ae9eb) + +Related: RHEL-44416 +--- + man/systemd.net-naming-scheme.xml | 6 ++- + src/shared/netif-naming-scheme.h | 5 ++- + src/udev/udev-builtin-net_id.c | 72 ++++++++++++++++++++++++++----- + 3 files changed, 69 insertions(+), 14 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index b2d78c95ab..ea9a9c8d3c 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -528,7 +528,7 @@ + + rhel-10.0 + +- Same as naming scheme v255. ++ PCI slot number is now read from firmware_node/sun sysfs file + + + +@@ -604,6 +604,8 @@ + children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot. + + ++ PCI slot number is now read from firmware_node/sun sysfs file ++ + + + +@@ -798,7 +800,7 @@ ID_NET_NAME_ONBOARD_LABEL=Ethernet Port 1 + + + +- PCI Ethernet card in hotplug slot with firmware index number ++ PCI Ethernet card in slot with firmware index number + + # /sys/devices/pci0000:00/0000:00:1c.3/0000:05:00.0/net/ens1 + ID_NET_NAME_MAC=enx000000000466 +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index a55bb0b1cb..229232d452 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -43,6 +43,7 @@ typedef enum NamingSchemeFlags { + NAMING_DEVICETREE_ALIASES = 1 << 15, /* Generate names from devicetree aliases */ + NAMING_USB_HOST = 1 << 16, /* Generate names for usb host */ + NAMING_SR_IOV_R = 1 << 17, /* Use "r" suffix for SR-IOV VF representors */ ++ NAMING_FIRMWARE_NODE_SUN = 1 << 18, /* Use firmware_node/sun to get PCI slot number */ + + /* And now the masks that combine the features above */ + NAMING_V238 = 0, +@@ -80,9 +81,9 @@ typedef enum NamingSchemeFlags { + NAMING_RHEL_9_2 = NAMING_RHEL_9_0, + NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R, + NAMING_RHEL_9_4 = NAMING_RHEL_9_3, +- NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & 
~NAMING_BRIDGE_MULTIFUNCTION_SLOT, ++ NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN, + +- NAMING_RHEL_10_0 = NAMING_V255, ++ NAMING_RHEL_10_0 = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN, + + EXTRA_NET_NAMING_SCHEMES + +diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c +index 384a1f31cb..d34357fdb2 100644 +--- a/src/udev/udev-builtin-net_id.c ++++ b/src/udev/udev-builtin-net_id.c +@@ -566,6 +566,51 @@ static int pci_get_hotplug_slot(sd_device *dev, uint32_t *ret) { + return -ENOENT; + } + ++static int get_device_firmware_node_sun(sd_device *dev, uint32_t *ret) { ++ const char *attr; ++ int r; ++ ++ assert(dev); ++ assert(ret); ++ ++ r = device_get_sysattr_value_filtered(dev, "firmware_node/sun", &attr); ++ if (r < 0) ++ return log_device_debug_errno(dev, r, "Failed to read firmware_node/sun, ignoring: %m"); ++ ++ r = safe_atou32(attr, ret); ++ if (r < 0) ++ return log_device_warning_errno(dev, r, "Failed to parse firmware_node/sun '%s', ignoring: %m", attr); ++ ++ return 0; ++} ++ ++static int pci_get_slot_from_firmware_node_sun(sd_device *dev, uint32_t *ret) { ++ int r; ++ sd_device *slot_dev; ++ ++ assert(dev); ++ assert(ret); ++ ++ /* Try getting the ACPI _SUN for the device */ ++ if (get_device_firmware_node_sun(dev, ret) >= 0) ++ return 0; ++ ++ r = sd_device_get_parent_with_subsystem_devtype(dev, "pci", NULL, &slot_dev); ++ if (r < 0) ++ return log_device_debug_errno(dev, r, "Failed to find pci parent, ignoring: %m"); ++ ++ if (is_pci_bridge(slot_dev) && is_pci_multifunction(dev) <= 0) ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ESTALE), ++ "Not using slot information because the parent pcieport " ++ "is a bridge and the PCI device is not multifunction."); ++ ++ /* Try getting the ACPI _SUN from the parent pcieport */ ++ if (get_device_firmware_node_sun(slot_dev, ret) >= 0) ++ return 0; ++ ++ return -ENOENT; ++} ++ + static int get_pci_slot_specifiers( + sd_device *dev, + 
char **ret_domain, +@@ -616,7 +661,7 @@ static int get_pci_slot_specifiers( + + static int names_pci_slot(sd_device *dev, sd_device *pci_dev, const char *prefix, const char *suffix, EventMode mode) { + _cleanup_free_ char *domain = NULL, *bus_and_slot = NULL, *func = NULL, *port = NULL; +- uint32_t hotplug_slot = 0; /* avoid false maybe-uninitialized warning */ ++ uint32_t slot = 0; /* avoid false maybe-uninitialized warning */ + char str[ALTIFNAMSIZ]; + int r; + +@@ -641,20 +686,27 @@ static int names_pci_slot(sd_device *dev, sd_device *pci_dev, const char *prefix + strna(domain), bus_and_slot, strna(func), strna(port), + special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(str)); + +- r = pci_get_hotplug_slot(pci_dev, &hotplug_slot); +- if (r < 0) +- return r; +- if (r > 0) +- /* If the hotplug slot is found through the function ID, then drop the domain from the name. +- * See comments in parse_hotplug_slot_from_function_id(). */ +- domain = mfree(domain); ++ if (naming_scheme_has(NAMING_FIRMWARE_NODE_SUN)) ++ r = pci_get_slot_from_firmware_node_sun(pci_dev, &slot); ++ else ++ r = -1; ++ /* If we don't find a slot using firmware_node/sun, fallback to hotplug_slot */ ++ if (r < 0) { ++ r = pci_get_hotplug_slot(pci_dev, &slot); ++ if (r < 0) ++ return r; ++ if (r > 0) ++ /* If the hotplug slot is found through the function ID, then drop the domain from the name. ++ * See comments in parse_hotplug_slot_from_function_id(). 
*/ ++ domain = mfree(domain); ++ } + + if (snprintf_ok(str, sizeof str, "%s%ss%"PRIu32"%s%s%s", +- prefix, strempty(domain), hotplug_slot, strempty(func), strempty(port), strempty(suffix))) ++ prefix, strempty(domain), slot, strempty(func), strempty(port), strempty(suffix))) + udev_builtin_add_property(dev, mode, "ID_NET_NAME_SLOT", str); + + log_device_debug(dev, "Slot identifier: domain=%s slot=%"PRIu32" func=%s port=%s %s %s", +- strna(domain), hotplug_slot, strna(func), strna(port), ++ strna(domain), slot, strna(func), strna(port), + special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(str)); + + return 0; diff --git a/SOURCES/0078-man-net-naming-scheme-add-missing-period.patch b/SOURCES/0078-man-net-naming-scheme-add-missing-period.patch new file mode 100644 index 0000000..5a04788 --- /dev/null +++ b/SOURCES/0078-man-net-naming-scheme-add-missing-period.patch @@ -0,0 +1,36 @@ +From f5470e9076138ccf69fb6576e950a75da4b89717 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 2 Aug 2024 16:51:15 +0900 +Subject: [PATCH] man/net-naming-scheme: add missing period + +Follow-up for 0a4ecc54cb9f2d3418b970c51bfadb69c34ae9eb. + +(cherry picked from commit 2bb72aadb8169c9310c8ca0d586d277a4a71e2f8) + +Related: RHEL-44416 +--- + man/systemd.net-naming-scheme.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index ea9a9c8d3c..e458b5dd6b 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -528,7 +528,7 @@ + + rhel-10.0 + +- PCI slot number is now read from firmware_node/sun sysfs file ++ PCI slot number is now read from firmware_node/sun sysfs file. + + + +@@ -604,7 +604,7 @@ + children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot. + + +- PCI slot number is now read from firmware_node/sun sysfs file ++ PCI slot number is now read from firmware_node/sun sysfs file. + + + 
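Review bot: in the new `pci_get_slot_from_firmware_node_sun()` hunk the `SYNTHETIC_ERRNO(ESTALE)` early return ("parent pcieport is a bridge and the PCI device is not multifunction") is treated by the caller exactly like `-ENOENT`, so the device still falls through to `pci_get_hotplug_slot()` and may get a slot name from that path anyway; if the intent is to suppress slot naming in that case, the caller needs to distinguish ESTALE from "no _SUN found", and if the fallback is intended, the log message should not say "Not using slot information". Also `get_device_firmware_node_sun()` logs a missing attribute at debug but an unparsable one at warning; since the value comes from firmware, consider whether a per-boot warning per device is the level you want.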
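Review bot: in the `names_pci_slot()` hunk, `else r = -1;` uses a bare -1 where the rest of this file (and the `if (r < 0)` that follows) expects a negative errno; use `-EOPNOTSUPP` or `-ENOENT` so the fallback reads as intentional and a future `log_*_errno(r, ...)` on that path prints something meaningful. The accompanying man page hunk replaces "Same as naming scheme v255." for rhel-10.0 with only the firmware_node/sun sentence, which drops the information that the scheme is otherwise v255; keep both.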
diff --git a/SOURCES/0079-Revert-packit-drop-the-dependency-on-python3-zstd.patch b/SOURCES/0079-Revert-packit-drop-the-dependency-on-python3-zstd.patch new file mode 100644 index 0000000..c3f26af --- /dev/null +++ b/SOURCES/0079-Revert-packit-drop-the-dependency-on-python3-zstd.patch @@ -0,0 +1,28 @@ +From 6bec94d825960a39bed6429531e722fd1571664b Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 14 Aug 2024 12:21:59 +0200 +Subject: [PATCH] Revert "packit: drop the dependency on python3-zstd" + +This reverts commit 43bf3e1a42e2c1a6ecd0ca6fd72c9bc6fe904703. + +rhel-only: ci + +Related: RHEL-36636 +--- + .packit.yml | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index 48ba210947..03b3aae7d5 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -39,9 +39,6 @@ actions: + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' + # Ignore unpackaged standalone binaries + - "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py" +- # Drop the python3dist(zstd) dependency, as it's only in the RHEL buildroot +- # repo +- - "sed -i '/python3dist(zstd)/d' .packit_rpm/systemd.spec" + + # Available targets can be listed via `copr-cli list-chroots` + jobs: diff --git a/SOURCES/0080-systemctl-do-not-try-to-acquire-triggering-units-for.patch b/SOURCES/0080-systemctl-do-not-try-to-acquire-triggering-units-for.patch new file mode 100644 index 0000000..8ab3b20 --- /dev/null +++ b/SOURCES/0080-systemctl-do-not-try-to-acquire-triggering-units-for.patch 
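Review bot: the revert restores the `sed -i '/python3dist(zstd)/d'` workaround without saying why the reason given in the reverted commit ("only in the RHEL buildroot repo") no longer holds, and it is filed under a different tracker (RHEL-36636) than the original (RHEL-40924); one sentence on what changed in the Copr/buildroot setup would keep the next person from re-dropping it.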
@@ -0,0 +1,48 @@ +From a81dc0cad9c24df7c005378fe2c438a98054a7d3 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sun, 30 Jun 2024 13:12:45 +0200 +Subject: [PATCH] systemctl: do not try to acquire triggering units for + template units + +(cherry picked from commit 09d6038d833468ba7c24c658597387ef699ca4fd) + +Resolves: RHEL-55132 +--- + src/systemctl/systemctl-util.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/systemctl/systemctl-util.c b/src/systemctl/systemctl-util.c +index 2482b7ccb2..08a3ebe128 100644 +--- a/src/systemctl/systemctl-util.c ++++ b/src/systemctl/systemctl-util.c +@@ -327,14 +327,15 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske + if (r < 0) + return r; + ++ if (unit_name_is_valid(name, UNIT_NAME_TEMPLATE)) ++ goto skip; ++ + if (ignore_masked) { + r = unit_is_masked(bus, name); + if (r < 0) + return r; +- if (r > 0) { +- *ret = NULL; +- return 0; +- } ++ if (r > 0) ++ goto skip; + } + + dbus_path = unit_dbus_path_from_name(name); +@@ -370,6 +371,10 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske + + *ret = TAKE_PTR(active); + return 0; ++ ++skip: ++ *ret = NULL; ++ return 0; + } + + void warn_triggering_units(sd_bus *bus, const char *unit, const char *operation, bool ignore_masked) { diff --git a/SOURCES/0081-core-unit-add-one-assertion-for-u-manager.patch b/SOURCES/0081-core-unit-add-one-assertion-for-u-manager.patch new file mode 100644 index 0000000..9986235 --- /dev/null +++ b/SOURCES/0081-core-unit-add-one-assertion-for-u-manager.patch 
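Review bot: the new `unit_name_is_valid(name, UNIT_NAME_TEMPLATE)` check and the `goto skip` epilogue are fine, but the commit message does not say what failed before for template names (for example which systemctl operation on `foo@.service` produced an error or a spurious warning) or why a template can have no active triggering units (there is no instance to trigger); record that so the skip is not mistaken for an unrelated refactor of the masked-unit branch.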
@@ -0,0 +1,24 @@ +From dee8164e2d136efb7bac04775c8bef255f659766 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 22 Jun 2024 12:08:39 +0200 +Subject: [PATCH] core/unit: add one assertion for u->manager + +(cherry picked from commit 8b17371b6185c9829bb21a813aadb2225ccfc4de) + +Resolves: RHEL-55734 +--- + src/core/unit.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/core/unit.c b/src/core/unit.c +index a5556ba462..c668c45ee9 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -6103,6 +6103,7 @@ int unit_test_trigger_loaded(Unit *u) { + + void unit_destroy_runtime_data(Unit *u, const ExecContext *context) { + assert(u); ++ assert(u->manager); + assert(context); + + /* EXEC_PRESERVE_RESTART is handled via unit_release_resources()! */ diff --git a/SOURCES/0082-core-service-destroy-runtime-data-when-Type-oneshot-.patch b/SOURCES/0082-core-service-destroy-runtime-data-when-Type-oneshot-.patch new file mode 100644 index 0000000..1529c48 --- /dev/null +++ b/SOURCES/0082-core-service-destroy-runtime-data-when-Type-oneshot-.patch 
@@ -0,0 +1,88 @@ +From 45d326633b32f4dee739ca38a67347c828c1c136 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 22 Jun 2024 12:03:50 +0200 +Subject: [PATCH] core/service: destroy runtime data when Type=oneshot services + exit + +Currently, we have a bunch of Type=oneshot + RemainAfterExit=yes +services that make use of credentials. When those exits, the cred mounts +remain established, which is pointless and quite annoying. Let's +instead destroy the runtime data on SERVICE_EXITED, if no process +will be spawned for the unit again. + +(cherry picked from commit c26948c6dae1d2ca13499b36f193b13a0760834c) + +Resolves: RHEL-55734 +--- + src/core/service.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index 6e81460ad0..60cc902745 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -1206,13 +1206,12 @@ static void service_search_main_pid(Service *s) { + } + + static void service_set_state(Service *s, ServiceState state) { ++ Unit *u = UNIT(ASSERT_PTR(s)); + ServiceState old_state; + const UnitActiveState *table; + +- assert(s); +- + if (s->state != state) +- bus_unit_send_pending_change_signal(UNIT(s), false); ++ bus_unit_send_pending_change_signal(u, false); + + table = s->type == SERVICE_IDLE ? 
state_translation_table_idle : state_translation_table; + +@@ -1246,8 +1245,8 @@ static void service_set_state(Service *s, ServiceState state) { + SERVICE_DEAD, SERVICE_FAILED, + SERVICE_DEAD_BEFORE_AUTO_RESTART, SERVICE_FAILED_BEFORE_AUTO_RESTART, SERVICE_AUTO_RESTART, SERVICE_AUTO_RESTART_QUEUED, + SERVICE_DEAD_RESOURCES_PINNED)) { +- unit_unwatch_all_pids(UNIT(s)); +- unit_dequeue_rewatch_pids(UNIT(s)); ++ unit_unwatch_all_pids(u); ++ unit_dequeue_rewatch_pids(u); + } + + if (state != SERVICE_START) +@@ -1256,15 +1255,31 @@ static void service_set_state(Service *s, ServiceState state) { + if (!IN_SET(state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY)) + service_stop_watchdog(s); + +- /* For the inactive states unit_notify() will trim the cgroup, +- * but for exit we have to do that ourselves... */ +- if (state == SERVICE_EXITED && !MANAGER_IS_RELOADING(UNIT(s)->manager)) +- unit_prune_cgroup(UNIT(s)); ++ if (state == SERVICE_EXITED && !MANAGER_IS_RELOADING(u->manager)) { ++ /* For the inactive states unit_notify() will trim the cgroup. But for exit we have to ++ * do that ourselves... */ ++ unit_prune_cgroup(u); ++ ++ /* If none of ExecReload= and ExecStop*= is used, we can safely destroy runtime data ++ * as soon as the service enters SERVICE_EXITED. This saves us from keeping the credential mount ++ * for the whole duration of the oneshot service while no processes are actually running, ++ * among other things. 
*/ ++ ++ bool start_only = true; ++ for (ServiceExecCommand c = SERVICE_EXEC_RELOAD; c < _SERVICE_EXEC_COMMAND_MAX; c++) ++ if (s->exec_command[c]) { ++ start_only = false; ++ break; ++ } ++ ++ if (start_only) ++ unit_destroy_runtime_data(u, &s->exec_context); ++ } + + if (old_state != state) +- log_unit_debug(UNIT(s), "Changed %s -> %s", service_state_to_string(old_state), service_state_to_string(state)); ++ log_unit_debug(u, "Changed %s -> %s", service_state_to_string(old_state), service_state_to_string(state)); + +- unit_notify(UNIT(s), table[old_state], table[state], s->reload_result == SERVICE_SUCCESS); ++ unit_notify(u, table[old_state], table[state], s->reload_result == SERVICE_SUCCESS); + } + + static usec_t service_coldplug_timeout(Service *s) { diff --git a/SOURCES/0083-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch b/SOURCES/0083-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch new file mode 100644 index 0000000..a0ad409 --- /dev/null +++ b/SOURCES/0083-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch 
@@ -0,0 +1,34 @@ +From 05c29b1e58784c87ecb4ae7b56425af786e1cd05 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 30 Jul 2024 11:53:32 +0200 +Subject: [PATCH] cgroup-util: Ignore kernel threads in cg_kill_items() + +Similar to the implementation of cgroup.kill in the kernel, let's +skip kernel threads in cg_kill_items() as trying to kill kernel +threads as an unprivileged process will fail with EPERM and doesn't +do anything when running privileged. + +(cherry picked from commit 0fbb569de1dcc06118dba006cf7a40caf6cd94d0) + +Resolves: RHEL-55746 +--- + src/basic/cgroup-util.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index 553ee6075a..1fc83a656a 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -369,6 +369,12 @@ static int cg_kill_items( + if (set_get(s, PID_TO_PTR(pidref.pid)) == PID_TO_PTR(pidref.pid)) + continue; + ++ /* Ignore kernel threads to mimick the behavior of cgroup.kill. */ ++ if (pidref_is_kernel_thread(&pidref) > 0) { ++ log_debug("Ignoring kernel thread with pid " PID_FMT " in cgroup '%s'", pidref.pid, path); ++ continue; ++ } ++ + if (log_kill) + ret_log_kill = log_kill(&pidref, sig, userdata); + diff --git a/SOURCES/0084-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch b/SOURCES/0084-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch new file mode 100644 index 0000000..f89482c --- /dev/null +++ b/SOURCES/0084-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch 
@@ -0,0 +1,30 @@ +From 418d2192e0e2bcdc7fe10f4f331231a2ad5a5c00 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 31 Jul 2024 13:38:50 +0200 +Subject: [PATCH] cgroup-util: Don't try to open pidfd for kernel threads + +The kernel might start returning -EINVAL when trying to open pidfd's +for kernel threads so let's not try to open pidfd's for kernel threads. + +(cherry picked from commit ead48ec35c863650944352a3455f26ce3b393058) + +Resolves: RHEL-55746 +--- + src/basic/cgroup-util.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index 1fc83a656a..b0fe0ecbe8 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -149,7 +149,9 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) { + if (pid == 0) + return -EREMOTE; + +- if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) { ++ /* We might read kernel thread pids from cgroup.procs for which we cannot create a pidfd so ++ * catch those and don't try to create a pidfd for them. */ ++ if (FLAGS_SET(flags, CGROUP_NO_PIDFD) || pid_is_kernel_thread(pid) > 0) { + *ret = PIDREF_MAKE_FROM_PID(pid); + return 1; + } diff --git a/SOURCES/0085-cgroup-util-fix-typo.patch b/SOURCES/0085-cgroup-util-fix-typo.patch new file mode 100644 index 0000000..e98aa10 --- /dev/null +++ b/SOURCES/0085-cgroup-util-fix-typo.patch 
@@ -0,0 +1,27 @@ +From d41b2bdf876e0d46486c1800d5ee12a6f641a9d4 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 3 Aug 2024 05:48:51 +0900 +Subject: [PATCH] cgroup-util: fix typo + +Follow-up for 0fbb569de1dcc06118dba006cf7a40caf6cd94d0. + +(cherry picked from commit ec4964692ae0e080c596610adee2ddb83008c839) + +Resolves: RHEL-55746 +--- + src/basic/cgroup-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index b0fe0ecbe8..2c64a54906 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -371,7 +371,7 @@ static int cg_kill_items( + if (set_get(s, PID_TO_PTR(pidref.pid)) == PID_TO_PTR(pidref.pid)) + continue; + +- /* Ignore kernel threads to mimick the behavior of cgroup.kill. */ ++ /* Ignore kernel threads to mimic the behavior of cgroup.kill. */ + if (pidref_is_kernel_thread(&pidref) > 0) { + log_debug("Ignoring kernel thread with pid " PID_FMT " in cgroup '%s'", pidref.pid, path); + continue; diff --git a/SOURCES/0086-netif-naming-scheme-rename-rhel-10.0-to-rhel-10.0.be.patch b/SOURCES/0086-netif-naming-scheme-rename-rhel-10.0-to-rhel-10.0.be.patch new file mode 100644 index 0000000..57a24af --- /dev/null +++ b/SOURCES/0086-netif-naming-scheme-rename-rhel-10.0-to-rhel-10.0.be.patch 
@@ -0,0 +1,75 @@ +From c3300ddbcdd138da8bd3fb31d0f35a20f5b6ca13 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Thu, 22 Aug 2024 13:42:11 +0200 +Subject: [PATCH] netif-naming-scheme: rename rhel-10.0 to rhel-10.0.beta + +rhel-only: policy +Related: RHEL-55728 +--- + man/systemd.net-naming-scheme.xml | 6 +++--- + man/version-info.xml | 1 + + src/shared/netif-naming-scheme.c | 2 +- + src/shared/netif-naming-scheme.h | 2 +- + 4 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index e458b5dd6b..610a05485b 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -526,15 +526,15 @@ + + + +- rhel-10.0 ++ rhel-10.0-beta + + PCI slot number is now read from firmware_node/sun sysfs file. + +- ++ + + + +- By default rhel-10.0 is used. ++ By default rhel-10.0-beta is used. + + + RHEL-9 schemes +diff --git a/man/version-info.xml b/man/version-info.xml +index 274450d408..c05cebfbe2 100644 +--- a/man/version-info.xml ++++ b/man/version-info.xml +@@ -103,6 +103,7 @@ + Added in rhel-9.8. + Added in rhel-9.9. + Added in rhel-9.10. ++ Added in rhel-10.0-beta. + Added in rhel-10.0. + Added in rhel-10.1. + Added in rhel-10.2. 
+diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index 149794e926..cb5f8c5d38 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -41,7 +41,7 @@ static const NamingScheme naming_schemes[] = { + { "rhel-9.3", NAMING_RHEL_9_3 }, + { "rhel-9.4", NAMING_RHEL_9_4 }, + { "rhel-9.5", NAMING_RHEL_9_5 }, +- { "rhel-10.0", NAMING_RHEL_10_0 }, ++ { "rhel-10.0-beta", NAMING_RHEL_10_0_BETA }, + /* … add more schemes here, as the logic to name devices is updated … */ + + EXTRA_NET_NAMING_MAP +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index 229232d452..2e2023ba5b 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -83,7 +83,7 @@ typedef enum NamingSchemeFlags { + NAMING_RHEL_9_4 = NAMING_RHEL_9_3, + NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN, + +- NAMING_RHEL_10_0 = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN, ++ NAMING_RHEL_10_0_BETA = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN, + + EXTRA_NET_NAMING_SCHEMES + diff --git a/SOURCES/0087-net-naming-scheme-disable-NAMING_FIRMWARE_NODE_SUN.patch b/SOURCES/0087-net-naming-scheme-disable-NAMING_FIRMWARE_NODE_SUN.patch new file mode 100644 index 0000000..2fa6969 --- /dev/null +++ b/SOURCES/0087-net-naming-scheme-disable-NAMING_FIRMWARE_NODE_SUN.patch 
@@ -0,0 +1,43 @@ +From 8da695b27c2620e6410e0b1a4d8dda4747d89b5f Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Thu, 22 Aug 2024 13:47:56 +0200 +Subject: [PATCH] net-naming-scheme: disable NAMING_FIRMWARE_NODE_SUN + +It seems that virtio devices always have "0" in +the firmware_node/sun. And because of that, udev will +always name the device ens0, which leads to collisions. +So let's disable it for now. + +rhel-only: policy +Resolves: RHEL-55728 +--- + man/systemd.net-naming-scheme.xml | 2 +- + src/shared/netif-naming-scheme.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 610a05485b..8be24e4243 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -528,7 +528,7 @@ + + rhel-10.0-beta + +- PCI slot number is now read from firmware_node/sun sysfs file. ++ Same as naming scheme v255. + + + +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index 2e2023ba5b..fb733ba768 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -83,7 +83,7 @@ typedef enum NamingSchemeFlags { + NAMING_RHEL_9_4 = NAMING_RHEL_9_3, + NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN, + +- NAMING_RHEL_10_0_BETA = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN, ++ NAMING_RHEL_10_0_BETA = NAMING_V255, + + EXTRA_NET_NAMING_SCHEMES + diff --git a/SOURCES/0088-net-naming-scheme-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch b/SOURCES/0088-net-naming-scheme-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch new file mode 100644 index 0000000..8096f5d --- /dev/null +++ b/SOURCES/0088-net-naming-scheme-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch 
@@ -0,0 +1,38 @@ +From 6a8e030c0a8481e42ee60a52e7a91f736537f5e3 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Thu, 22 Aug 2024 14:31:54 +0200 +Subject: [PATCH] net-naming-scheme: remove NAMING_FIRMWARE_NODE_SUN from 9.5 + +rhel-only: policy +Resolves: RHEL-55728 +--- + man/systemd.net-naming-scheme.xml | 2 -- + src/shared/netif-naming-scheme.h | 2 +- + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 8be24e4243..246c6509e3 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -604,8 +604,6 @@ + children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot. + + +- PCI slot number is now read from firmware_node/sun sysfs file. +- + + + +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index fb733ba768..b2b2ee648f 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -81,7 +81,7 @@ typedef enum NamingSchemeFlags { + NAMING_RHEL_9_2 = NAMING_RHEL_9_0, + NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R, + NAMING_RHEL_9_4 = NAMING_RHEL_9_3, +- NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN, ++ NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT, + + NAMING_RHEL_10_0_BETA = NAMING_V255, + diff --git a/SOURCES/0089-Revert-cgroup-util-Don-t-try-to-open-pidfd-for-kerne.patch b/SOURCES/0089-Revert-cgroup-util-Don-t-try-to-open-pidfd-for-kerne.patch new file mode 100644 index 0000000..2b96897 --- /dev/null +++ b/SOURCES/0089-Revert-cgroup-util-Don-t-try-to-open-pidfd-for-kerne.patch 
@@ -0,0 +1,33 @@ +From 38623336fb84eb0df1f72ef8d472a36bb5d60822 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 21 Aug 2024 11:25:46 +0200 +Subject: [PATCH] Revert "cgroup-util: Don't try to open pidfd for kernel + threads" + +The kernel patch was reverted so let's try again to open pidfds +for kernel threads. + +This reverts commit ead48ec35c863650944352a3455f26ce3b393058. + +(cherry picked from commit 1ce69e06615e69692a6d02d447acfd77f5d44631) + +Related: RHEL-52634 +--- + src/basic/cgroup-util.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index 2c64a54906..a6ad711ac0 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -149,9 +149,7 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) { + if (pid == 0) + return -EREMOTE; + +- /* We might read kernel thread pids from cgroup.procs for which we cannot create a pidfd so +- * catch those and don't try to create a pidfd for them. */ +- if (FLAGS_SET(flags, CGROUP_NO_PIDFD) || pid_is_kernel_thread(pid) > 0) { ++ if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) { + *ret = PIDREF_MAKE_FROM_PID(pid); + return 1; + } diff --git a/SOURCES/0090-ukify-Skip-test-on-architectures-without-UEFI.patch b/SOURCES/0090-ukify-Skip-test-on-architectures-without-UEFI.patch new file mode 100644 index 0000000..e502a96 --- /dev/null +++ b/SOURCES/0090-ukify-Skip-test-on-architectures-without-UEFI.patch 
@@ -0,0 +1,30 @@ +From 65dbacdb67ae94f7481a413dfea651b2d8a74d13 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 28 Aug 2024 14:08:30 +0200 +Subject: [PATCH] ukify: Skip test on architectures without UEFI + +(cherry picked from commit 5121f7c45b37afca53c89f42123b1dd6a04fa80f) + +Related: RHEL-52634 +--- + src/ukify/test/test_ukify.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py +index 0e3f932890..15d1578695 100755 +--- a/src/ukify/test/test_ukify.py ++++ b/src/ukify/test/test_ukify.py +@@ -35,6 +35,13 @@ except ImportError as e: + sys.path.append(os.path.dirname(__file__) + '/..') + import ukify + ++# Skip if we're running on an architecture that does not use UEFI. ++try: ++ ukify.guess_efi_arch() ++except ValueError as e: ++ print(str(e), file=sys.stderr) ++ sys.exit(77) ++ + build_root = os.getenv('PROJECT_BUILD_ROOT') + try: + slow_tests = bool(int(os.getenv('SYSTEMD_SLOW_TESTS', '1'))) diff --git a/SOURCES/10-map-count.conf b/SOURCES/10-map-count.conf new file mode 100644 index 0000000..5cf5677 --- /dev/null +++ b/SOURCES/10-map-count.conf @@ -0,0 +1,3 @@ +# Increase the number of virtual memory areas that one process may request +# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount +vm.max_map_count=1048576 diff --git a/SOURCES/10-oomd-defaults.conf b/SOURCES/10-oomd-defaults.conf new file mode 100644 index 0000000..0254657 --- /dev/null +++ b/SOURCES/10-oomd-defaults.conf @@ -0,0 +1,2 @@ +[OOM] +DefaultMemoryPressureDurationSec=20s diff --git a/SOURCES/10-oomd-per-slice-defaults.conf b/SOURCES/10-oomd-per-slice-defaults.conf new file mode 100644 index 0000000..63d8162 --- /dev/null +++ b/SOURCES/10-oomd-per-slice-defaults.conf @@ -0,0 +1,3 @@ +[Slice] +ManagedOOMMemoryPressure=kill +ManagedOOMMemoryPressureLimit=80% diff --git a/SOURCES/20-yama-ptrace.conf b/SOURCES/20-yama-ptrace.conf new file mode 100644 index 0000000..4fbaf97 --- /dev/null 
+++ b/SOURCES/20-yama-ptrace.conf 
@@ -0,0 +1,42 @@ +# The ptrace system call is used for interprocess services, +# communication and introspection (like synchronisation, signaling, +# debugging, tracing and profiling) of processes. +# +# Usage of ptrace is restricted by normal user permissions. Normal +# unprivileged processes cannot use ptrace on processes that they +# cannot send signals to or processes that are running set-uid or +# set-gid. Nevertheless, processes running under the same uid will +# usually be able to ptrace one another. +# +# Fedora enables the Yama security mechanism which restricts ptrace +# even further. Sysctl setting kernel.yama.ptrace_scope can have one +# of the following values: +# +# 0 - Normal ptrace security permissions. +# 1 - Restricted ptrace. Only child processes plus normal permissions. +# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE. +# 3 - No attach. No process may call ptrace at all. Irrevocable. +# +# For more information see Documentation/security/Yama.txt in the +# kernel sources. +# +# The default is 1., which allows tracing of child processes, but +# forbids tracing of arbitrary processes. This allows programs like +# gdb or strace to work when the most common way of having the +# debugger start the debuggee is used: +# gdb /path/to/program ... +# Attaching to already running programs is NOT allowed: +# gdb -p ... +# This default setting is suitable for the common case, because it +# reduces the risk that one hacked process can be used to attack other +# processes. (For example, a hacked firefox process in a user session +# will not be able to ptrace the keyring process and extract passwords +# stored only in memory.) +# +# Developers and administrators might want to disable those protections +# to be able to attach debuggers to existing processes. Use +# sysctl kernel.yama.ptrace_scope=0 +# for change the setting temporarily, or copy this file to +# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots. 
+ +kernel.yama.ptrace_scope = 0 diff --git a/SOURCES/98-default-mac-none.link b/SOURCES/98-default-mac-none.link new file mode 100644 index 0000000..8440f98 --- /dev/null +++ b/SOURCES/98-default-mac-none.link @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: MIT-0 +# +# This config file is installed as part of systemd. +# It may be freely copied and edited (following the MIT No Attribution license). +# +# To make local modifications, one of the following methods may be used: +# 1. add a drop-in file that extends this file by creating the +# /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a +# new .conf file there. +# 2. copy this file into /etc/systemd/network or one of the other paths checked +# by systemd-udevd and edit it there. +# This file should not be edited in place, because it'll be overwritten on upgrades. + +[Match] +Kind=bridge bond team + +[Link] +NamePolicy=keep kernel database onboard slot path +AlternativeNamesPolicy=database onboard slot path +MACAddressPolicy=none diff --git a/SOURCES/inittab b/SOURCES/inittab new file mode 100644 index 0000000..3f5e83c --- /dev/null +++ b/SOURCES/inittab @@ -0,0 +1,16 @@ +# inittab is no longer used. +# +# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM. +# +# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target +# +# systemd uses 'targets' instead of runlevels. By default, there are two main targets: +# +# multi-user.target: analogous to runlevel 3 +# graphical.target: analogous to runlevel 5 +# +# To view current default target, run: +# systemctl get-default +# +# To set a default target, run: +# systemctl set-default TARGET.target diff --git a/SOURCES/macros.sysusers b/SOURCES/macros.sysusers new file mode 100644 index 0000000..d8d8c1d --- /dev/null +++ b/SOURCES/macros.sysusers 
@@ -0,0 +1,10 @@ +# RPM macros for packages creating system accounts +# +# Turn a sysusers.d file into macros specified by +# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation + +%sysusers_requires_compat Requires(pre): shadow-utils + +%sysusers_create_compat() \ +%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \ +%{nil} diff --git a/SOURCES/purge-nobody-user b/SOURCES/purge-nobody-user new file mode 100755 index 0000000..66404fe --- /dev/null +++ b/SOURCES/purge-nobody-user 
@@ -0,0 +1,101 @@ +#!/bin/bash -eu + +if [ $UID -ne 0 ]; then + echo "WARNING: This script needs to run as root to be effective" + exit 1 +fi + +export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 + +if [ "${1:-}" = "--ignore-journal" ]; then + shift + ignore_journal=1 +else + ignore_journal=0 +fi + +echo "Checking processes..." +if ps h -u 99 | grep .; then + echo "ERROR: ps reports processes with UID 99!" + exit 2 +fi +echo "... not found" + +echo "Checking UTMP..." +if w -h 199 | grep . ; then + echo "ERROR: w reports UID 99 as active!" + exit 2 +fi +if w -h nobody | grep . ; then + echo "ERROR: w reports user nobody as active!" + exit 2 +fi +echo "... not found" + +echo "Checking the journal..." +if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then + echo "ERROR: journalctl reports messages from UID 99 in current boot!" + exit 2 +fi +echo "... not found" + +echo "Looking for files in /etc, /run, /tmp, and /var..." +if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then + echo "ERROR: found files belonging to UID 99" + exit 2 +fi +echo "... not found" + +echo "Checking if nobody is defined correctly..." +if getent passwd nobody | + grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin'; +then + echo "OK, nothing to do." + exit 0 +else + echo "NOTICE: User nobody is not defined correctly" +fi + +echo "Checking if nfsnobody or something else is using the uid..." +if getent passwd 65534 | grep . ; then + echo "NOTICE: will have to remove this user" +else + echo "... not found" +fi + +if [ "${1:-}" = "-x" ]; then + if getent passwd nobody >/dev/null; then + # this will remove both the user and the group. + ( set -x + userdel nobody + ) + fi + + if getent passwd 65534 >/dev/null; then + # Make sure the uid is unused. This should free gid too. 
+ name="$(getent passwd 65534 | cut -d: -f1)" + ( set -x + userdel "$name" + ) + fi + + if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then + echo "Sleeping, so sss can catch up" + sleep 3 + fi + + if getent group 65534; then + # Make sure the gid is unused, even if uid wasn't. + name="$(getent group 65534 | cut -d: -f1)" + ( set -x + groupdel "$name" + ) + fi + + # systemd-sysusers uses the same gid and uid + ( set -x + systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin' + ) +else + echo "Pass '-x' to perform changes" +fi diff --git a/SOURCES/split-files.py b/SOURCES/split-files.py new file mode 100644 index 0000000..5337c1a --- /dev/null +++ b/SOURCES/split-files.py 
@@ -0,0 +1,233 @@ +import re, sys, os, collections + +buildroot = sys.argv[1] +no_bootloader = '--no-bootloader' in sys.argv + +known_files = ''' +%ghost %config(noreplace) /etc/crypttab +%ghost %attr(0444,root,root) /etc/udev/hwdb.bin +/etc/inittab +/usr/lib/systemd/purge-nobody-user +# This directory is owned by openssh-server, but we don't want to introduce +# a dependency. So let's copy the config and co-own the directory. +%dir %attr(0700,root,root) /etc/ssh/sshd_config.d +%ghost %config(noreplace) /etc/vconsole.conf +%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf +%ghost %attr(0664,root,root) %verify(not group) /run/utmp +%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp +%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp +%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog +%ghost %config(noreplace) /etc/hostname +%ghost %config(noreplace) /etc/localtime +%ghost %config(noreplace) /etc/locale.conf +%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id +%ghost %config(noreplace) /etc/machine-info +%ghost %attr(0700,root,root) %dir /var/cache/private +%ghost %attr(0700,root,root) %dir /var/lib/private +%ghost %dir /var/lib/private/systemd +%ghost %dir /var/lib/private/systemd/journal-upload +%ghost /var/lib/private/systemd/journal-upload/state +%ghost %dir /var/lib/systemd/timesync +%ghost /var/lib/systemd/timesync/clock +%ghost %dir /var/lib/systemd/backlight +%ghost /var/lib/systemd/catalog/database +%ghost %dir /var/lib/systemd/coredump +%ghost /var/lib/systemd/journal-upload +%ghost %dir /var/lib/systemd/linger +%ghost %attr(0600,root,root) /var/lib/systemd/random-seed +%ghost %dir /var/lib/systemd/rfkill +%ghost %dir %verify(not mode group) /var/log/journal +%ghost %dir /var/log/journal/remote +%ghost %attr(0700,root,root) %dir /var/log/private +''' + +known_files = {line.split()[-1]:line for line in known_files.splitlines() + if line and not line.startswith('#')} + +def 
files(root): + os.chdir(root) + todo = collections.deque(['.']) + while todo: + n = todo.pop() + files = os.scandir(n) + for file in files: + yield file + if file.is_dir() and not file.is_symlink(): + todo.append(file) + +outputs = {suffix: open(f'.file-list-{suffix}', 'w') + for suffix in ( + 'libs', + 'udev', + 'ukify', + 'boot', + 'pam', + 'rpm-macros', + 'devel', + 'container', + 'oomd', + 'remote', + 'resolve', + 'main', + )} + +for file in files(buildroot): + n = file.path[1:] + if re.match(r'''/usr/(share|include)$| + /usr/share/man(/man.|)$| + /usr/share/zsh(/site-functions|)$| + /usr/share/dbus-1$| + /usr/share/dbus-1/system.d$| + /usr/share/dbus-1/(system-|)services$| + /usr/share/polkit-1(/actions|/rules.d|)$| + /usr/share/pkgconfig$| + /usr/share/bash-completion(/completions|)$| + /usr(/lib|/lib64|/bin|/sbin|)$| + /usr/lib.*/(security|pkgconfig)$| + /usr/lib/rpm(/macros.d|)$| + /usr/lib/firewalld(/services|)$| + /usr/share/(locale|licenses|doc)| # no $ + /etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$| + /etc/(dnf|dnf/protected.d)$| + /usr/(src|lib/debug)| # no $ + /run$| + /var(/cache|/log|/lib|/run|)$ + ''', n, re.X): + continue + + if '/security/pam_' in n or '/man8/pam_' in n: + o = outputs['pam'] + elif '/rpm/' in n: + o = outputs['rpm-macros'] + elif 'ukify' in n: + o = outputs['ukify'] + elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n): + o = outputs['main'] + elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n): + o = outputs['udev'] + elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n): + o = outputs['devel'] + elif re.search(r'''journal-(remote|gateway|upload)| + systemd-remote\.conf| + /usr/share/systemd/gatewayd| + /var/log/journal/remote + ''', n, re.X): + o = outputs['remote'] + + elif re.search(r'''mymachines| + machinectl| + systemd-nspawn| + systemd-vmspawn| + import-pubring.gpg| + systemd-(machined|import|pull)| + /machine.slice| + /machines.target| + var-lib-machines.mount| + org.freedesktop.(import|machine)1 + ''', 
n, re.X): + o = outputs['container'] + + elif '.so.' in n: + o = outputs['libs'] + + elif re.search(r'''10-oomd-.*defaults\.conf| + oomd\.conf| + oomctl| + org.freedesktop.oom1| + systemd-oomd| + systemd-oom\.conf + ''', n, re.X): + o = outputs['oomd'] + + elif re.search(r'''udev(?!\.pc)| + hwdb| + bootctl| + boot-update| + bless-boot| + boot-system-token| + bsod| + kernel-install| + installkernel| + vconsole| + backlight| + rfkill| + random-seed| + modules-load| + timesync| + crypttab| + cryptenroll| + cryptsetup| + kmod| + quota| + pstore| + sleep|suspend|hibernate| + systemd-tmpfiles-setup-dev| + network/98-default-mac-none.link| + network/99-default.link| + growfs|makefs|makeswap|mkswap| + fsck| + repart| + gpt-auto| + volatile-root| + veritysetup| + integritysetup| + integritytab| + remount-fs| + /initrd| + systemd-pcr| + systemd-measure| + /boot$| + /kernel/| + /kernel$| + /modprobe.d| + binfmt| + sysctl| + coredump| + homed|home1| + oomd| + portabled|portable1 + ''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because + # they can be used to interact with remote daemons. Also, the user could be + # confused if those user-facing binaries are not available. + o = outputs['udev'] + + elif re.search(r'''/boot/efi| + /usr/lib/systemd/boot| + sd-boot|systemd-boot\.|loader.conf + ''', n, re.X): + o = outputs['boot'] + + elif re.search(r'''resolved|resolve1| + systemd-resolve| + resolvconf| + systemd\.(positive|negative) + ''', n, re.X): # resolvectl and nss-resolve are in the main package. 
+ o = outputs['resolve'] + + else: + o = outputs['main'] + + if n in known_files: + prefix = known_files[n].split()[:-1] + elif file.is_dir() and not file.is_symlink(): + prefix = ['%dir'] + elif 'README' in n: + prefix = ['%doc'] + elif n.startswith('/etc'): + prefix = ['%config(noreplace)'] + if file.stat().st_size == 0: + prefix += ['%ghost'] + else: + prefix = [] + prefix = ' '.join(prefix + ['']) if prefix else '' + + suffix = '*' if '/man/' in n else '' + + print(f'{prefix}{n}{suffix}', file=o) + +if [print(f'ERROR: no file names were written to {o.name}') + for name, o in outputs.items() + if (o.tell() == 0 and + not (no_bootloader and name == 'boot')) + ]: + sys.exit(1) diff --git a/SOURCES/sysctl.conf.README b/SOURCES/sysctl.conf.README new file mode 100644 index 0000000..41c0c41 --- /dev/null +++ b/SOURCES/sysctl.conf.README @@ -0,0 +1,10 @@ +# sysctl settings are defined through files in +# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. +# +# Vendors settings live in /usr/lib/sysctl.d/. +# To override a whole file, create a new file with the same in +# /etc/sysctl.d/ and put new settings there. To override +# only specific settings, add a file with a lexically later +# name in /etc/sysctl.d/ and put new settings there. +# +# For more information, see sysctl.conf(5) and sysctl.d(5). diff --git a/SOURCES/systemd-journal-gatewayd.xml b/SOURCES/systemd-journal-gatewayd.xml new file mode 100644 index 0000000..a1b400c --- /dev/null +++ b/SOURCES/systemd-journal-gatewayd.xml @@ -0,0 +1,6 @@ + + + systemd-journal-gatewayd + Journal Gateway Service + + diff --git a/SOURCES/systemd-journal-remote.xml b/SOURCES/systemd-journal-remote.xml new file mode 100644 index 0000000..e115a12 --- /dev/null +++ b/SOURCES/systemd-journal-remote.xml @@ -0,0 +1,6 @@ + + + systemd-journal-remote + Journal Remote Sink + + diff --git a/SOURCES/systemd-udev-trigger-no-reload.conf b/SOURCES/systemd-udev-trigger-no-reload.conf new file mode 100644 index 0000000..c879427 
--- /dev/null +++ b/SOURCES/systemd-udev-trigger-no-reload.conf @@ -0,0 +1,3 @@ +[Unit] +# https://bugzilla.redhat.com/show_bug.cgi?id=1378974#c17 +RefuseManualStop=true diff --git a/SOURCES/sysusers.attr b/SOURCES/sysusers.attr new file mode 100644 index 0000000..367c137 --- /dev/null +++ b/SOURCES/sysusers.attr @@ -0,0 +1,2 @@ +%__sysusers_provides %{_rpmconfigdir}/sysusers.prov +%__sysusers_path ^%{_sysusersdir}/.*\\.conf$ diff --git a/SOURCES/sysusers.generate-pre.sh b/SOURCES/sysusers.generate-pre.sh new file mode 100755 index 0000000..4a87d53 --- /dev/null +++ b/SOURCES/sysusers.generate-pre.sh 
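Review bot: the final check in split-files.py uses a list comprehension purely for its side effect (`if [print(f'ERROR: no file names were written to {o.name}') for name, o in outputs.items() if ...]: sys.exit(1)`), which hides the error path inside an expression; collect the empty outputs in a plain loop, print each name (to stderr, `file=sys.stderr`, so it does not mix with normal output), and exit non-zero if the list is non-empty.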
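Review bot: the sysctl.conf.README hunk is missing a word in `# To override a whole file, create a new file with the same in` (should read `with the same name in`), and `# Vendors settings live in /usr/lib/sysctl.d/.` should be `Vendor settings`. This file is shipped to users as documentation, so it is worth fixing before it lands.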
@@ -0,0 +1,96 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: true; tab-width: 4; -*- + +# This script turns sysuser.d files into scriptlets mandated by Fedora +# packaging guidelines. The general idea is to define users using the +# declarative syntax but to turn this into traditional scriptlets. + +user() { + user="$1" + uid="$2" + desc="$3" + group="$4" + home="$5" + shell="$6" + + [ "$desc" = '-' ] && desc= + { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/ + { [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin + + if [ "$uid" = '-' ] || [ "$uid" = '' ]; then + cat <<-EOF + getent passwd '$user' >/dev/null || \\ + useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || : + EOF + else + cat <<-EOF + if ! getent passwd ${user@Q} >/dev/null; then + if ! getent passwd ${uid@Q} >/dev/null; then + useradd -r -u ${uid@Q} -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || : + else + useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || : + fi + fi + + EOF + fi +} + +group() { + group="$1" + gid="$2" + + if [ "$gid" = '-' ]; then + cat <<-EOF + getent group ${group@Q} >/dev/null || groupadd -r ${group@Q} || : + EOF + else + cat <<-EOF + getent group ${group@Q} >/dev/null || groupadd -f -g ${gid@Q} -r ${group@Q} || : + EOF + fi +} + +usermod() { + user="$1" + group="$2" + + cat <<-EOF + if getent group ${group@Q} >/dev/null; then + usermod -a -G ${group@Q} '$user' || : + fi + EOF +} + +parse() { + while read -r line || [ -n "$line" ] ; do + { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue + line="${line## *}" + [ -z "$line" ] && continue + eval "arr=( $line )" + case "${arr[0]}" in + ('u') + if [[ "${arr[2]}" == *":"* ]]; then + user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" + else + group "${arr[1]}" "${arr[2]}" + user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" + fi + ;; + ('g') + group 
"${arr[1]}" "${arr[2]}" + ;; + ('m') + group "${arr[2]}" "-" + user "${arr[1]}" "-" "" "${arr[1]}" "" "" + usermod "${arr[1]}" "${arr[2]}" + ;; + esac + done +} + +for fn in "$@"; do + [ -e "$fn" ] || continue + echo "# generated from $(basename "$fn")" + parse <"$fn" +done diff --git a/SOURCES/sysusers.prov b/SOURCES/sysusers.prov new file mode 100755 index 0000000..f12e929 --- /dev/null +++ b/SOURCES/sysusers.prov @@ -0,0 +1,61 @@ +#!/bin/bash + +process_u() { + if [ ! -z "${2##*[!0-9]*}" ]; then + # Single shared static ID. + echo "user($1) = $2" + echo "group($1) = $2" + elif [[ $2 == *:* ]]; then + # UID:. + uid=$(echo $2 | cut -d':' -f1 -) + group=$(echo $2 | cut -d':' -f2 -) + if [ ! -z "${group##*[!0-9]*}" ]; then + # UID:GID. + echo "user($1) = ${uid}" + echo "group($1) = ${group}" + else + # UID:. + echo "user($1) = ${uid}" + echo "group(${group})" + fi + else + # Dynamic (or something else uninteresting). + echo "user($1)" + echo "group($1)" + fi +} + +process_g() { + if [ ! -z "${2##*[!0-9]*}" ]; then + # Static GID. + echo "group($1) = $2" + else + # Dynamic (or something else uninteresting). + echo "group($1)" + fi +} + +parse() { + while read line; do + [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue + line="${line## *}" + [ -z "$line" ] && continue + set -- $line + case "$1" in + ('u') + process_u "$2" "$3" + ;; + ('g') + process_g "$2" "$3" + ;; + ('m') + echo "user($2)" + echo "group($3)" + ;; + esac + done +} + +while read fn; do + parse < "$fn" +done diff --git a/SOURCES/test_sysusers_defined.py b/SOURCES/test_sysusers_defined.py new file mode 100755 index 0000000..2754578 --- /dev/null +++ b/SOURCES/test_sysusers_defined.py 
@@ -0,0 +1,34 @@ +#!/usr/bin/python + +import sys + +def parse_sysusers_file(filename): + users, groups = set(), set() + + for line in open(filename): + line = line.strip() + if not line or line.startswith('#'): + continue + words = line.split() + match words[0]: + case 'u': + users.add(words[1]) + case 'g': + groups.add(words[1]) + case 'm'|'r': + continue + case _: + assert False + return users, groups + +setup_users, setup_groups = parse_sysusers_file(sys.argv[1]) +setup_users2, setup_groups2 = parse_sysusers_file(sys.argv[2]) +setup_users |= setup_users2 +setup_groups |= setup_groups2 + +basic_users, basic_groups = parse_sysusers_file(sys.argv[3]) + +if d := basic_users - setup_users: + exit(f'We have new users: {d}') +if d := basic_groups - setup_groups: + exit(f'We have new groups: {d}') diff --git a/SOURCES/triggers.systemd b/SOURCES/triggers.systemd new file mode 100644 index 0000000..f8bb078 --- /dev/null +++ b/SOURCES/triggers.systemd 
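Review bot: in sysusers.generate-pre.sh, `group()` only treats `-` as "no GID", so a `g name` line with the ID field omitted (`gid=""`) falls into the else branch and passes an empty GID to `groupadd -f -g ${gid@Q} -r ...`; mirror the check used in `user()`, `{ [ "$gid" = '-' ] || [ "$gid" = '' ]; }`. Two heredocs also quote the user name with plain single quotes (`useradd -r -g ${group@Q} ... '$user'` in the dynamic-UID branch and `usermod -a -G ${group@Q} '$user'`) while every other expansion uses `${user@Q}`; a name containing a quote would produce a broken scriptlet, so use `${user@Q}` consistently. Finally, `eval "arr=( $line )"` executes whatever the sysusers.d line contains; that is acceptable only because the inputs are the package's own build-time files, and a comment stating that assumption would help the next reader.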
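Review bot: `parse()` in sysusers.prov reads with `while read line` (no `-r`) and then word-splits via `set -- $line` and `echo $2 | cut ...`, so backslashes are consumed and glob characters in a field are expanded against the current directory; the sibling sysusers.generate-pre.sh already uses `read -r line || [ -n "$line" ]`, so do the same here and quote the expansions (or `set -f` before `set -- $line`). The comment-skip test `[ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ]` uses the obsolescent `-o` form; `{ [ ... ] || [ ... ]; }` as in the other script is clearer.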
@@ -0,0 +1,87 @@ +# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# Copyright 2018 Neal Gompa + +# The contents of this are an example to be copied into systemd.spec. +# +# Minimum rpm version supported: 4.14.0 + +%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system +# This script will run after any package is initially installed or +# upgraded. We care about the case where a package is initially +# installed, because other cases are covered by the *un scriptlets, +# so sometimes we will reload needlessly. +/usr/lib/systemd/systemd-update-helper system-reload-restart || : + +%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user +/usr/lib/systemd/systemd-update-helper user-reload-restart || : + +%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system +# On removal, we need to run daemon-reload after any units have been +# removed. +# On upgrade, we need to run daemon-reload after any new unit files +# have been installed, but before %postun scripts in packages get +# executed. +/usr/lib/systemd/systemd-update-helper system-reload || : + +%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user +# Execute daemon-reload in user managers. +/usr/lib/systemd/systemd-update-helper user-reload || : + +%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system +# We restart remaining system services that should be restarted here. +/usr/lib/systemd/systemd-update-helper system-restart || : + +%transfiletriggerpostun -P 9999 -- /usr/lib/systemd/user /etc/systemd/user +# We restart remaining user services that should be restarted here. +/usr/lib/systemd/systemd-update-helper user-restart || : + +%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d +# This script will process files installed in /usr/lib/sysusers.d to create +# specified users automatically. 
The priority is set such that it +# will run before the tmpfiles file trigger. +systemd-sysusers || : + +%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d +# This script will automatically invoke hwdb update if files have been +# installed or updated in /usr/lib/udev/hwdb.d. +systemd-hwdb update || : + +%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog +# This script will automatically invoke journal catalog update if files +# have been installed or updated in /usr/lib/systemd/catalog. +journalctl --update-catalog || : + +%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d +# This script will automatically apply binfmt rules if files have been +# installed or updated in /usr/lib/binfmt.d. +if test -d "/run/systemd/system"; then + # systemd-binfmt might fail if binfmt_misc kernel module is not loaded + # during install + /usr/lib/systemd/systemd-binfmt || : +fi + +%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d +# This script will process files installed in /usr/lib/tmpfiles.d to create +# tmpfiles automatically. The priority is set such that it will run +# after the sysusers file trigger, but before any other triggers. +if test -d "/run/systemd/system"; then + systemd-tmpfiles --create || : +fi + +%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d +# This script will automatically update udev with new rules if files +# have been installed or updated in /usr/lib/udev/rules.d. +if test -e /run/udev/control; then + udevadm control --reload || : +fi + +%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d +# This script will automatically apply sysctl rules if files have been +# installed or updated in /usr/lib/sysctl.d. +if test -d "/run/systemd/system"; then + /usr/lib/systemd/systemd-sysctl || : +fi diff --git a/SOURCES/yum-protect-systemd.conf b/SOURCES/yum-protect-systemd.conf new file mode 100644 index 0000000..39426d7 --- /dev/null +++ b/SOURCES/yum-protect-systemd.conf @@ -0,0 +1,2 @@ +systemd +systemd-udev 
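Review bot: the `case _: assert False` arm in `parse_sysusers_file` (test_sysusers_defined.py) reports nothing about the offending line and is silently dropped under `python -O`; raise an explicit error such as `ValueError(f'{filename}: unexpected line {line!r}')` instead. `open(filename)` is never closed (use `with open(filename) as f:`), and lines starting with `;` are treated as comments by sysusers.generate-pre.sh and sysusers.prov but not here, so the three parsers disagree on the same input.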
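Review bot: the modeline on the first line of triggers.systemd ends with a stray `*/` (`# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */`), a leftover from a C-style comment; drop it. The sysusers, hwdb and catalog triggers run unconditionally while the binfmt, tmpfiles, udev and sysctl triggers are guarded by `test -d "/run/systemd/system"` or `test -e /run/udev/control`; a comment explaining why the first group is safe in a chroot or container (they only rewrite files on disk and need no running manager) would make the distinction clear.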
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec new file mode 100644 index 0000000..8f8fea9 --- /dev/null +++ b/SPECS/systemd.spec 
@@ -0,0 +1,1231 @@ +#global commit 1781de18ab8ebc3e42a607851d8effb3b0355c87 +%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} + +# We ship a .pc file but don't want to have a dep on pkg-config. We +# strip the automatically generated dep here and instead co-own the +# directory. +%global __requires_exclude pkg-config + +%global pkgdir %{_prefix}/lib/systemd +%global system_unit_dir %{pkgdir}/system +%global user_unit_dir %{pkgdir}/user + +%if 0%{?__isa_bits} == 64 +%global elf_bits (64bit) +%global elf_suffix ()%{elf_bits} +%endif + +%bcond bzip2 1 +%bcond gnutls 1 +%bcond lz4 1 +%bcond xz 1 +%bcond zlib 1 +%bcond zstd 1 + +# Bootstrap may be needed to break circular dependencies with cryptsetup, +# e.g. when re-building cryptsetup on a json-c SONAME-bump. +%bcond bootstrap 0 +%bcond tests 1 +%bcond lto 1 +%bcond docs 1 + +# Build from git main +%bcond upstream 0 + +# When bootstrap, libcryptsetup is disabled +# but auto-features causes many options to be turned on +# that depend on libcryptsetup (e.g. libcryptsetup-plugins) +%if %{with bootstrap} +%global __meson_auto_features disabled +%endif + +# Override %%autorelease. This is ugly, but rpmautospec doesn't implement +# autorelease correctly if the macro is conditionalized in the Release field. +%{?release_override:%global autorelease %{release_override}%{?dist}} + +Name: systemd +Url: https://systemd.io +# Allow users to specify the version and release when building the rpm by +# setting the %%version_override and %%release_override macros. +Version: %{?version_override}%{!?version_override:256} +Release: 14%{?dist} + +%global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?) 
+ +# For a breakdown of the licensing, see README +License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later +Summary: System and Service Manager + +# download tarballs with "spectool -g systemd.spec" +%if %{defined commit} +Source0: https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +%else +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz +%endif +# This file must be available before %%prep. +# It is generated during systemd build and can be found in build/src/core/. +Source1: triggers.systemd +Source2: split-files.py +Source3: purge-nobody-user +Source4: test_sysusers_defined.py + +# Prevent accidental removal of the systemd package +Source5: yum-protect-systemd.conf + +Source6: inittab +Source7: sysctl.conf.README +Source8: systemd-journal-remote.xml +Source9: systemd-journal-gatewayd.xml +Source10: 20-yama-ptrace.conf +Source11: systemd-udev-trigger-no-reload.conf +# https://fedoraproject.org/wiki/How_to_filter_libabigail_reports +Source13: .abignore + +Source14: 10-oomd-defaults.conf +Source15: 10-oomd-per-slice-defaults.conf + +Source17: 10-map-count.conf + +Source21: macros.sysusers +Source22: sysusers.attr +Source23: sysusers.prov +Source24: sysusers.generate-pre.sh + +Source25: 98-default-mac-none.link + +%if 0 +GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable +i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip +GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py >hwdb.patch +%endif + +# Backports of patches from upstream (0000–0499) +# +# Any patches which are "in preparation" upstream should be listed here, rather +# than in the next section. Packit CI will drop any patches in this range before +# applying upstream pull requests. 
+ +# RHEL-specific +Patch0001: 0001-Create-CNAME.patch +Patch0002: 0002-man-systemd-reorder-content-a-bit.patch +Patch0003: 0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch +Patch0004: 0004-sd-dhcp-server-clear-buffer-before-receive.patch +Patch0005: 0005-rules-Limit-the-number-of-device-units-generated-for.patch +Patch0006: 0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch +Patch0007: 0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch +Patch0008: 0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch +Patch0009: 0009-repart-Use-crypt_reencrypt_run-if-available.patch +Patch0010: 0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch +Patch0011: 0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch +Patch0012: 0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch +Patch0013: 0013-shell-completion-only-offer-devices-for-completion.patch +Patch0014: 0014-CODING_STYLE-document-reterr_-return-parameters.patch +Patch0015: 0015-analyze-show-pcrs-also-in-sha384-bank.patch +Patch0016: 0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch +Patch0017: 0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch +Patch0018: 0018-man-units-drop-temporary-from-description-of-systemd.patch +Patch0019: 0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch +Patch0020: 0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch +Patch0021: 0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch +Patch0022: 0022-test-check-the-skip-condition-before-installing-addi.patch +Patch0023: 0023-test-drop-unneeded-firmware-uefi-setting.patch +Patch0024: 0024-test-drop-obsolete-comment.patch +Patch0025: 0025-test-support-TEST_NO_KVM.patch +Patch0026: 0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch +Patch0027: 0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch +Patch0028: 0028-core-service-fix-accept-socket-deserialization.patch +Patch0029: 
0029-test-network-mention-that-the-captive-portal-option-.patch +Patch0030: 0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch +Patch0031: 0031-mkosi-bump-to-latest.patch +Patch0032: 0032-NEWS-fix-typo.patch +Patch0033: 0033-install-allow-removing-symlinks-even-for-units-that-.patch +Patch0034: 0034-tmpfiles-honour-dry-run-when-removing-directories.patch +Patch0035: 0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch +Patch0036: 0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch +Patch0037: 0037-mkosi-restrict-noble-backports-to-noble-builds.patch +Patch0038: 0038-repart-fix-memory-leak.patch +Patch0039: 0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch +Patch0040: 0040-ci-update-workflows-to-run-on-source-git-setup.patch +Patch0041: 0041-ci-setup-source-git-automation.patch +Patch0042: 0042-ci-deploy-systemd-man-to-GitHub-Pages.patch +Patch0043: 0043-ci-reconfigure-Packit-for-RHEL-10.patch +Patch0044: 0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch +Patch0045: 0045-journal-again-create-user-journals-for-users-with-hi.patch +Patch0046: 0046-tmpfiles-make-purge-hard-to-mis-use.patch +Patch0047: 0047-fedora-use-system-auth-in-pam-systemd-user.patch +Patch0048: 0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch +Patch0049: 0049-rules-copy-40-redhat.rules-from-RHEL-9.patch +Patch0050: 0050-logind-set-RemoveIPC-to-false-by-default.patch +Patch0051: 0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch +Patch0052: 0052-rc-local-order-after-network-online.target.patch +Patch0053: 0053-random-util-increase-random-seed-size-to-1024.patch +Patch0054: 0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch +Patch0055: 0055-journald.conf-don-t-touch-current-audit-settings.patch +Patch0056: 0056-rules-add-elevator-kernel-command-line-parameter.patch +Patch0057: 0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch +Patch0058: 
0058-udev-net-setup-link-change-the-default-MACAddressPol.patch +Patch0059: 0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch +Patch0060: 0060-meson-rename-libbasic-to-libbasic_static.patch +Patch0061: 0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch +Patch0062: 0062-meson-add-option-to-build-systemd-executor-staticall.patch +Patch0063: 0063-taint-remove-unmerged-bin.patch +Patch0064: 0064-presets-remove-resolved.patch +Patch0065: 0065-doc-add-downstream-CONTRIBUTING-document.patch +Patch0066: 0066-ci-allow-policy-as-rhel-only-keyword.patch +Patch0067: 0067-ci-run-mkosi-test-only-for-Fedora-and-CentOS-Stream.patch +Patch0068: 0068-taint-remove-unused-variable-usr_sbin.patch +Patch0069: 0069-packit-drop-the-libarchive-workaround.patch +Patch0070: 0070-packit-drop-the-dependency-on-python3-zstd.patch +Patch0071: 0071-coredump-by-default-process-and-store-core-files-up-.patch +Patch0072: 0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch +Patch0073: 0073-unit-don-t-add-Requires-for-tmp.mount.patch +Patch0074: 0074-units-add-Install-section-to-tmp.mount.patch +Patch0075: 0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch +Patch0076: 0076-netif-naming-scheme-add-rhel-9.5-scheme.patch +Patch0077: 0077-udev-builtin-net_id-use-firmware_node-sun-for-ID_NET.patch +Patch0078: 0078-man-net-naming-scheme-add-missing-period.patch +Patch0079: 0079-Revert-packit-drop-the-dependency-on-python3-zstd.patch +Patch0080: 0080-systemctl-do-not-try-to-acquire-triggering-units-for.patch +Patch0081: 0081-core-unit-add-one-assertion-for-u-manager.patch +Patch0082: 0082-core-service-destroy-runtime-data-when-Type-oneshot-.patch +Patch0083: 0083-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch +Patch0084: 0084-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch +Patch0085: 0085-cgroup-util-fix-typo.patch +Patch0086: 0086-netif-naming-scheme-rename-rhel-10.0-to-rhel-10.0.be.patch +Patch0087: 
0087-net-naming-scheme-disable-NAMING_FIRMWARE_NODE_SUN.patch +Patch0088: 0088-net-naming-scheme-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch +Patch0089: 0089-Revert-cgroup-util-Don-t-try-to-open-pidfd-for-kerne.patch +Patch0090: 0090-ukify-Skip-test-on-architectures-without-UEFI.patch + +# Downstream-only patches (9000–9999) + +%ifarch %{ix86} x86_64 aarch64 riscv64 +%global want_bootloader 1 +%endif + +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: clang +BuildRequires: coreutils +BuildRequires: libcap-devel +BuildRequires: libmount-devel +BuildRequires: libfdisk-devel +BuildRequires: libpwquality-devel +BuildRequires: pam-devel +BuildRequires: libselinux-devel +BuildRequires: audit-libs-devel +%if %{without bootstrap} +BuildRequires: cryptsetup-devel +%endif +BuildRequires: dbus-devel +BuildRequires: util-linux +# /usr/bin/getfacl is needed by test-acl-util +BuildRequires: acl +BuildRequires: libacl-devel +BuildRequires: gobject-introspection-devel +BuildRequires: libblkid-devel +%if %{with xz} +BuildRequires: xz-devel +BuildRequires: xz +%endif +%if %{with lz4} +BuildRequires: lz4-devel +BuildRequires: lz4 +%endif +%if %{with bzip2} +BuildRequires: bzip2-devel +%endif +%if %{with zstd} +BuildRequires: libzstd-devel +%endif +BuildRequires: libidn2-devel +BuildRequires: libcurl-devel +BuildRequires: kmod-devel +BuildRequires: elfutils-devel +BuildRequires: openssl-devel +%if %{with gnutls} +BuildRequires: gnutls-devel +%endif +%if %{undefined rhel} +BuildRequires: qrencode-devel +%endif +BuildRequires: libmicrohttpd-devel +BuildRequires: libxkbcommon-devel +BuildRequires: iptables-devel +BuildRequires: pkgconfig(bash-completion) +BuildRequires: pkgconfig(libarchive) +BuildRequires: pkgconfig(libfido2) +BuildRequires: pkgconfig(tss2-esys) +BuildRequires: pkgconfig(tss2-rc) +BuildRequires: pkgconfig(tss2-mu) +BuildRequires: pkgconfig(libbpf) +BuildRequires: systemtap-sdt-devel +%if %{with docs} +BuildRequires: libxslt +BuildRequires: docbook-style-xsl 
+%endif +BuildRequires: pkgconfig +BuildRequires: gperf +BuildRequires: gawk +BuildRequires: tree +BuildRequires: hostname +BuildRequires: python3 +BuildRequires: python3-devel +BuildRequires: python3dist(jinja2) +BuildRequires: python3dist(lxml) +BuildRequires: python3dist(pefile) +%if %{undefined rhel} +BuildRequires: python3dist(pillow) +BuildRequires: python3dist(pytest-flakes) +%endif +BuildRequires: python3dist(pytest) +BuildRequires: python3dist(zstd) +%if 0%{?want_bootloader} +BuildRequires: python3dist(pyelftools) +%endif +# gzip and lzma are provided by the stdlib +BuildRequires: firewalld-filesystem +BuildRequires: libseccomp-devel +BuildRequires: meson >= 0.43 +BuildRequires: gettext +# We use RUNNING_ON_VALGRIND in tests, so the headers need to be available +%ifarch %{valgrind_arches} +BuildRequires: valgrind-devel +%endif + +%ifnarch %ix86 +# bpftool is not built for i368 +BuildRequires: bpftool +%global have_bpf 1 +%endif + +%if 0%{?fedora} +%ifarch x86_64 aarch64 +%global have_xen 1 +# That package is only built for those two architectures +BuildRequires: xen-devel +%endif +%endif + +Requires(post): coreutils +Requires(post): grep +# systemd-machine-id-setup requires libssl +Requires(post): openssl-libs +Requires: dbus >= 1.9.18 +Requires: %{name}-pam%{_isa} = %{version}-%{release} +Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build) +Requires: %{name}-libs%{_isa} = %{version}-%{release} +%{?fedora:Recommends: %{name}-resolved = %{version}-%{release}} +Recommends: diffutils +Requires: (util-linux-core or util-linux) +Recommends: libxkbcommon%{_isa} +Provides: /bin/systemctl +Provides: /sbin/shutdown +Provides: syslog +Provides: systemd-units = %{version}-%{release} +Obsoletes: system-setup-keyboard < 0.9 +Provides: system-setup-keyboard = 0.9 +# systemd-sysv-convert was removed in f20: https://fedorahosted.org/fpc/ticket/308 +Obsoletes: systemd-sysv < 206 +# self-obsoletes so that dnf will install new subpackages on upgrade 
(#1260394) +Obsoletes: %{name} < 249~~ +Provides: systemd-sysv = 206 +Conflicts: initscripts < 9.56.1 +%if 0%{?fedora} +Conflicts: fedora-release < 23-0.12 +%endif +%if 0%{?fedora} >= 41 +BuildRequires: setup >= 2.15.0-3 +BuildRequires: python3 +Conflicts: setup < 2.15.0-3 +Conflicts: selinux-policy-any < 41.1 +%endif + +%if 0%{?fedora} >= 41 +# Make sure that dracut supports systemd-executor and the renames done for v255, +# and dlopen libraries and read-only fs in initrd. +Conflicts: dracut < 060-2 +%else +# Make sure that dracut supports systemd-executor and the renames done for v255. +Conflicts: dracut < 059-16 +%endif + +Obsoletes: timedatex < 0.6-3 +Provides: timedatex = 0.6-3 +Provides: %{name}-tmpfiles = %{version}-%{release} +Provides: %{name}-sysusers = %{version}-%{release} +Provides: %{name}-shutdown = %{version}-%{release} + +# Recommends to replace normal Requires deps for stuff that is dlopen()ed +Recommends: libidn2.so.0%{?elf_suffix} +Recommends: libidn2.so.0(IDN2_0.0.0)%{?elf_bits} +Recommends: libpcre2-8.so.0%{?elf_suffix} +Recommends: libpwquality.so.1%{?elf_suffix} +Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)%{?elf_bits} +%if %{undefined rhel} +Recommends: libqrencode.so.4%{?elf_suffix} +%endif +Recommends: libbpf.so.1%{?elf_suffix} +Recommends: libbpf.so.1(LIBBPF_0.4.0)%{?elf_bits} + +# used by systemd-coredump and systemd-analyze +Recommends: libdw.so.1%{?elf_suffix} +Recommends: libdw.so.1(ELFUTILS_0.186)%{?elf_bits} +Recommends: libelf.so.1%{?elf_suffix} +Recommends: libelf.so.1(ELFUTILS_1.7)%{?elf_bits} + +# used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home +Recommends: libcryptsetup.so.12%{?elf_suffix} +Recommends: libcryptsetup.so.12(CRYPTSETUP_2.4)%{?elf_bits} + +# Libkmod is used to load modules. 
+Recommends: libkmod.so.2%{?elf_suffix} +# kmod_list_next, kmod_load_resources, kmod_module_get_initstate, +# kmod_module_get_module, kmod_module_get_name, kmod_module_new_from_lookup, +# kmod_module_probe_insert_module, kmod_module_unref, kmod_module_unref_list, +# kmod_new, kmod_set_log_fn, kmod_unref, kmod_validate_resources +# are part of LIBKMOD_5. +Recommends: libkmod.so.2(LIBKMOD_5)%{?elf_bits} + +Recommends: libarchive.so.13%{?elf_suffix} + +%description +systemd is a system and service manager that runs as PID 1 and starts the rest +of the system. It provides aggressive parallelization capabilities, uses socket +and D-Bus activation for starting services, offers on-demand starting of +daemons, keeps track of processes using Linux control groups, maintains mount +and automount points, and implements an elaborate transactional dependency-based +service control logic. systemd supports SysV and LSB init scripts and works as a +replacement for sysvinit. Other parts of this package are a logging daemon, +utilities to control basic system configuration like the hostname, date, locale, +maintain a list of logged-in users, system accounts, runtime directories and +settings, and a logging daemons. +%if 0%{?stable} +This package was built from the %(c=%version; echo "v${c%.*}-stable") branch of systemd. +%endif + +%package libs +Summary: systemd libraries +License: LGPL-2.1-or-later AND MIT +Obsoletes: libudev < 183 +Obsoletes: systemd < 185-4 +Conflicts: systemd < 185-4 +Obsoletes: systemd-compat-libs < 230 +Obsoletes: nss-myhostname < 0.4 +Provides: nss-myhostname = 0.4 +Provides: nss-myhostname%{_isa} = 0.4 + +%description libs +Libraries for systemd and udev. + +%package pam +Summary: systemd PAM module +Requires: %{name} = %{version}-%{release} + +%description pam +Systemd PAM module registers the session with systemd-logind. 
+ +%package rpm-macros +Summary: Macros that define paths and scriptlets related to systemd +BuildArch: noarch + +%description rpm-macros +Just the definitions of rpm macros. + +See +https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd +for information how to use those macros. + +%package devel +Summary: Development headers for systemd +License: LGPL-2.1-or-later AND MIT +Requires: %{name}-libs%{_isa} = %{version}-%{release} +Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build) +Provides: libudev-devel = %{version} +Provides: libudev-devel%{_isa} = %{version} +Obsoletes: libudev-devel < 183 + +%description devel +Development headers and auxiliary files for developing applications linking +to libudev or libsystemd. + +%package udev +Summary: Rule-based device node and kernel event manager +License: LGPL-2.1-or-later + +Requires: systemd%{_isa} = %{version}-%{release} +Requires(post): systemd%{_isa} = %{version}-%{release} +Requires(preun): systemd%{_isa} = %{version}-%{release} +Requires(postun): systemd%{_isa} = %{version}-%{release} +Requires(post): grep +Requires: kmod >= 18-4 +# https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1 +Obsoletes: systemd < 245.6-1 +Provides: udev = %{version} +Provides: udev%{_isa} = %{version} +Obsoletes: udev < 183 +Requires: (grubby > 8.40-72 if grubby) +Requires: (sdubby > 1.0-3 if sdubby) + +# Libkmod is used to load modules. Assume that if we need udevd, we certainly +# want to load modules, so make this into a hard dependency here. 
+Requires: libkmod.so.2%{?elf_suffix} +Requires: libkmod.so.2(LIBKMOD_5)%{?elf_bits} + +# Recommends to replace normal Requires deps for stuff that is dlopen()ed +# used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home +Recommends: libcryptsetup.so.12%{?elf_suffix} +Recommends: libcryptsetup.so.12(CRYPTSETUP_2.4)%{?elf_bits} + +# used by systemd-coredump and systemd-analyze +Recommends: libdw.so.1%{?elf_suffix} +Recommends: libdw.so.1(ELFUTILS_0.186)%{?elf_bits} +Recommends: libelf.so.1%{?elf_suffix} +Recommends: libelf.so.1(ELFUTILS_1.7)%{?elf_bits} + +# used by home, cryptsetup, cryptenroll, logind +Recommends: libfido2.so.1%{?elf_suffix} +Recommends: libp11-kit.so.0%{?elf_suffix} +Recommends: libtss2-esys.so.0%{?elf_suffix} +Recommends: libtss2-mu.so.0%{?elf_suffix} +Recommends: libtss2-rc.so.0%{?elf_suffix} + +# https://bugzilla.redhat.com/show_bug.cgi?id=1377733#c9 +Suggests: systemd-bootchart +# https://bugzilla.redhat.com/show_bug.cgi?id=1408878 +Requires: kbd + +# https://bugzilla.redhat.com/show_bug.cgi?id=1753381 +Provides: u2f-hidraw-policy = 1.0.2-40 +Obsoletes: u2f-hidraw-policy < 1.0.2-40 + +# self-obsoletes to install both packages after split of systemd-boot +Obsoletes: systemd-udev < 252.2^ + +Provides: %{name}-repart = %{version}-%{release} + +%description udev +This package contains systemd-udev and the rules and hardware database needed to +manage device nodes. This package is necessary on physical machines and in +virtual machines, but not in containers. + +This package also provides systemd-timesyncd, a network time protocol daemon. + +It also contains tools to manage encrypted home areas and secrets bound to the +machine, and to create or grow partitions and make file systems automatically. 
+ +%package ukify +Summary: Tool to build Unified Kernel Images +Requires: %{name} = %{version}-%{release} + +Requires: (systemd-boot if %{shrink:( + filesystem(x86-32) or + filesystem(x86-64) or + filesystem(aarch64) or + filesystem(riscv64) +)}) +Requires: python3dist(pefile) +Requires: python3dist(zstd) +Requires: python3dist(cryptography) +Recommends: python3dist(pillow) + +# for tests +%ifarch riscv64 +# 2.42 received support for riscv64 + efi targets +%global binutils_version_req >= 2.42 +%endif +BuildRequires: binutils %{?binutils_version_req} + +BuildArch: noarch + +%description ukify +This package provides ukify, a script that combines a kernel image, an initrd, +with a command line, and possibly PCR measurements and other metadata, into a +Unified Kernel Image (UKI). + +%if 0%{?want_bootloader} +%package boot-unsigned +Summary: UEFI boot manager (unsigned version) + +Provides: systemd-boot-unsigned-%{efi_arch} = %version-%release +Provides: systemd-boot = %version-%release +Provides: systemd-boot%{_isa} = %version-%release +# A provides with just the version, no release or dist, used to build systemd-boot +Provides: version(systemd-boot-unsigned) = %version +Provides: version(systemd-boot-unsigned)%{_isa} = %version + +# self-obsoletes to install both packages after split of systemd-boot +Obsoletes: systemd-udev < 252.2^ + +%description boot-unsigned +systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a +graphical menu to select the entry to boot and an editor for the kernel command +line. systemd-boot supports systems with UEFI firmware only. + +This package contains the unsigned version. Install systemd-boot instead to get +the version that works with Secure Boot. 
+%endif + +%package container +# Name is the same as in Debian +Summary: Tools for containers and VMs +Requires: %{name}%{_isa} = %{version}-%{release} +Requires(post): systemd%{_isa} = %{version}-%{release} +Requires(preun): systemd%{_isa} = %{version}-%{release} +Requires(postun): systemd%{_isa} = %{version}-%{release} +# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394) +Obsoletes: %{name} < 229-5 +# Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040) +Suggests: libcurl-minimal +License: LGPL-2.1-or-later + +%description container +Systemd tools to spawn and manage containers and virtual machines. + +This package contains systemd-nspawn, systemd-vmspawn, machinectl, +systemd-machined, and systemd-importd. + +%package journal-remote +# Name is the same as in Debian +Summary: Tools to send journal events over the network +Requires: %{name}%{_isa} = %{version}-%{release} +License: LGPL-2.1-or-later +Requires: firewalld-filesystem +Provides: %{name}-journal-gateway = %{version}-%{release} +Provides: %{name}-journal-gateway%{_isa} = %{version}-%{release} +Obsoletes: %{name}-journal-gateway < 227-7 +# Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040) +Suggests: libcurl-minimal + +%description journal-remote +Programs to forward journal entries over the network, using encrypted HTTP, and +to write journal files from serialized journal contents. + +This package contains systemd-journal-gatewayd, systemd-journal-remote, and +systemd-journal-upload. + +%package resolved +Summary: Network Name Resolution manager +Requires: %{name}%{_isa} = %{version}-%{release} +Obsoletes: %{name} < 249~~ +Requires: libidn2.so.0%{?elf_suffix} +Requires: libidn2.so.0(IDN2_0.0.0)%{?elf_bits} +Requires(posttrans): grep + +%description resolved +systemd-resolved is a system service that provides network name resolution to +local applications. 
It implements a caching and validating DNS/DNSSEC stub +resolver, as well as an LLMNR and MulticastDNS resolver and responder. + +%package oomd +Summary: A userspace out-of-memory (OOM) killer +Requires: %{name}-udev = %{version}-%{release} +Provides: %{name}-oomd-defaults = %{version}-%{release} +License: LGPL-2.1-or-later + +%description oomd +systemd-oomd is a system service that uses cgroups-v2 and pressure stall +information (PSI) to monitor and take action on processes before an OOM +occurs in kernel space. + +%prep +%autosetup -n %{?commit:%{name}-%{commit}}%{!?commit:%{name}-%{version_no_tilde}} -p1 + +%build +%global ntpvendor %(source /etc/os-release; echo ${ID}) +%{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1} + +CONFIGURE_OPTS=( + -Dmode=%[%{with upstream}?"developer":"release"] + -Dsysvinit-path=/etc/rc.d/init.d + -Drc-local=/etc/rc.d/rc.local + -Ddns-servers= + -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin + -Dservice-watchdog=3min + -Ddev-kvm-mode=0666 + -Dkmod=enabled + -Dxkbcommon=enabled + -Dblkid=enabled + -Dfdisk=enabled + -Dseccomp=enabled + -Dima=true + -Dselinux=enabled + -Dbpf-framework=%[0%{?have_bpf}?"enabled":"disabled"] + -Dapparmor=disabled + -Dpolkit=enabled + -Dxz=%[%{with xz}?"enabled":"disabled"] + -Dzlib=%[%{with zlib}?"enabled":"disabled"] + -Dbzip2=%[%{with bzip2}?"enabled":"disabled"] + -Dlz4=%[%{with lz4}?"enabled":"disabled"] + -Dzstd=%[%{with zstd}?"enabled":"disabled"] + -Dpam=enabled + -Dacl=enabled + -Dsmack=true + -Dopenssl=enabled + -Dcryptolib=openssl + -Dp11kit=enabled + -Dgcrypt=disabled + -Daudit=enabled + -Delfutils=enabled + -Dlibcryptsetup=%[%{with bootstrap}?"disabled":"enabled"] + -Delfutils=enabled + -Drepart=enabled + -Dpwquality=enabled + -Dqrencode=%[%{defined rhel}?"disabled":"enabled"] + -Dmicrohttpd=enabled + -Dlibiptc=disabled + -Dlibcurl=enabled + -Dlibfido2=enabled + -Dxenctrl=%[0%{?have_xen}?"enabled":"disabled"] + -Defi=true + -Dtpm=true + -Dtpm2=enabled + -Dhwdb=true + 
-Dsysusers=true + -Ddefault-kill-user-processes=false + -Dfirst-boot-full-preset=true + -Ddefault-network=true + -Dtests=unsafe + -Dinstall-tests=false + -Dnobody-user=nobody + -Dnobody-group=nobody + -Dcompat-mutable-uid-boundaries=true + -Dsplit-bin=true + -Db_ndebug=false + -Dman=%[%{with docs}?"enabled":"disabled"] + -Dversion-tag=%{version}%[%{without upstream}?"-%{release}":""] + # https://bugzilla.redhat.com/show_bug.cgi?id=1906010 + -Dshared-lib-tag=%{version_no_tilde}%[%{without upstream}?"-%{release}":""] + -Dlink-executor-shared=false + -Dfallback-hostname="localhost" + -Ddefault-dnssec=no + -Ddefault-dns-over-tls=no + # https://bugzilla.redhat.com/show_bug.cgi?id=1867830 + -Ddefault-mdns=no + # https://bugzilla.redhat.com/show_bug.cgi?id=2028169 + -Dstatus-unit-format-default=combined + -Dconfigfiledir=/usr/lib + -Doomd=true + + -Dadm-gid=4 + -Dtty-gid=5 + -Ddisk-gid=6 + -Dlp-gid=7 + -Dkmem-gid=9 + -Dwheel-gid=10 + -Dcdrom-gid=11 + -Ddialout-gid=18 + -Dutmp-gid=22 + -Dtape-gid=33 + -Dkvm-gid=36 + -Dvideo-gid=39 + -Daudio-gid=63 + -Dusers-gid=100 + -Dinput-gid=104 + -Drender-gid=105 + -Dsgx-gid=106 + -Dsystemd-journal-gid=190 + -Dsystemd-network-uid=192 + -Dsystemd-resolve-uid=193 + # -Dsystemd-timesync-uid=, not set yet + + # For now, let's build the bootloader in the same places where we + # built with gnu-efi. Later on, we might want to extend coverage, but + # considering that that support is untested, let's not do this now. 
+ -Dbootloader=%[%{?want_bootloader}?"enabled":"disabled"] + -Dukify=enabled + + # RHEL10 bootstrapping + -Dstandalone-binaries=false + -Dnscd=false + -Dportabled=false + -Dmountfsd=false + -Dhomed=disabled + -Dnetworkd=false + -Dtimesyncd=false + -Dcreate-log-dirs=false + -Dnsresourced=false + -Dfirstboot=true + -Dvmspawn=disabled + -Dstoragetm=false + -Dhtml=disabled + -Ddefault-net-naming-scheme=rhel-10.0-beta + -Ddefault-llmnr=no + -Ddns-over-tls=openssl + -Dntp-servers= + -Dsupport-url=https://access.redhat.com/support + -Dlibidn=disabled + -Dgnutls=disabled + -Ddefault-compression=zstd + # https://issues.redhat.com/browse/RHEL-16810 + -Dsbat-distro-url=mailto:secalert@redhat.com + -Dsshconfdir=no + -Dsshdconfdir=no + -Duserdb=false +) + +%if %{without lto} +%global _lto_cflags %nil +%endif + +{ %meson "${CONFIGURE_OPTS[@]}" %{?meson_extra_configure_options} ; } + +%meson_build + +new_triggers=%{_vpath_builddir}/src/rpm/triggers.systemd.sh +if ! diff -u %{SOURCE1} ${new_triggers}; then + echo -e "\n\n\nWARNING: triggers.systemd in Source1 is different!" + echo -e " cp $PWD/${new_triggers} %{SOURCE1}\n\n\n" + sleep 5 +fi + +%install +%meson_install + +# udev links +mkdir -p %{buildroot}/%{_sbindir} +ln -sf ../bin/udevadm %{buildroot}%{_sbindir}/udevadm + +# Compatiblity and documentation files +touch %{buildroot}/etc/crypttab +chmod 600 %{buildroot}/etc/crypttab + +# Config files that were moved under /usr. +# We need to %ghost them so that they are not removed on upgrades. 
+touch %{buildroot}/etc/systemd/coredump.conf \ + %{buildroot}/etc/systemd/journald.conf \ + %{buildroot}/etc/systemd/journal-remote.conf \ + %{buildroot}/etc/systemd/journal-upload.conf \ + %{buildroot}/etc/systemd/logind.conf \ + %{buildroot}/etc/systemd/oomd.conf \ + %{buildroot}/etc/systemd/pstore.conf \ + %{buildroot}/etc/systemd/resolved.conf \ + %{buildroot}/etc/systemd/sleep.conf \ + %{buildroot}/etc/systemd/system.conf \ + %{buildroot}/etc/systemd/user.conf \ + %{buildroot}/etc/udev/udev.conf \ + %{buildroot}/etc/udev/iocost.conf + +install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3} + +# /etc/initab +install -Dm0644 -t %{buildroot}/etc/ %{SOURCE6} + +# /etc/sysctl.conf compat +install -Dm0644 %{SOURCE7} %{buildroot}/etc/sysctl.conf +ln -s ../sysctl.conf %{buildroot}/etc/sysctl.d/99-sysctl.conf + +# Make sure these directories are properly owned +mkdir -p %{buildroot}%{system_unit_dir}/basic.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/default.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/dbus.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/syslog.target.wants +mkdir -p %{buildroot}/run +mkdir -p %{buildroot}%{_localstatedir}/log +touch %{buildroot}%{_localstatedir}/log/lastlog +chmod 0664 %{buildroot}%{_localstatedir}/log/lastlog +touch %{buildroot}/run/utmp +touch %{buildroot}%{_localstatedir}/log/{w,b}tmp + +# Make sure the user generators dir exists too +mkdir -p %{buildroot}%{pkgdir}/system-generators +mkdir -p %{buildroot}%{pkgdir}/user-generators + +# Create new-style configuration files so that we can ghost-own them +touch %{buildroot}%{_sysconfdir}/hostname +touch %{buildroot}%{_sysconfdir}/vconsole.conf +touch %{buildroot}%{_sysconfdir}/locale.conf +touch %{buildroot}%{_sysconfdir}/machine-id +touch %{buildroot}%{_sysconfdir}/machine-info +touch %{buildroot}%{_sysconfdir}/localtime +mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d +touch %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/00-keyboard.conf + +# Make sure the 
shutdown/sleep drop-in dirs exist +mkdir -p %{buildroot}%{pkgdir}/system-shutdown/ +mkdir -p %{buildroot}%{pkgdir}/system-sleep/ + +# Make sure directories in /var exist +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/coredump +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/catalog +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/backlight +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/linger +mkdir -p %{buildroot}%{_localstatedir}/lib/private +mkdir -p %{buildroot}%{_localstatedir}/log/private +mkdir -p %{buildroot}%{_localstatedir}/cache/private +mkdir -p %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload +ln -s ../private/systemd/journal-upload %{buildroot}%{_localstatedir}/lib/systemd/journal-upload +mkdir -p %{buildroot}%{_localstatedir}/log/journal +touch %{buildroot}%{_localstatedir}/lib/systemd/catalog/database +touch %{buildroot}%{_sysconfdir}/udev/hwdb.bin +touch %{buildroot}%{_localstatedir}/lib/systemd/random-seed +touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state + +# Install yum protection fragment +install -Dm0644 %{SOURCE5} %{buildroot}/etc/dnf/protected.d/systemd.conf + +install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE8} %{SOURCE9} + +# Install additional docs +# https://bugzilla.redhat.com/show_bug.cgi?id=1234951 +install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE10} + +# https://bugzilla.redhat.com/show_bug.cgi?id=1378974 +install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE11} + +install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13} + +# systemd-oomd default configuration +install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/oomd.conf.d/ %{SOURCE14} +install -Dm0644 -t %{buildroot}%{system_unit_dir}/system.slice.d/ %{SOURCE15} +install -Dm0644 -t %{buildroot}%{user_unit_dir}/slice.d/ %{SOURCE15} + +# 
https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount +install -Dm0644 -t %{buildroot}%{_prefix}/lib/sysctl.d/ %{SOURCE17} + +sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py || : + +install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/macros.d/ %{SOURCE21} +# Use rpm's own sysusers provides where available +%if ! (0%{?fedora} >= 39 || 0%{?rhel} >= 10) +install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/fileattrs/ %{SOURCE22} +install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE23} +%endif +install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE24} + +# https://bugzilla.redhat.com/show_bug.cgi?id=2107754 +install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/network/ %{SOURCE25} + +ln -s --relative %{buildroot}%{_bindir}/kernel-install %{buildroot}%{_sbindir}/installkernel + +%if "%{_sbindir}" == "%{_bindir}" +# Systemd has the split-sbin option which is also used to select the directory +# for alias symlinks. We need to keep split-sbin=true for now, to support +# unmerged systems. Move the symlinks here instead. +mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/ +%endif + +%if 0%{?fedora} >= 41 +# This requires https://pagure.io/setup/pull-request/50 +# and https://src.fedoraproject.org/rpms/setup/pull-request/10. 
+%{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf +rm %{buildroot}/usr/lib/sysusers.d/basic.conf +%endif + +# We don't want to ship systemd-ssh-generator and it is not possible to disable it via meson_options.txt +# OpenScanHub doesn't build man pages, so let's not fail when they are not present +rm %{buildroot}%{_prefix}/lib/systemd/system-generators/systemd-ssh-generator +rm %{buildroot}%{_prefix}/lib/systemd/system/ssh-access.target +rm %{buildroot}%{_prefix}/lib/systemd/systemd-ssh-proxy +rm %{buildroot}%{_mandir}/man1/systemd-ssh-proxy.1 || : +rm %{buildroot}%{_mandir}/man8/systemd-ssh-generator.8 || : + +%find_lang %{name} + +# Split files in build root into rpms +python3 %{SOURCE2} %buildroot %{!?want_bootloader:--no-bootloader} + +%check +%if %{with tests} +meson test -C %{_vpath_builddir} -t 6 --print-errorlogs +%endif + +############################################################################################# + +%include %{SOURCE1} + +%post +systemd-machine-id-setup &>/dev/null || : + +[ $1 -eq 1 ] || exit 0 + +[ -w %{_localstatedir} ] && journalctl --update-catalog || : +systemd-sysusers || : +systemd-tmpfiles --create &>/dev/null || : + +# We reset the enablement of all services upon initial installation +# https://bugzilla.redhat.com/show_bug.cgi?id=1118740#c23 +# This will fix up enablement of any preset services that got installed +# before systemd due to rpm ordering problems: +# https://bugzilla.redhat.com/show_bug.cgi?id=1647172. +# We also do this for user units, see +# https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units. 
+systemctl preset-all &>/dev/null || : +systemctl --global preset-all &>/dev/null || : + +%postun +if [ $1 -ge 1 ]; then + [ -w %{_localstatedir} ] && journalctl --update-catalog || : + + systemctl daemon-reexec || : + + systemd-tmpfiles --create &>/dev/null || : +fi + +%systemd_postun_with_restart systemd-timedated.service systemd-hostnamed.service systemd-journald.service systemd-localed.service + +# FIXME: systemd-logind.service is excluded (https://github.com/systemd/systemd/pull/17558) + +# This is the expanded form of %%systemd_user_daemon_reexec. We +# can't use the macro because we define it ourselves. +if [ $1 -ge 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then + # Package upgrade, not uninstall + /usr/lib/systemd/systemd-update-helper user-reexec || : +fi + +%triggerun -- systemd < 256 +# This is for upgrades from previous versions before systemd restart was moved to %%postun +systemctl daemon-reexec || : + +%triggerpostun -- systemd < 256-9 +if [ -L /etc/ssh/sshd_config.d/20-systemd-userdb.conf ] && \ + [ "$(readlink -m /etc/ssh/sshd_config.d/20-systemd-userdb.conf)" = "/usr/lib/systemd/sshd_config.d/20-systemd-userdb.conf" ] ; then + rm -f /etc/ssh/sshd_config.d/20-systemd-userdb.conf || : +fi + +%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket %{?want_bootloader:systemd-boot-update.service} systemd-pstore.service remote-cryptsetup.target + +%post udev +# Move old stuff around in /var/lib +mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null +mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null + +udevadm hwdb --update &>/dev/null + +%systemd_post %udev_services + +# Try to save the random seed, but don't complain if /dev/urandom is unavailable +/usr/lib/systemd/systemd-random-seed save 2>&1 | \ + grep -v 'Failed to open /dev/urandom' || : + +# Replace obsolete keymaps +# 
https://bugzilla.redhat.com/show_bug.cgi?id=1151958 +grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && + sed -i.rpm.bak -r 's/^KEYMAP="?fi-latin[19]"?/KEYMAP="fi"/' /etc/vconsole.conf || : + +%preun udev +%systemd_preun %udev_services + +%postun udev +# Restart some services. +# Others are either oneshot services, or sockets, and restarting them causes issues (#1378974) +%systemd_postun_with_restart systemd-udevd.service + + +%global journal_remote_units_restart systemd-journal-gatewayd.service systemd-journal-remote.service systemd-journal-upload.service +%global journal_remote_units_norestart systemd-journal-gatewayd.socket systemd-journal-remote.socket +%post journal-remote +%systemd_post %journal_remote_units_restart %journal_remote_units_norestart +%firewalld_reload + +%preun journal-remote +%systemd_preun %journal_remote_units_restart %journal_remote_units_norestart +if [ $1 -eq 1 ] ; then + if [ -f %{_localstatedir}/lib/systemd/journal-upload/state -a ! -L %{_localstatedir}/lib/systemd/journal-upload ] ; then + mkdir -p %{_localstatedir}/lib/private/systemd/journal-upload + mv %{_localstatedir}/lib/systemd/journal-upload/state %{_localstatedir}/lib/private/systemd/journal-upload/. 
+ rmdir %{_localstatedir}/lib/systemd/journal-upload || : + fi +fi + +%postun journal-remote +%systemd_postun_with_restart %journal_remote_units_restart +%firewalld_reload + +%post resolved +%systemd_post systemd-resolved.service + +%preun resolved +if [ $1 -eq 0 ] ; then + systemctl disable --quiet \ + systemd-resolved.service \ + >/dev/null || : + if [ -L /etc/resolv.conf ] && \ + realpath /etc/resolv.conf | grep ^/run/systemd/resolve/; then + rm -f /etc/resolv.conf # no longer useful + # if network manager is enabled, move to it instead + [ -f /run/NetworkManager/resolv.conf ] && \ + systemctl -q is-enabled NetworkManager.service &>/dev/null && \ + ln -fsv ../run/NetworkManager/resolv.conf /etc/resolv.conf + fi +fi + +%postun resolved +%systemd_postun_with_restart systemd-resolved.service + +%pre +getent group systemd-oom &>/dev/null || groupadd -r systemd-oom 2>&1 || : +getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /sbin/nologin -c "systemd Userspace OOM Killer" systemd-oom &>/dev/null || : + +%preun oomd +%systemd_preun systemd-oomd.service + +%post oomd +%systemd_post systemd-oomd.service + +%postun oomd +%systemd_postun_with_restart systemd-oomd.service + +%global _docdir_fmt %{name} + +%files -f %{name}.lang -f .file-list-main +%doc %{_pkgdocdir} +%exclude %{_pkgdocdir}/LICENSE* +# Only the licenses texts for the licenses in License line are included. 
+%license LICENSE.GPL2 +%license LICENSES/MIT.txt +%ghost %dir %attr(0755,-,-) /etc/systemd/system/basic.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/bluetooth.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/default.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/getty.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/graphical.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/local-fs.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/machines.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/multi-user.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/network-online.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/printer.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/remote-fs.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/sockets.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/sysinit.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants +%ghost %dir %attr(0700,-,-) /var/lib/portables +%ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd + +%files libs -f .file-list-libs +%license LICENSE.LGPL2.1 + +%files pam -f .file-list-pam + +%files rpm-macros -f .file-list-rpm-macros + +%files resolved -f .file-list-resolve + +%files devel -f .file-list-devel + +%files udev -f .file-list-udev + +%files ukify -f .file-list-ukify +%if 0%{?want_bootloader} +%files boot-unsigned -f .file-list-boot +%endif + +%files container -f .file-list-container +%ghost %dir %attr(0700,-,-) /var/lib/machines + +%files journal-remote -f .file-list-remote + +%files oomd -f .file-list-oomd + +%clean +rm -rf $RPM_BUILD_ROOT +rm -f 10-timeout-abort.conf.user +rm -f .file-list-* +rm -f %{name}.lang + +%changelog +* Fri Oct 25 2024 MSVSphere Packaging Team - 256-14 +- Rebuilt for MSVSphere 10 + +* Fri Aug 30 2024 systemd maintenance 
team - 256-14 +- Revert "cgroup-util: Don't try to open pidfd for kernel threads" (RHEL-52634) +- ukify: Skip test on architectures without UEFI (RHEL-52634) + +* Thu Aug 22 2024 systemd maintenance team - 256-13 +- systemctl: do not try to acquire triggering units for template units (RHEL-55132) +- core/unit: add one assertion for u->manager (RHEL-55734) +- core/service: destroy runtime data when Type=oneshot services exit (RHEL-55734) +- cgroup-util: Ignore kernel threads in cg_kill_items() (RHEL-55746) +- cgroup-util: Don't try to open pidfd for kernel threads (RHEL-55746) +- cgroup-util: fix typo (RHEL-55746) +- netif-naming-scheme: rename rhel-10.0 to rhel-10.0.beta (RHEL-55728) +- net-naming-scheme: disable NAMING_FIRMWARE_NODE_SUN (RHEL-55728) +- net-naming-scheme: remove NAMING_FIRMWARE_NODE_SUN from 9.5 (RHEL-55728) +- make systemd-ukify subpackage arch dependent (RHEL-52634) + +* Thu Aug 15 2024 systemd maintenance team - 256-12 +- netif-naming-scheme: add rhel-9.5 scheme (RHEL-44416) +- udev-builtin-net_id: use firmware_node/sun for ID_NET_NAME_SLOT (RHEL-44416) +- man/net-naming-scheme: add missing period (RHEL-44416) +- Revert "packit: drop the dependency on python3-zstd" (RHEL-36636) + +* Tue Jul 30 2024 systemd maintenance team - 256-11 +- fix OpenScanHub builds (RHEL-40924) + +* Mon Jul 29 2024 systemd maintenance team - 256-10 +- fix updgrade from versions before removal of systemd-ssh-generator - follow-up (RHEL-50131) + +* Thu Jul 25 2024 systemd maintenance team - 256-9 +- fix updgrade from versions before removal of systemd-ssh-generator (RHEL-50131) + +* Tue Jul 23 2024 systemd maintenance team - 256-8 +- Avoid /tmp being mounted as tmpfs without the user's will (RHEL-40924) +- unit: don't add Requires for tmp.mount (RHEL-40924) +- units: add [Install] section to tmp.mount (RHEL-40924) +- units: don't enable tmp.mount statically in local-fs.target (RHEL-40924) + +* Mon Jul 22 2024 systemd maintenance team - 256-7 +- drop 10-timeout-abort.conf 
snippet (RHEL-46280) +- don't ship systemd-userdbd (RHEL-46280) + +* Fri Jul 19 2024 systemd maintenance team - 256-6 +- doc: add downstream CONTRIBUTING document (RHEL-40924) +- ci: allow `policy` as rhel-only keyword (RHEL-40924) +- ci: run mkosi test only for Fedora and CentOS Stream (RHEL-40924) +- taint: remove unused variable `usr_sbin` (RHEL-40924) +- packit: drop the libarchive workaround (RHEL-40924) +- packit: drop the dependency on python3-zstd (RHEL-40924) +- coredump: by default process and store core files up to 1GiB (RHEL-46778) +- don't ship systemd-ssh-generator harder (RHEL-40924) + +* Wed Jul 17 2024 systemd maintenance team - 256-5 +- don't ship systemd-ssh-generator (RHEL-40924) + +* Tue Jul 16 2024 systemd maintenance team - 256-4 +- reenable systemd-firstboot (RHEL-48822) +- don't create /var/log/journal (RHEL-40924) + +* Mon Jul 08 2024 systemd maintenance team - 256-3 +- taint: remove unmerged-bin (RHEL-46277) +- presets: remove resolved (RHEL-46576) +- remove resolved scriptlets +- don't install tests + +* Thu Jul 04 2024 systemd maintenance team - 256-2 +- logind: set RemoveIPC to false by default (RHEL-40924) +- tmpfiles: don't create resolv.conf -> stub-resolv.conf symlink (RHEL-40924) +- rc-local: order after network-online.target (RHEL-40924) +- random-util: increase random seed size to 1024 (RHEL-40924) +- journal: don't enable systemd-journald-audit.socket by default (RHEL-40924) +- journald.conf: don't touch current audit settings (RHEL-40924) +- rules: add elevator= kernel command line parameter (RHEL-40924) +- pid1: bump DefaultTasksMax to 80% of the kernel pid.max value (RHEL-40924) +- udev/net-setup-link: change the default MACAddressPolicy to "none" (RHEL-40924) +- core: decrease log level of messages about use of KillMode=none (RHEL-40924) +- meson: rename libbasic to libbasic_static (RHEL-46020) +- meson: build libsystemd-core via an intermediate static library (RHEL-46020) +- meson: add option to build systemd-executor 
"statically" (RHEL-46020) + +* Wed Jun 26 2024 Jan Macku - 256-1 +- Initial import and bootsprap from Fedora + * remove standalone packages + * remove networkd package + * remove homed + * remove portabled + * remove timesyncd + * remove tests package + * move oomd to separate package + * revert bin-sbin merge related changes +- remove autorelease stuff + * for changelog history see changelog file +- rules: copy 40-redhat.rules from RHEL 9 (RHEL-40360) +- net-naming-scheme: start rhel10 naming and include rhel8 and rhel9 ones (RHEL-22621) +- fedora: use system-auth in pam systemd-user (RHEL-40924) +- tmpfiles: make --purge hard to (mis-)use (RHEL-40924) +- journal: again create user journals for users with high uids (RHEL-40924) +- (origin/rhel-10.0.beta, rhel-10.0.beta) ci: allow to pass parameters together with rhel-only note (RHEL-36636) +- ci: reconfigure Packit for RHEL 10 (RHEL-36636) +- ci: deploy systemd man to GitHub Pages (RHEL-36636) +- ci: setup source-git automation (RHEL-36636) +- ci: update workflows to run on source-git setup (RHEL-36636)
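Review bot: the ukify subpackage still declares `BuildArch: noarch` (with the rich `Requires: (systemd-boot if ... filesystem(x86-64) ...)` workaround that only makes sense for a noarch package), yet the 256-13 changelog entry says "make systemd-ukify subpackage arch dependent (RHEL-52634)"; one of the two is stale, so either drop `BuildArch: noarch` and the rich dependency to match the changelog or correct the changelog. Two smaller style points in the same region: `-Delfutils=enabled` appears twice in CONFIGURE_OPTS (drop one), and `%global ntpvendor %(source /etc/os-release; echo ${ID})` is computed (and a build failure is threatened if it is unset) but never referenced, since `-Dntp-servers=` is empty and `-Dtimesyncd=false`; remove it or wire it into the ntp-servers option.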
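Review bot: the unqualified `%pre` scriptlet that runs `groupadd -r systemd-oom` / `useradd -r -l -g systemd-oom ... systemd-oom` belongs to the main package, but the account is only needed by the oomd subpackage (which depends on `%{name}-udev`, not on a main-package scriptlet), and with `-Dsysusers=true` plus `systemd-sysusers || :` already run in the main `%post` the same account is also created by the sysusers.d fragment; move it to `%pre oomd` or drop it in favour of sysusers so there is one mechanism. In the resolved subpackage, `Requires(posttrans): grep` matches no `%posttrans resolved` scriptlet; grep is actually used in `%preun resolved` (`realpath /etc/resolv.conf | grep ^/run/systemd/resolve/`), so it should be `Requires(preun): grep`, and that grep wants `-q` so the matched path is not echoed into the transaction output.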
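Review bot: the only MSVSphere-specific change visible is the changelog entry "Rebuilt for MSVSphere 10", while `-Dsbat-distro-url=mailto:secalert@redhat.com` and `-Dsupport-url=https://access.redhat.com/support` still identify Red Hat; when `want_bootloader` is set, the SBAT section compiled into systemd-boot-unsigned will name Red Hat's security contact for a binary Red Hat did not build, so either rebrand these options or record in the spec that this is intentional. The two top changelog entries also share the version-release `256-14`, so this rebuild cannot be distinguished from the Red Hat build by EVR; bump the release or make sure a distinct dist tag is in effect. Finally, verify the naming-scheme spelling: CONFIGURE_OPTS passes `-Ddefault-net-naming-scheme=rhel-10.0-beta` (hyphen) while the 256-13 entry reads "rename rhel-10.0 to rhel-10.0.beta" (dot); the option value must match the name in the naming-scheme table exactly or the default will not resolve to the intended scheme.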