.gitignore vendored

@ -1,3 +1 @@
SOURCES/rhel-net-naming-sysattrs-v0.5.tar.gz
SOURCES/systemd-252.tar.gz
SOURCES/systemd-container-coredump.pp.bz2
SOURCES/systemd-256.tar.gz

@ -1,3 +1 @@
9ce6834429dbb9cb049de1bdf77bc8c84763709c SOURCES/rhel-net-naming-sysattrs-v0.5.tar.gz
7c961dc6e8bb950825b85129f59dc80f4536cabb SOURCES/systemd-252.tar.gz
36eac49c362dc6e142f23b570a9a6b75f7547250 SOURCES/systemd-container-coredump.pp.bz2
0d5b0f0799d3a803ba1fe03e4136cecdbf3837db SOURCES/systemd-256.tar.gz

@ -0,0 +1,3 @@
[suppress_file]
# Those shared objects are private to systemd
file_name_regexp=libsystemd-(shared|core)-.*.so
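Review bot: The pattern on the file_name_regexp line is unanchored and its dots are unescaped, so if libabigail applies it as an ordinary regex search (its documentation calls the field a regular expression) `libsystemd-(shared|core)-.*.so` also suppresses any file whose name merely contains that substring, such as a debug or sidecar file ending in `.solist` or a path component that happens to match. Pinning it to the intended private objects is a one-line change: `file_name_regexp=^libsystemd-(shared|core)-.*\.so$`. The comment above it could also say why these are excluded from ABI checking, e.g. `# Private to systemd, not ABI: shipped with a version-specific name and never linked against by third parties.`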

@ -1,9 +1,8 @@
From d9328ee5e53d1901af9396ae3e0b2dd05f731781 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 14 Nov 2022 09:25:37 +0100
From 1c27c902ad8316f490648a0e4415abd51b450b1a Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Tue, 11 Jun 2024 23:04:12 +0100
Subject: [PATCH] Create CNAME
Related: #2138081
---
docs/CNAME | 1 +
1 file changed, 1 insertion(+)

@ -1,78 +0,0 @@
From 87bf366c97be1c811c4bfdf80b48d6c3e35da76a Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Tue, 25 Oct 2022 19:55:08 +0200
Subject: [PATCH] macro: Simply case macros for IN_SET
The CASE param would normally provide the operation for the compiler to
do in this macro magic. But in this case CASE_F_1 was hardcoding the
operation, making the parameter moot.
This just removes the somewhat pointless parameter instead of fixing
the one case. These macros are used for IN_SET case labels only and
not named generically anyways.
(cherry picked from commit 790f4dda74d7ecdb4e57101a37cc9f2f9236bef6)
Related #2138081
---
src/fundamental/macro-fundamental.h | 43 ++++++++++++++---------------
1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 2536c741c6..63f4c49e78 100644
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -251,33 +251,32 @@
(UNIQ_T(X, xq) / UNIQ_T(Y, yq) + !!(UNIQ_T(X, xq) % UNIQ_T(Y, yq))); \
})
-#define CASE_F(X) case X:
-#define CASE_F_1(CASE, X) CASE_F(X)
-#define CASE_F_2(CASE, X, ...) CASE(X) CASE_F_1(CASE, __VA_ARGS__)
-#define CASE_F_3(CASE, X, ...) CASE(X) CASE_F_2(CASE, __VA_ARGS__)
-#define CASE_F_4(CASE, X, ...) CASE(X) CASE_F_3(CASE, __VA_ARGS__)
-#define CASE_F_5(CASE, X, ...) CASE(X) CASE_F_4(CASE, __VA_ARGS__)
-#define CASE_F_6(CASE, X, ...) CASE(X) CASE_F_5(CASE, __VA_ARGS__)
-#define CASE_F_7(CASE, X, ...) CASE(X) CASE_F_6(CASE, __VA_ARGS__)
-#define CASE_F_8(CASE, X, ...) CASE(X) CASE_F_7(CASE, __VA_ARGS__)
-#define CASE_F_9(CASE, X, ...) CASE(X) CASE_F_8(CASE, __VA_ARGS__)
-#define CASE_F_10(CASE, X, ...) CASE(X) CASE_F_9(CASE, __VA_ARGS__)
-#define CASE_F_11(CASE, X, ...) CASE(X) CASE_F_10(CASE, __VA_ARGS__)
-#define CASE_F_12(CASE, X, ...) CASE(X) CASE_F_11(CASE, __VA_ARGS__)
-#define CASE_F_13(CASE, X, ...) CASE(X) CASE_F_12(CASE, __VA_ARGS__)
-#define CASE_F_14(CASE, X, ...) CASE(X) CASE_F_13(CASE, __VA_ARGS__)
-#define CASE_F_15(CASE, X, ...) CASE(X) CASE_F_14(CASE, __VA_ARGS__)
-#define CASE_F_16(CASE, X, ...) CASE(X) CASE_F_15(CASE, __VA_ARGS__)
-#define CASE_F_17(CASE, X, ...) CASE(X) CASE_F_16(CASE, __VA_ARGS__)
-#define CASE_F_18(CASE, X, ...) CASE(X) CASE_F_17(CASE, __VA_ARGS__)
-#define CASE_F_19(CASE, X, ...) CASE(X) CASE_F_18(CASE, __VA_ARGS__)
-#define CASE_F_20(CASE, X, ...) CASE(X) CASE_F_19(CASE, __VA_ARGS__)
+#define CASE_F_1(X) case X:
+#define CASE_F_2(X, ...) case X: CASE_F_1( __VA_ARGS__)
+#define CASE_F_3(X, ...) case X: CASE_F_2( __VA_ARGS__)
+#define CASE_F_4(X, ...) case X: CASE_F_3( __VA_ARGS__)
+#define CASE_F_5(X, ...) case X: CASE_F_4( __VA_ARGS__)
+#define CASE_F_6(X, ...) case X: CASE_F_5( __VA_ARGS__)
+#define CASE_F_7(X, ...) case X: CASE_F_6( __VA_ARGS__)
+#define CASE_F_8(X, ...) case X: CASE_F_7( __VA_ARGS__)
+#define CASE_F_9(X, ...) case X: CASE_F_8( __VA_ARGS__)
+#define CASE_F_10(X, ...) case X: CASE_F_9( __VA_ARGS__)
+#define CASE_F_11(X, ...) case X: CASE_F_10( __VA_ARGS__)
+#define CASE_F_12(X, ...) case X: CASE_F_11( __VA_ARGS__)
+#define CASE_F_13(X, ...) case X: CASE_F_12( __VA_ARGS__)
+#define CASE_F_14(X, ...) case X: CASE_F_13( __VA_ARGS__)
+#define CASE_F_15(X, ...) case X: CASE_F_14( __VA_ARGS__)
+#define CASE_F_16(X, ...) case X: CASE_F_15( __VA_ARGS__)
+#define CASE_F_17(X, ...) case X: CASE_F_16( __VA_ARGS__)
+#define CASE_F_18(X, ...) case X: CASE_F_17( __VA_ARGS__)
+#define CASE_F_19(X, ...) case X: CASE_F_18( __VA_ARGS__)
+#define CASE_F_20(X, ...) case X: CASE_F_19( __VA_ARGS__)
#define GET_CASE_F(_1,_2,_3,_4,_5,_6,_7,_8,_9,_10,_11,_12,_13,_14,_15,_16,_17,_18,_19,_20,NAME,...) NAME
#define FOR_EACH_MAKE_CASE(...) \
GET_CASE_F(__VA_ARGS__,CASE_F_20,CASE_F_19,CASE_F_18,CASE_F_17,CASE_F_16,CASE_F_15,CASE_F_14,CASE_F_13,CASE_F_12,CASE_F_11, \
CASE_F_10,CASE_F_9,CASE_F_8,CASE_F_7,CASE_F_6,CASE_F_5,CASE_F_4,CASE_F_3,CASE_F_2,CASE_F_1) \
- (CASE_F,__VA_ARGS__)
+ (__VA_ARGS__)
#define IN_SET(x, ...) \
({ \

@ -1,25 +0,0 @@
From 0c372e24bb30c25beccd76c071baca22258e71c9 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 26 Oct 2022 03:28:08 +0900
Subject: [PATCH] macro: fix indentation
(cherry picked from commit e967926b092d8635b3da28fc4ca492009e32228f)
Related #2138081
---
src/fundamental/macro-fundamental.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 63f4c49e78..faab16ab31 100644
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -290,7 +290,7 @@
switch (x) { \
FOR_EACH_MAKE_CASE(__VA_ARGS__) \
_found = true; \
- break; \
+ break; \
default: \
break; \
} \

@ -0,0 +1,103 @@
From d918804408801bf46a49018e374ebdfbeae08805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Jun 2024 11:28:21 +0200
Subject: [PATCH] man/systemd: reorder content a bit
Section "Description" didn't actually say what systemd does. And we had a giant
"Concepts" section that actually described units types and other details about
them. So let's move the basic description of functionality to "Description" and
rename the following section to "Units".
The link to the Original Design Document is moved to "See Also", it is of
historical interest mostly at this point.
The only actual change is that when talking about API filesystems, /dev is also
mentioned. (I think /sys+/proc+/dev are the canonical set and should be always
listed on one breath.)
(cherry picked from commit f11aaf7dfb295de429b1567282b19caaba036bba)
---
man/systemd.xml | 49 ++++++++++++++++++++++++-------------------------
1 file changed, 24 insertions(+), 25 deletions(-)
diff --git a/man/systemd.xml b/man/systemd.xml
index 66db5bbf25..f4aa7e06ca 100644
--- a/man/systemd.xml
+++ b/man/systemd.xml
@@ -62,10 +62,29 @@
<filename>user.conf.d</filename> directories. See
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information.</para>
+
+ <para><command>systemd</command> contains native implementations of various tasks that need to be
+ executed as part of the boot process. For example, it sets the hostname or configures the loopback
+ network device. It also sets up and mounts various API file systems, such as <filename>/sys/</filename>,
+ <filename>/proc/</filename>, and <filename>/dev/</filename>.</para>
+
+ <para>Note that some but not all interfaces provided by systemd are covered by the
+ <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
+
+ <para>The D-Bus API of <command>systemd</command> is described in
+ <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
+ url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
+ <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
+ specifications, respectively.</para>
</refsect1>
<refsect1>
- <title>Concepts</title>
+ <title>Units</title>
<para>systemd provides a dependency system between various
entities called "units" of 11 different types. Units encapsulate
@@ -261,34 +280,10 @@
example, start jobs for any of those inactive units getting queued as
well.</para>
- <para>systemd contains native implementations of various tasks
- that need to be executed as part of the boot process. For example,
- it sets the hostname or configures the loopback network device. It
- also sets up and mounts various API file systems, such as
- <filename>/sys/</filename> or <filename>/proc/</filename>.</para>
-
- <para>For more information about the concepts and
- ideas behind systemd, please refer to the
- <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
-
- <para>Note that some but not all interfaces provided by systemd are covered by the
- <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
-
<para>Units may be generated dynamically at boot and system
manager reload time, for example based on other configuration
files or parameters passed on the kernel command line. For details, see
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
-
- <para>The D-Bus API of <command>systemd</command> is described in
- <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- and
- <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- </para>
-
- <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
- url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
- <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
- specifications, respectively.</para>
</refsect1>
<refsect1>
@@ -1558,6 +1553,10 @@
<member><citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
</simplelist></para>
+
+ <para>For more information about the concepts and
+ ideas behind systemd, please refer to the
+ <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
</refsect1>
</refentry>

@ -0,0 +1,43 @@
From f2b5c1ff51b7c7876036c6c722e2a47b696695d9 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 8 May 2024 10:38:11 +0200
Subject: [PATCH] hostnamed: don't allow hostnamed to exit on idle if varlink
connections are still ongoing
And while we are at it, ongoing PK authorizations are also a reason to
block exit on idle.
(cherry picked from commit ac908152b3b43a49f793d225c075423422cd3e33)
---
src/hostname/hostnamed.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index 82d08803fa..fe1216fc1c 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) {
return 0;
}
+static bool context_check_idle(void *userdata) {
+ Context *c = ASSERT_PTR(userdata);
+
+ return varlink_server_current_connections(c->varlink_server) == 0 &&
+ hashmap_isempty(c->polkit_registry);
+}
+
static int run(int argc, char *argv[]) {
_cleanup_(context_destroy) Context context = {
.hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */
@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) {
context.bus,
"org.freedesktop.hostname1",
DEFAULT_EXIT_USEC,
- /* check_idle= */ NULL,
- /* userdata= */ NULL);
+ context_check_idle,
+ &context);
if (r < 0)
return log_error_errno(r, "Failed to run event loop: %m");
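Review bot: context_check_idle() hands c->varlink_server straight to varlink_server_current_connections(); whether that field can still be NULL when the idle callback first runs depends on connect_varlink() and its failure handling, neither of which is visible in this hunk, and the helper's behaviour on NULL decides whether hostnamed ever exits on idle at all, so please confirm the field is always set here or short-circuit with `c->varlink_server ? varlink_server_current_connections(c->varlink_server) == 0 : true`. The new function also has no comment explaining the contract; I would add `/* Keep the daemon alive while varlink clients are connected or a polkit authorization is still in flight, otherwise the peer sees its connection dropped mid-request. */` above it. hashmap_isempty() tolerates a NULL registry, so that half of the expression is fine. run() continues outside the hunk.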

@ -1,61 +0,0 @@
From 5ac8c56f111f2875467422c851a05891c0ec7d1b Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 31 Oct 2022 12:11:59 +0100
Subject: [PATCH] test: add a couple of sanity tests for journalctl
(cherry picked from commit ca46781c5ffa3aaa7a8fb6f09976357d003c4aae)
Related #2138081
---
test/units/testsuite-04.sh | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/test/units/testsuite-04.sh b/test/units/testsuite-04.sh
index b5468cbea4..fdc3273fea 100755
--- a/test/units/testsuite-04.sh
+++ b/test/units/testsuite-04.sh
@@ -119,6 +119,44 @@ systemctl start silent-success
journalctl --sync
[[ -z "$(journalctl -b -q -u silent-success.service)" ]]
+# Exercise the matching machinery
+SYSTEMD_LOG_LEVEL=debug journalctl -b -n 1 /dev/null /dev/zero /dev/null /dev/null /dev/null
+journalctl -b -n 1 /bin/true /bin/false
+journalctl -b -n 1 /bin/true + /bin/false
+journalctl -b -n 1 -r --unit "systemd*"
+
+systemd-run --user -M "testuser@.host" /bin/echo hello
+journalctl --sync
+journalctl -b -n 1 -r --user-unit "*"
+
+(! journalctl -b /dev/lets-hope-this-doesnt-exist)
+(! journalctl -b /dev/null /dev/zero /dev/this-also-shouldnt-exist)
+(! journalctl -b --unit "this-unit-should-not-exist*")
+
+# Facilities & priorities
+journalctl --facility help
+journalctl --facility kern -n 1
+journalctl --facility syslog --priority 0..3 -n 1
+journalctl --facility syslog --priority 3..0 -n 1
+journalctl --facility user --priority 0..0 -n 1
+journalctl --facility daemon --priority warning -n 1
+journalctl --facility daemon --priority warning..info -n 1
+journalctl --facility daemon --priority notice..crit -n 1
+journalctl --facility daemon --priority 5..crit -n 1
+
+(! journalctl --facility hopefully-an-unknown-facility)
+(! journalctl --priority hello-world)
+(! journalctl --priority 0..128)
+(! journalctl --priority 0..systemd)
+
+# Other options
+journalctl --disk-usage
+journalctl --dmesg -n 1
+journalctl --fields
+journalctl --list-boots
+journalctl --update-catalog
+journalctl --list-catalog
+
# Add new tests before here, the journald restarts below
# may make tests flappy.

@ -1,25 +0,0 @@
From b1a2687cf5b419d6928d024f26aabe1de8ff7727 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 31 Oct 2022 21:17:47 +0000
Subject: [PATCH] man: fix typo found by Lintian
(cherry picked from commit 84033dd40588dbf4f57a746c141fe7d111247a93)
Related #2138081
---
man/loader.conf.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/loader.conf.xml b/man/loader.conf.xml
index 3ee42cdb73..7f173aec61 100644
--- a/man/loader.conf.xml
+++ b/man/loader.conf.xml
@@ -236,7 +236,7 @@
<para>The different sets of variables can be set up under <filename>/loader/keys/<replaceable>NAME</replaceable></filename>
where <replaceable>NAME</replaceable> is the name that is going to be used as the name of the entry.
- This allows to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime.</para>
+ This allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime.</para>
<para>Supported secure boot variables are one database for authorized images, one key exchange key (KEK)
and one platform key (PK). For more information, refer to the <ulink url="https://uefi.org/specifications">UEFI specification</ulink>,

@ -0,0 +1,30 @@
From 0d573787ea1610ba57a359cf437841f62b186e77 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 12 Jun 2024 00:48:56 +0900
Subject: [PATCH] sd-dhcp-server: clear buffer before receive
I do not think this is necessary, but all other places in
libsystemd-network we clear buffer before receive. Without this,
Coverity warns about use-of-uninitialized-values.
Let's silence Coverity.
Closes CID#1469721.
(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62)
---
src/libsystemd-network/sd-dhcp-server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index c3b0f82dc4..4967f066dc 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd,
/* Preallocate the additional size for DHCP Relay Agent Information Option if needed */
buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
- message = malloc(buflen);
+ message = malloc0(buflen);
if (!message)
return -ENOMEM;

@ -0,0 +1,29 @@
From a3d94332a2b5128697373d3093c1cfa56649ec61 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 10 Jun 2024 12:59:58 +0200
Subject: [PATCH] rules: Limit the number of device units generated for serial
ttys
As per the suggestion in https://github.com/systemd/systemd/issues/33242.
This reduces the number of /dev/ttySXX device units generated in
mkosi from 32 to 4.
(cherry picked from commit dc38f9addd04c34d1fd743efc407bdebb3573d05)
---
rules.d/99-systemd.rules.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
index ad0c7e2fb5..8ba6f177f8 100644
--- a/rules.d/99-systemd.rules.in
+++ b/rules.d/99-systemd.rules.in
@@ -10,6 +10,8 @@
ACTION=="remove", GOTO="systemd_end"
SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
+# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked.
+SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0"
KERNEL=="vport*", TAG+="systemd"
SUBSYSTEM=="ptp", TAG+="systemd"
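Review bot: Once the new rule sets ENV{SYSTEMD_READY}="0" for a port whose port attribute is 0x0, nothing re-evaluates it after an administrator runs `setserial` to assign a real I/O port, and setserial does not, as far as I know, emit a change uevent, so dev-ttySN.device will stay absent until the device is re-triggered; the comment should say so, e.g. extend it with `# After configuring the port with setserial, run "udevadm trigger --action=change /sys/class/tty/ttySN" so the device unit appears.` Please also confirm that the kernels RHEL ships render the 8250 port attribute exactly as `0x0` (upstream prints it as unpadded hex, but any padding would defeat the exact ATTR match and silently disable the exclusion). The rule is placed after the generic TAG+="systemd" line, which is fine since SYSTEMD_READY is honoured independently of the tag.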

@ -1,19 +0,0 @@
From 3d2fc0517d43ff2c5c6fc03ebb68ef9429be5fd4 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 31 Oct 2022 21:18:53 +0000
Subject: [PATCH] test: add +x to assert.sh
The script has a shebang and .sh extension, so make it executable
W: systemd-tests: script-not-executable [usr/lib/systemd/tests/testdata/units/assert.sh]
(cherry picked from commit fb4f7271d9f75a44756b110706cdb53b82f407ce)
Related #2138081
---
test/units/assert.sh | 0
1 file changed, 0 insertions(+), 0 deletions(-)
mode change 100644 => 100755 test/units/assert.sh
diff --git a/test/units/assert.sh b/test/units/assert.sh
old mode 100644
new mode 100755

@ -1,25 +0,0 @@
From a2cb8467652ca36bd5420dc685d5e6b76014c3e1 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 1 Nov 2022 13:10:20 +0900
Subject: [PATCH] parse_hwdb: allow negative value for EVDEV_ABS_ properties
(cherry picked from commit f0b75cda5a3eac3fe953fd1a429a39e077387997)
Related #2138081
---
hwdb.d/parse_hwdb.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hwdb.d/parse_hwdb.py b/hwdb.d/parse_hwdb.py
index c0dde75650..5a1ae5a6a0 100755
--- a/hwdb.d/parse_hwdb.py
+++ b/hwdb.d/parse_hwdb.py
@@ -202,7 +202,7 @@ def property_grammar():
]
abs_props = [Regex(r'EVDEV_ABS_[0-9a-f]{2}')('NAME')
- Suppress('=') -
- Word(nums + ':')('VALUE')
+ Word('-' + nums + ':')('VALUE')
]
grammar = Or(fixed_props + kbd_props + abs_props) + EOL

@ -0,0 +1,81 @@
From 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae Mon Sep 17 00:00:00 2001
From: q66 <q66@chimera-linux.org>
Date: Thu, 6 Jun 2024 13:45:48 +0200
Subject: [PATCH] strbuf: use GREEDY_REALLOC to grow the buffer
This allows us to reserve a bunch of capacity ahead of time,
improving the performance of hwdb significantly thanks to not
having to reallocate so many times.
Before:
```
$ sudo time valgrind --leak-check=full ./systemd-hwdb update
==113297== Memcheck, a memory error detector
==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==113297== Command: ./systemd-hwdb update
==113297==
==113297==
==113297== HEAP SUMMARY:
==113297== in use at exit: 0 bytes in 0 blocks
==113297== total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated
==113297==
==113297== All heap blocks were freed -- no leaks are possible
==113297==
==113297== For lists of detected and suppressed errors, rerun with: -s
==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k
0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps
```
After:
```
$ sudo time valgrind --leak-check=full ./systemd-hwdb update
==112572== Memcheck, a memory error detector
==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==112572== Command: ./systemd-hwdb update
==112572==
==112572==
==112572== HEAP SUMMARY:
==112572== in use at exit: 0 bytes in 0 blocks
==112572== total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated
==112572==
==112572== All heap blocks were freed -- no leaks are possible
==112572==
==112572== For lists of detected and suppressed errors, rerun with: -s
==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k
0inputs+25264outputs (0major+57275minor)pagefaults 0swaps
```
Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93)
---
src/basic/strbuf.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c
index 0617acc8d2..6d43955bb1 100644
--- a/src/basic/strbuf.c
+++ b/src/basic/strbuf.c
@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node,
/* add string, return the index/offset into the buffer */
ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
uint8_t c;
- char *buf_new;
struct strbuf_child_entry *child;
struct strbuf_node *node;
ssize_t off;
@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
}
/* add new string */
- buf_new = realloc(str->buf, str->len + len+1);
- if (!buf_new)
+ if (!GREEDY_REALLOC(str->buf, str->len + len + 1))
return -ENOMEM;
- str->buf = buf_new;
off = str->len;
memcpy(str->buf + off, s, len);
str->len += len;
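Review bot: `GREEDY_REALLOC(str->buf, str->len + len + 1)` keeps the unchecked size_t addition of the old realloc() call, so the hunk inherits rather than introduces the wrap-around risk for absurd inputs; a `if (len > SIZE_MAX - str->len - 1) return -ENOMEM;` guard ahead of it would make this growth path as careful as the rest of systemd's allocators. If this is systemd's usual GREEDY_REALLOC, which over-allocates and derives capacity from malloc_usable_size(), the slack in str->buf is invisible to str->len, so any later trimming or serialization (strbuf_complete() is not in this hunk) must keep using str->len rather than the allocation size. A one-line comment on the call, `/* grow geometrically: hwdb performs over a million adds and a realloc() per add dominated runtime */`, would record why the plain realloc() was replaced. strbuf_add_string() begins and ends outside the hunk.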

@ -1,24 +0,0 @@
From 07aa3fcbb7b4e4cca7b2e9be6e038ab92bfc5fdc Mon Sep 17 00:00:00 2001
From: Youfu Zhang <1315097+zhangyoufu@users.noreply.github.com>
Date: Tue, 1 Nov 2022 13:18:25 +0800
Subject: [PATCH] resolved: fix typo in feature level table
(cherry picked from commit 2ab0042854934827e61076c6e42c7381fdf78fdf)
Related #2138081
---
src/resolve/resolved-dns-server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 9b74a8d6d8..04a4f53ed0 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -1087,6 +1087,6 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE
[DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0",
[DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0",
[DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO",
- [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0",
+ [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+DO",
};
DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel);

@ -0,0 +1,132 @@
From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Fri, 17 May 2024 16:20:11 +0200
Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to
authorization failure
The TPM might be password/pin protected for various reasons even if
there is no SRK yet. Let's handle those cases gracefully instead of
failing the unit as it is enabled by default.
(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199)
---
catalog/systemd.catalog.in | 13 +++++++++++++
src/shared/tpm2-util.c | 2 ++
src/systemd/sd-messages.h | 3 +++
src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++-
units/systemd-tpm2-setup-early.service.in | 3 +++
units/systemd-tpm2-setup.service.in | 3 +++
6 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 3c9a6860da..2831152763 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/
A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been
detached from the system and is no longer available for use. The list of attached
Portable Services can be queried with 'portablectl list'.
+
+-- ad7089f928ac4f7ea00c07457d47ba8a
+Subject: Authorization failure while attempting to enroll SRK into TPM
+Defined-By: systemd
+Support: %SUPPORT_URL%
+Documentation: man:systemd-tpm2-setup.service(8)
+
+An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
+Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
+the TPM.
+
+Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
+protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 87ce53cf95..9603f1837e 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
/* creationData= */ NULL,
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
+ if (rc == TPM2_RC_BAD_AUTH)
+ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate primary key in TPM: %s",
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index e3f68068a8..16e9986be3 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
#define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+
_SD_END_DECLARATIONS;
#endif
diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index 35628fc02a..b95c5e7a58 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -3,6 +3,8 @@
#include <getopt.h>
#include <unistd.h>
+#include "sd-messages.h"
+
#include "build.h"
#include "fd-util.h"
#include "fileio.h"
@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
/* ret_name= */ NULL,
/* ret_qname= */ NULL,
NULL);
+ if (r == -EDEADLK)
+ return r;
if (r < 0)
return log_error_errno(r, "Failed to get or create SRK: %m");
if (r > 0)
@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
}
r = load_public_key_tpm2(&tpm2_key);
+ if (r == -EDEADLK) {
+ log_struct_errno(LOG_INFO, r,
+ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
+ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
+ return 76; /* Special return value which means "Insufficient permissions to access TPM,
+ * cannot generate SRK". This isn't really an error when called at boot. */;
+ }
if (r < 0)
return r;
@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
return 0;
}
-DEFINE_MAIN_FUNCTION(run);
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 9982c84aba..7fdb99b53f 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 0af7292528..ac29a76966 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76
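Review bot: The new `rc == TPM2_RC_BAD_AUTH` test in tpm2_create_primary() is an exact comparison, but format-1 TPM2 response codes normally carry the handle/session/parameter index in bits 8-11 (an owner-auth failure on Esys_CreatePrimary is commonly reported as 0x9a2, i.e. BAD_AUTH for session 1, or as TPM2_RC_AUTH_FAIL), so unless the TSS layer strips those bits first this branch will rarely be taken and the unit will still fail instead of exiting 76; mask before comparing, e.g. `if (IN_SET(rc & ~TPM2_RC_N_MASK, TPM2_RC_BAD_AUTH, TPM2_RC_AUTH_FAIL))`. Reusing -EDEADLK as the sentinel is also fragile, since any genuine EDEADLK from a lower layer would be treated as "needs authorization" and turned into a successful exit with no SRK enrolled, so a comment on the SYNTHETIC_ERRNO line should record that EDEADLK is reserved for this meaning along this call chain. Minor: the catalog entry spells "occured" (should be "occurred"). The tpm2_create_primary() body starts outside the hunk.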

@ -1,28 +0,0 @@
From a1f18876d5f7122c9f94af9a84f1324f50dba0ed Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Tue, 1 Nov 2022 09:43:32 +0100
Subject: [PATCH] coverage: Mark _coverage__exit as noreturn
../src/basic/coverage.h:15:48: warning: function '_coverage__exit' could
be declared with attribute 'noreturn' [-Wmissing-noreturn]
(cherry picked from commit 0bab5534b334677652bb69fe15eaa54ce84cbe7d)
Related #2138081
---
src/basic/coverage.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/coverage.h b/src/basic/coverage.h
index 3ef02cf70e..640bddc485 100644
--- a/src/basic/coverage.h
+++ b/src/basic/coverage.h
@@ -12,7 +12,7 @@
extern void _exit(int);
extern void __gcov_dump(void);
-static inline void _coverage__exit(int status) {
+static inline _Noreturn void _coverage__exit(int status) {
__gcov_dump();
_exit(status);
}

@ -0,0 +1,37 @@
From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001
From: Ronan Pigott <ronan@rjp.ie>
Date: Fri, 8 Mar 2024 13:40:08 -0700
Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't
validating
This check introduced in 91adc4db33f6 is intended to spare us from
encountering broken resolver behavior we don't want to deal with.
However if we aren't validating we more than likely don't know the state
of the upstream resolver's support for dnssec. Let's let clients try
these queries if they want.
This brings the behavior of sd-resolved in-line with previouly stated
change in the meaning of DNSSEC=no, which now means "don't validate"
rather than "don't validate, because the upstream resolver is declared to
be dnssec-unaware".
Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a)
---
src/resolve/resolved-dns-server.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 340f11f4f4..b37f541c7f 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
return true;
- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
- return false;
-
if (server->packet_bad_opt)
return false;

@ -1,154 +0,0 @@
From 6ab61ac93e534aec1ea4d16e77c1c355c8286e64 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 27 Oct 2022 13:14:12 +0200
Subject: [PATCH] namespace: Add hidepid/subset support check
Using fsopen()/fsconfig(), we can check if hidepid/subset are supported to
avoid the noisy logs from the kernel if they aren't supported. This works
on centos/redhat 8 as well since they've backported fsopen()/fsconfig().
(cherry picked from commit 1c265fcd5963603d338233840129ecad8d9c1420)
Related #2138081
---
meson.build | 2 ++
src/basic/missing_syscall.h | 40 +++++++++++++++++++++++++++++++
src/core/namespace.c | 47 ++++++++++++++++++++++++++++++++-----
3 files changed, 83 insertions(+), 6 deletions(-)
diff --git a/meson.build b/meson.build
index 76ad51d3fb..7750534466 100644
--- a/meson.build
+++ b/meson.build
@@ -606,6 +606,8 @@ foreach ident : [
['mount_setattr', '''#include <sys/mount.h>'''],
['move_mount', '''#include <sys/mount.h>'''],
['open_tree', '''#include <sys/mount.h>'''],
+ ['fsopen', '''#include <sys/mount.h>'''],
+ ['fsconfig', '''#include <sys/mount.h>'''],
['getdents64', '''#include <dirent.h>'''],
]
diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
index 793d111c55..d54e59fdf9 100644
--- a/src/basic/missing_syscall.h
+++ b/src/basic/missing_syscall.h
@@ -593,6 +593,46 @@ static inline int missing_move_mount(
/* ======================================================================= */
+#if !HAVE_FSOPEN
+
+#ifndef FSOPEN_CLOEXEC
+#define FSOPEN_CLOEXEC 0x00000001
+#endif
+
+static inline int missing_fsopen(const char *fsname, unsigned flags) {
+# if defined __NR_fsopen && __NR_fsopen >= 0
+ return syscall(__NR_fsopen, fsname, flags);
+# else
+ errno = ENOSYS;
+ return -1;
+# endif
+}
+
+# define fsopen missing_fsopen
+#endif
+
+/* ======================================================================= */
+
+#if !HAVE_FSCONFIG
+
+#ifndef FSCONFIG_SET_STRING
+#define FSCONFIG_SET_STRING 1 /* Set parameter, supplying a string value */
+#endif
+
+static inline int missing_fsconfig(int fd, unsigned cmd, const char *key, const void *value, int aux) {
+# if defined __NR_fsconfig && __NR_fsconfig >= 0
+ return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
+# else
+ errno = ENOSYS;
+ return -1;
+# endif
+}
+
+# define fsconfig missing_fsconfig
+#endif
+
+/* ======================================================================= */
+
#if !HAVE_GETDENTS64
static inline ssize_t missing_getdents64(int fd, void *buffer, size_t length) {
diff --git a/src/core/namespace.c b/src/core/namespace.c
index c3cced7410..852be3bdde 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -26,6 +26,7 @@
#include "list.h"
#include "loop-util.h"
#include "loopback-setup.h"
+#include "missing_syscall.h"
#include "mkdir-label.h"
#include "mount-util.h"
#include "mountpoint-util.h"
@@ -1073,6 +1074,27 @@ static int mount_sysfs(const MountEntry *m) {
return 1;
}
+static bool mount_option_supported(const char *fstype, const char *key, const char *value) {
+ _cleanup_close_ int fd = -1;
+ int r;
+
+ /* This function assumes support by default. Only if the fsconfig() call fails with -EINVAL/-EOPNOTSUPP
+ * will it report that the option/value is not supported. */
+
+ fd = fsopen(fstype, FSOPEN_CLOEXEC);
+ if (fd < 0) {
+ if (errno != ENOSYS)
+ log_debug_errno(errno, "Failed to open superblock context for '%s': %m", fstype);
+ return true; /* If fsopen() fails for whatever reason, assume the value is supported. */
+ }
+
+ r = fsconfig(fd, FSCONFIG_SET_STRING, key, value, 0);
+ if (r < 0 && !IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS))
+ log_debug_errno(errno, "Failed to set '%s=%s' on '%s' superblock context: %m", key, value, fstype);
+
+ return r >= 0 || !IN_SET(errno, EINVAL, EOPNOTSUPP);
+}
+
static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
_cleanup_free_ char *opts = NULL;
const char *entry_path;
@@ -1090,12 +1112,25 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
* per-instance, we'll exclusively use the textual value for hidepid=, since support was
* added in the same commit: if it's supported it is thus also per-instance. */
- opts = strjoin("hidepid=",
- ns_info->protect_proc == PROTECT_PROC_DEFAULT ? "off" :
- protect_proc_to_string(ns_info->protect_proc),
- ns_info->proc_subset == PROC_SUBSET_PID ? ",subset=pid" : "");
- if (!opts)
- return -ENOMEM;
+ const char *hpv = ns_info->protect_proc == PROTECT_PROC_DEFAULT ?
+ "off" :
+ protect_proc_to_string(ns_info->protect_proc);
+
+ /* hidepid= support was added in 5.8, so we can use fsconfig()/fsopen() (which were added in
+ * 5.2) to check if hidepid= is supported. This avoids a noisy dmesg log by the kernel when
+ * trying to use hidepid= on systems where it isn't supported. The same applies for subset=.
+ * fsopen()/fsconfig() was also backported on some distros which allows us to detect
+ * hidepid=/subset= support in even more scenarios. */
+
+ if (mount_option_supported("proc", "hidepid", hpv)) {
+ opts = strjoin("hidepid=", hpv);
+ if (!opts)
+ return -ENOMEM;
+ }
+
+ if (ns_info->proc_subset == PROC_SUBSET_PID && mount_option_supported("proc", "subset", "pid"))
+ if (!strextend_with_separator(&opts, ",", "subset=pid"))
+ return -ENOMEM;
}
entry_path = mount_entry_path(m);

@ -0,0 +1,123 @@
From 70f5fb2f7ab585458008b1d3144e4ebaf98db42e Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sun, 2 Jun 2024 16:24:52 +0200
Subject: [PATCH] repart: Use crypt_reencrypt_run() if available
crypt_reencrypt() is deprecated, so let's look for and prefer
crypt_reencrypt_run() if it is available.
(cherry picked from commit b99b2941276a74878a23470b36c75b0c21dbdd4a)
---
meson.build | 1 +
src/partition/repart.c | 6 +++++-
src/shared/cryptsetup-util.c | 19 ++++++++-----------
src/shared/cryptsetup-util.h | 6 +++---
4 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/meson.build b/meson.build
index ea4e12aa1c..e42151998b 100644
--- a/meson.build
+++ b/meson.build
@@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size',
'crypt_token_max',
'crypt_reencrypt_init_by_passphrase',
'crypt_reencrypt',
+ 'crypt_reencrypt_run',
'crypt_set_data_offset',
'crypt_set_keyring_to_link',
'crypt_resume_by_volume_key']
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 6f67d46025..2ecae4ca03 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -3913,7 +3913,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
}
static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT
+#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
const char *node = partition_target_path(target);
struct crypt_params_luks2 luks_params = {
.label = strempty(ASSERT_PTR(p)->new_label),
@@ -4220,7 +4220,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
if (r < 0)
return log_error_errno(r, "Failed to load reencryption context: %m");
+#if HAVE_CRYPT_REENCRYPT_RUN
+ r = sym_crypt_reencrypt_run(cd, NULL, NULL);
+#else
r = sym_crypt_reencrypt(cd, NULL);
+#endif
if (r < 0)
return log_error_errno(r, "Failed to encrypt %s: %m", node);
} else {
diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
index 288e6e8942..d0dd434df8 100644
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_FUNCTION(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_FUNCTION(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_FUNCTION(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET
@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) {
/* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
* crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
- * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
- * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
- * warnings about this for now. */
-
- DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+ * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
+ * symbol if the new one is not available. */
ELF_NOTE_DLOPEN("cryptsetup",
"Support for disk encryption, integrity, and authentication",
@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) {
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
#endif
-#if HAVE_CRYPT_REENCRYPT
+#if HAVE_CRYPT_REENCRYPT_RUN
+ DLSYM_ARG(crypt_reencrypt_run),
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_ARG(crypt_reencrypt),
#endif
DLSYM_ARG(crypt_metadata_locking),
@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) {
if (r <= 0)
return r;
- REENABLE_WARNING;
-
/* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
* libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
* whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
index f00ac367b6..d255e59004 100644
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_PROTOTYPE(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_PROTOTYPE(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_PROTOTYPE(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET

@ -1,75 +0,0 @@
From 07f188e9ca17345af904e6549c03b1c57d34405a Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 1 Nov 2022 09:17:58 +0100
Subject: [PATCH] test: add a couple of sanity tests for loginctl
(cherry picked from commit 70e9066bc2eaf159e9cde7d95bbee99e44f3045a)
Related #2138081
---
test/units/testsuite-35.sh | 45 ++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/test/units/testsuite-35.sh b/test/units/testsuite-35.sh
index 4ef0f0c11c..85925f2471 100755
--- a/test/units/testsuite-35.sh
+++ b/test/units/testsuite-35.sh
@@ -338,6 +338,50 @@ EOF
assert_eq "$(loginctl --no-legend | awk '$3=="logind-test-user" { print $5 }')" "tty2"
}
+test_sanity_check() {
+ # Exercise basic loginctl options
+
+ if [[ ! -c /dev/tty2 ]]; then
+ echo "/dev/tty2 does not exist, skipping test ${FUNCNAME[0]}."
+ return
+ fi
+
+ trap cleanup_session RETURN
+ create_session
+
+ # Run most of the loginctl commands from a user session to make
+ # the seat/session autodetection work-ish
+ systemd-run --user --pipe --wait -M "logind-test-user@.host" bash -eux <<\EOF
+ loginctl list-sessions
+ loginctl session-status
+ loginctl show-session
+ loginctl show-session -P DelayInhibited
+
+ # We're not in the same session scope, so in this case we need to specify
+ # the session ID explicitly
+ session=$(loginctl --no-legend | awk '$3 == "logind-test-user" { print $1; exit; }')
+ loginctl kill-session --signal=SIGCONT "$session"
+ # FIXME(?)
+ #loginctl kill-session --signal=SIGCONT --kill-who=leader "$session"
+
+ loginctl list-users
+ loginctl user-status
+ loginctl show-user -a
+ loginctl show-user -P IdleAction
+ loginctl kill-user --signal=SIGCONT ""
+
+ loginctl list-seats
+ loginctl seat-status
+ loginctl show-seat
+ loginctl show-seat -P IdleActionUSec
+EOF
+
+ # Requires root privileges
+ loginctl lock-sessions
+ loginctl unlock-sessions
+ loginctl flush-devices
+}
+
test_session() {
local dev
@@ -537,6 +581,7 @@ test_properties
test_started
test_suspend_on_lid
test_shutdown
+test_sanity_check
test_session
test_lock_idle_action
test_session_properties

@ -0,0 +1,136 @@
From 4a468387acbc8a2bd51bffaeca242e415e55b614 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 12 Jun 2024 12:09:25 +0200
Subject: [PATCH] test: dump a simple summary at the end of TEST-02-UNITTEST
Let's dump a list of skipped tests and logs from failed tests at the end
of TEST-02-UNITTEST to make debugging failures in CI slightly less painful.
(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3)
---
test/TEST-02-UNITTESTS/test.sh | 8 ----
test/test-functions | 68 ---------------------------------
test/units/TEST-02-UNITTESTS.sh | 14 +++++++
3 files changed, 14 insertions(+), 76 deletions(-)
diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh
index f165c99368..2cf9c31096 100755
--- a/test/TEST-02-UNITTESTS/test.sh
+++ b/test/TEST-02-UNITTESTS/test.sh
@@ -37,12 +37,4 @@ test_append_files() {
fi
}
-check_result_nspawn() {
- check_result_nspawn_unittests "${1}"
-}
-
-check_result_qemu() {
- check_result_qemu_unittests
-}
-
do_test "$@"
diff --git a/test/test-functions b/test/test-functions
index be6eb1d9b2..8b497b2e27 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1860,74 +1860,6 @@ check_result_qemu() {
return $ret
}
-check_result_nspawn_unittests() {
- local workspace="${1:?}"
- local ret=1
-
- [[ -e "$workspace/testok" ]] && ret=0
-
- if [[ -s "$workspace/failed" ]]; then
- ret=$((ret + 1))
- echo "=== Failed test log ==="
- cat "$workspace/failed"
- else
- if [[ -s "$workspace/skipped" ]]; then
- echo "=== Skipped test log =="
- cat "$workspace/skipped"
- # We might have only skipped tests - that should not fail the job
- ret=0
- fi
- if [[ -s "$workspace/testok" ]]; then
- echo "=== Passed tests ==="
- cat "$workspace/testok"
- fi
- fi
-
- get_bool "${TIMED_OUT:=}" && ret=1
- check_coverage_reports "$workspace" || ret=5
-
- save_journal "$workspace/var/log/journal" $ret
- echo "${JOURNAL_LIST:-"No journals were saved"}"
-
- _umount_dir "${initdir:?}"
-
- return $ret
-}
-
-check_result_qemu_unittests() {
- local ret=1
-
- mount_initdir
- [[ -e "${initdir:?}/testok" ]] && ret=0
-
- if [[ -s "$initdir/failed" ]]; then
- ret=$((ret + 1))
- echo "=== Failed test log ==="
- cat "$initdir/failed"
- else
- if [[ -s "$initdir/skipped" ]]; then
- echo "=== Skipped test log =="
- cat "$initdir/skipped"
- # We might have only skipped tests - that should not fail the job
- ret=0
- fi
- if [[ -s "$initdir/testok" ]]; then
- echo "=== Passed tests ==="
- cat "$initdir/testok"
- fi
- fi
-
- get_bool "${TIMED_OUT:=}" && ret=1
- check_coverage_reports "$initdir" || ret=5
-
- save_journal "$initdir/var/log/journal" $ret
- echo "${JOURNAL_LIST:-"No journals were saved"}"
-
- _umount_dir "$initdir"
-
- return $ret
-}
-
create_rc_local() {
dinfo "Create rc.local"
mkdir -p "${initdir:?}/etc/rc.d"
diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh
index 6392425130..4448643f9a 100755
--- a/test/units/TEST-02-UNITTESTS.sh
+++ b/test/units/TEST-02-UNITTESTS.sh
@@ -95,6 +95,20 @@ export -f run_test
find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 |
xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}"
+# Write all pending messages, so they don't get mixed with the summaries below
+journalctl --sync
+
+# No need for full test logs in this case
+if [[ -s /skipped-tests ]]; then
+ : "=== SKIPPED TESTS ==="
+ cat /skipped-tests
+fi
+
+if [[ -s /failed ]]; then
+ : "=== FAILED TESTS ==="
+ cat /failed
+fi
+
# Test logs are sometimes lost, as the system shuts down immediately after
journalctl --sync
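Review bot: The summary reads `/skipped-tests` at L1179, while the helpers this patch removes from test-functions read a file named `skipped`; `run_test` is defined above the hunk, so confirm it writes `/skipped-tests`, otherwise that block is dead. The two `:` headings only appear in the log if the script runs under `set -x`, which is not visible here; `echo "=== SKIPPED TESTS ==="` would print them unconditionally. Note also that the removed `check_result_*_unittests` helpers turned a non-empty `failed` file or `TIMED_OUT` into a non-zero exit and checked coverage reports, whereas this hunk only prints `/failed`; make sure the generic check_result_nspawn/check_result_qemu path, outside this view, still fails the job when `/failed` is non-empty.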

@ -0,0 +1,29 @@
From d316aed5d8e15fb5b13b5618f1b2d1d020b1e7bf Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 3 Jun 2024 12:35:29 +0200
Subject: [PATCH] repart: Use CRYPT_ACTIVATE_PRIVATE
Let's skip udev device scanning when activating a LUKS volume in
systemd-repart as we don't depend on any udev symlinks and don't
expect anything except repart to access the volume.
Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941.
(cherry picked from commit 726fc7ae696510b04c24810f691d34f5d20529d6)
---
src/partition/repart.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 2ecae4ca03..78cf60f724 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -4236,7 +4236,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
dm_name,
NULL,
VOLUME_KEY_SIZE,
- arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
+ (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE);
if (r < 0)
return log_error_errno(r, "Failed to activate LUKS superblock: %m");

@ -1,48 +0,0 @@
From 66a9a36c3bcd5709c30ac1f2be998eea034a9f6d Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 1 Nov 2022 17:53:42 +0100
Subject: [PATCH] test: rename TEST-26-SETENV to TEST-26-SYSTEMCTL
(cherry picked from commit c5c258ae0a4a0cfc829ed07ff96c7fab79b6ca71)
Related #2138081
---
test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/Makefile | 0
test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/test.sh | 2 +-
test/units/testsuite-26.service | 2 +-
3 files changed, 2 insertions(+), 2 deletions(-)
rename test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/Makefile (100%)
rename test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/test.sh (79%)
diff --git a/test/TEST-26-SETENV/Makefile b/test/TEST-26-SYSTEMCTL/Makefile
similarity index 100%
rename from test/TEST-26-SETENV/Makefile
rename to test/TEST-26-SYSTEMCTL/Makefile
diff --git a/test/TEST-26-SETENV/test.sh b/test/TEST-26-SYSTEMCTL/test.sh
similarity index 79%
rename from test/TEST-26-SETENV/test.sh
rename to test/TEST-26-SYSTEMCTL/test.sh
index b38e37bfce..64accf850f 100755
--- a/test/TEST-26-SETENV/test.sh
+++ b/test/TEST-26-SYSTEMCTL/test.sh
@@ -2,7 +2,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
-TEST_DESCRIPTION="test setenv"
+TEST_DESCRIPTION="systemctl-related tests"
# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
diff --git a/test/units/testsuite-26.service b/test/units/testsuite-26.service
index aa553b61a6..d8fdaffb06 100644
--- a/test/units/testsuite-26.service
+++ b/test/units/testsuite-26.service
@@ -1,6 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Unit]
-Description=TEST-26-SETENV
+Description=TEST-26-SYSTEMCTL
[Service]
ExecStartPre=rm -f /failed /testok

@ -0,0 +1,26 @@
From 4ebcdcb1360dbb10444f518bad7f04e10bcb6387 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Tue, 11 Jun 2024 23:09:30 +0100
Subject: [PATCH] NEWS: note that new stable releases will be in the main repo
(cherry picked from commit 40d637bace4041f081088673cb230669c1e34faf)
---
NEWS | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/NEWS b/NEWS
index 02ad8b2c79..bbee0852be 100644
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,11 @@ CHANGES WITH 256:
* systemd.crash_reboot and related settings are deprecated in favor of
systemd.crash_action=.
+ * Stable releases for version v256 and newer will now be pushed in the
+ main repository. The systemd-stable repository will be used for existing
+ stable branches (v255-stable and lower), and when they reach EOL it will
+ be archived.
+
General Changes and New Features:
* Various programs will now attempt to load the main configuration file

@ -1,251 +0,0 @@
From 680d2b33d3b2a0bed17c2c1594690155bdb910bb Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 1 Nov 2022 20:47:37 +0100
Subject: [PATCH] test: add a couple of sanity tests for systemctl
(cherry picked from commit d16684fe13e1d56e55df19b57b6c01b9a9303086)
Related #2138081
---
test/units/testsuite-26.sh | 209 +++++++++++++++++++++++++++++++++++--
1 file changed, 202 insertions(+), 7 deletions(-)
diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh
index ad08415317..b83f85917b 100755
--- a/test/units/testsuite-26.sh
+++ b/test/units/testsuite-26.sh
@@ -3,32 +3,227 @@
set -eux
set -o pipefail
+at_exit() {
+ if [[ -v UNIT_NAME && -e "/usr/lib/systemd/system/$UNIT_NAME" ]]; then
+ rm -fv "/usr/lib/systemd/system/$UNIT_NAME"
+ fi
+}
+
+trap at_exit EXIT
+
+# Create a simple unit file for testing
+# Note: the service file is created under /usr on purpose to test
+# the 'revert' verb as well
+UNIT_NAME="systemctl-test-$RANDOM.service"
+cat >"/usr/lib/systemd/system/$UNIT_NAME" <<\EOF
+[Unit]
+Description=systemctl test
+
+[Service]
+ExecStart=sleep infinity
+ExecReload=true
+
+# For systemctl clean
+CacheDirectory=%n
+ConfigurationDirectory=%n
+LogsDirectory=%n
+RuntimeDirectory=%n
+StateDirectory=%n
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Configure the preset setting for the unit file
+mkdir /run/systemd/system-preset/
+echo "disable $UNIT_NAME" >/run/systemd/system-preset/99-systemd-test.preset
+
+systemctl daemon-reload
+
+# Argument help
+systemctl --state help
+systemctl --signal help
+systemctl --type help
+
+# list-dependencies
+systemctl list-dependencies systemd-journald
+systemctl list-dependencies --after systemd-journald
+systemctl list-dependencies --before systemd-journald
+systemctl list-dependencies --after --reverse systemd-journald
+systemctl list-dependencies --before --reverse systemd-journald
+systemctl list-dependencies --plain systemd-journald
+
+# list-* verbs
+systemctl list-units
+systemctl list-units --recursive
+systemctl list-units --type=socket
+systemctl list-units --type=service,timer
+systemctl list-units --legend=yes -a "systemd-*"
+systemctl list-units --state=active
+systemctl list-units --with-dependencies systemd-journald.service
+systemctl list-units --with-dependencies --after systemd-journald.service
+systemctl list-units --with-dependencies --before --reverse systemd-journald.service
+systemctl list-sockets
+systemctl list-sockets --legend=no -a "*journal*"
+systemctl list-sockets --show-types
+systemctl list-sockets --state=listening
+systemctl list-timers -a -l
+systemctl list-unit-files
+systemctl list-unit-files "*journal*"
+systemctl list-jobs
+systemctl list-jobs --after
+systemctl list-jobs --before
+systemctl list-jobs --after --before
+systemctl list-jobs "*"
+
+# Basic service management
+systemctl start --show-transaction "$UNIT_NAME"
+systemctl status -n 5 "$UNIT_NAME"
+systemctl is-active "$UNIT_NAME"
+systemctl reload -T "$UNIT_NAME"
+systemctl restart -T "$UNIT_NAME"
+systemctl try-restart --show-transaction "$UNIT_NAME"
+systemctl try-reload-or-restart --show-transaction "$UNIT_NAME"
+systemctl kill "$UNIT_NAME"
+(! systemctl is-active "$UNIT_NAME")
+systemctl restart "$UNIT_NAME"
+systemctl is-active "$UNIT_NAME"
+systemctl restart "$UNIT_NAME"
+systemctl stop "$UNIT_NAME"
+(! systemctl is-active "$UNIT_NAME")
+
+# enable/disable/preset
+(! systemctl is-enabled "$UNIT_NAME")
+systemctl enable "$UNIT_NAME"
+systemctl is-enabled -l "$UNIT_NAME"
+# We created a preset file for this unit above with a "disable" policy
+systemctl preset "$UNIT_NAME"
+(! systemctl is-enabled "$UNIT_NAME")
+systemctl reenable "$UNIT_NAME"
+systemctl is-enabled "$UNIT_NAME"
+systemctl preset --preset-mode=enable-only "$UNIT_NAME"
+systemctl is-enabled "$UNIT_NAME"
+systemctl preset --preset-mode=disable-only "$UNIT_NAME"
+(! systemctl is-enabled "$UNIT_NAME")
+systemctl enable --runtime "$UNIT_NAME"
+[[ -e "/run/systemd/system/multi-user.target.wants/$UNIT_NAME" ]]
+systemctl is-enabled "$UNIT_NAME"
+systemctl disable "$UNIT_NAME"
+# The unit should be still enabled, as we didn't use the --runtime switch
+systemctl is-enabled "$UNIT_NAME"
+systemctl disable --runtime "$UNIT_NAME"
+(! systemctl is-enabled "$UNIT_NAME")
+
+# mask/unmask/revert
+systemctl disable "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]]
+systemctl mask "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked ]]
+systemctl unmask "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]]
+systemctl mask "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked ]]
+systemctl revert "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]]
+systemctl mask --runtime "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked-runtime ]]
+# This should be a no-op without the --runtime switch
+systemctl unmask "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked-runtime ]]
+systemctl unmask --runtime "$UNIT_NAME"
+[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]]
+
+# add-wants/add-requires
+(! systemctl show -P Wants "$UNIT_NAME" | grep "systemd-journald.service")
+systemctl add-wants "$UNIT_NAME" "systemd-journald.service"
+systemctl show -P Wants "$UNIT_NAME" | grep "systemd-journald.service"
+(! systemctl show -P Requires "$UNIT_NAME" | grep "systemd-journald.service")
+systemctl add-requires "$UNIT_NAME" "systemd-journald.service"
+systemctl show -P Requires "$UNIT_NAME" | grep "systemd-journald.service"
+
+# set-property
+systemctl set-property "$UNIT_NAME" IPAccounting=yes MemoryMax=1234567
+systemctl cat "$UNIT_NAME"
+# These properties should be saved to a persistent storage
+grep -r "IPAccounting=yes" "/etc/systemd/system.control/${UNIT_NAME}.d/"
+grep -r "MemoryMax=1234567" "/etc/systemd/system.control/${UNIT_NAME}.d"
+systemctl revert "$UNIT_NAME"
+(! grep -r "IPAccounting=" "/etc/systemd/system.control/${UNIT_NAME}.d/")
+(! grep -r "MemoryMax=" "/etc/systemd/system.control/${UNIT_NAME}.d/")
+# Same stuff, but with --runtime, which should use /run
+systemctl set-property --runtime "$UNIT_NAME" CPUAccounting=no CPUQuota=10%
+systemctl cat "$UNIT_NAME"
+grep -r "CPUAccounting=no" "/run/systemd/system.control/${UNIT_NAME}.d/"
+grep -r "CPUQuota=10%" "/run/systemd/system.control/${UNIT_NAME}.d/"
+systemctl revert "$UNIT_NAME"
+(! grep -r "CPUAccounting=" "/run/systemd/system.control/${UNIT_NAME}.d/")
+(! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/")
+
+# Failed-unit related tests
+systemd-run --unit "failed.service" /bin/false
+systemctl is-failed failed.service
+systemctl --state=failed | grep failed.service
+systemctl --failed | grep failed.service
+systemctl reset-failed "fail*.service"
+(! systemctl is-failed failed.service)
+
+# clean
+systemctl restart "$UNIT_NAME"
+systemctl stop "$UNIT_NAME"
+# Check if the directories from *Directory= directives exist
+# (except RuntimeDirectory= in /run, which is removed when the unit is stopped)
+for path in /var/lib /var/cache /var/log /etc; do
+ [[ -e "$path/$UNIT_NAME" ]]
+done
+# Run the cleanup
+for what in "" configuration state cache logs runtime all; do
+ systemctl clean ${what:+--what="$what"} "$UNIT_NAME"
+done
+# All respective directories should be removed
+for path in /run /var/lib /var/cache /var/log /etc; do
+ [[ ! -e "$path/$UNIT_NAME" ]]
+done
+
+# --timestamp
+for value in pretty us µs utc us+utc µs+utc; do
+ systemctl show -P KernelTimestamp --timestamp="$value"
+done
+
+# Aux verbs & assorted checks
+systemctl is-active "*-journald.service"
+systemctl cat "*journal*"
+systemctl cat "$UNIT_NAME"
+systemctl help "$UNIT_NAME"
+
+# show/set-environment
# Make sure PATH is set
systemctl show-environment | grep -q '^PATH='
-
# Let's add an entry and override a built-in one
systemctl set-environment PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/testaddition FOO=BAR
-
# Check that both are set
systemctl show-environment | grep -q '^PATH=.*testaddition$'
systemctl show-environment | grep -q '^FOO=BAR$'
-
systemctl daemon-reload
-
# Check again after the reload
systemctl show-environment | grep -q '^PATH=.*testaddition$'
systemctl show-environment | grep -q '^FOO=BAR$'
-
# Check that JSON output is supported
systemctl show-environment --output=json | grep -q '^{.*"FOO":"BAR".*}$'
-
# Drop both
systemctl unset-environment FOO PATH
-
# Check that one is gone and the other reverted to the built-in
systemctl show-environment | grep '^FOO=$' && exit 1
systemctl show-environment | grep '^PATH=.*testaddition$' && exit 1
systemctl show-environment | grep -q '^PATH='
+# Check import-environment
+export IMPORT_THIS=hello
+export IMPORT_THIS_TOO=world
+systemctl import-environment IMPORT_THIS IMPORT_THIS_TOO
+systemctl show-environment | grep "^IMPORT_THIS=$IMPORT_THIS"
+systemctl show-environment | grep "^IMPORT_THIS_TOO=$IMPORT_THIS_TOO"
+systemctl unset-environment IMPORT_THIS IMPORT_THIS_TOO
+(! systemctl show-environment | grep "^IMPORT_THIS=")
+(! systemctl show-environment | grep "^IMPORT_THIS_TOO=")
echo OK >/testok

@ -0,0 +1,29 @@
From 2034de6157cc0d3e60489cdc16c7a5651f38783c Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Wed, 12 Jun 2024 14:35:34 +0200
Subject: [PATCH] shell-completion: only offer devices for completion
This skips directories and other stuff like /dev/core, /dev/initctl or
/dev/log.
(cherry picked from commit bde35f4a91663ebb854330f582baeef0f9adcbfb)
---
shell-completion/bash/udevadm | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm
index 05f921cf49..3842d722e7 100644
--- a/shell-completion/bash/udevadm
+++ b/shell-completion/bash/udevadm
@@ -32,10 +32,7 @@ __get_all_sysdevs() {
}
__get_all_device_nodes() {
- local i
- for i in /dev/* /dev/*/* /dev/*/*/*; do
- echo $i
- done
+ find /dev -xtype b -o -xtype c
}
__get_all_device_units() {
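Review bot: `find /dev -xtype b -o -xtype c` sends any permission or traversal errors to stderr, which in a bash completion function lands on the user's terminal; the glob loop it replaces emitted nothing on error, so suppress them with `find /dev -xtype b -o -xtype c 2>/dev/null`. The walk is also unbounded where the old code stopped three levels deep, which is probably fine for /dev but worth a `-maxdepth 3` if the old limit was intentional.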

@ -0,0 +1,98 @@
From a61a83a22b5f464463f9ab9e3ee3950f299c9f43 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 12 Jun 2024 18:31:56 +0200
Subject: [PATCH] CODING_STYLE: document "reterr_" return parameters
In some recent PRs (e.g. #32628) I started to systematically name return
parameters that shall only be initialized on failure (because they carry
additional error meta information, such as the line/column number of
parse failures or so). Let's make this official in the coding style.
(cherry picked from commit 7811864b08393eda5ff92145ea2776180d9b28ee)
---
docs/CODING_STYLE.md | 62 ++++++++++++++++++++++++++++++++++----------
1 file changed, 48 insertions(+), 14 deletions(-)
diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md
index 8f687e6662..309436a397 100644
--- a/docs/CODING_STYLE.md
+++ b/docs/CODING_STYLE.md
@@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later
thread. Use `is_main_thread()` to detect whether the calling thread is the
main thread.
-- Do not write functions that clobber call-by-reference variables on
- failure. Use temporary variables for these cases and change the passed in
- variables only on success. The rule is: never clobber return parameters on
- failure, always initialize return parameters on success.
-
-- Typically, function parameters fit into three categories: input parameters,
- mutable objects, and call-by-reference return parameters. Input parameters
- should always carry suitable "const" declarators if they are pointers, to
- indicate they are input-only and not changed by the function. Return
- parameters are best prefixed with "ret_", to clarify they are return
- parameters. (Conversely, please do not prefix parameters that aren't
- output-only with "ret_", in particular not mutable parameters that are both
- input as well as output). Example:
+- Typically, function parameters fit into four categories: input parameters,
+ mutable objects, call-by-reference return parameters that are initialized on
+ success, and call-by-reference return parameters that are initialized on
+ failure. Input parameters should always carry suitable `const` declarators if
+ they are pointers, to indicate they are input-only and not changed by the
+ function. The name of return parameters that are initialized on success
+ should be prefixed with `ret_`, to clarify they are return parameters. The
+ name of return parameters that are initialized on failure should be prefixed
+ with `reterr_`. (Examples of such parameters: those which carry additional
+ error information, such as the row/column of parse errors or so).
+ Conversely, please do not prefix parameters that aren't output-only with
+ `ret_` or `reterr_`, in particular not mutable parameters that are both input
+ as well as output.
+
+ Example:
```c
static int foobar_frobnicate(
Foobar* object, /* the associated mutable object */
const char *input, /* immutable input parameter */
- char **ret_frobnicated) { /* return parameter */
+ char **ret_frobnicated, /* return parameter on success */
+ unsigned *reterr_line, /* return parameter on failure */
+ unsigned *reterr_column) { /* ditto */
return 0;
}
```
+- Do not write functions that clobber call-by-reference success return
+ parameters on failure (i.e. `ret_xyz`, see above), or that clobber
+ call-by-reference failure return parameters on success
+ (i.e. `reterr_xyz`). Use temporary variables for these cases and change the
+ passed in variables only in the right condition. The rule is: never clobber
+ success return parameters on failure, always initialize success return
+ parameters on success (and the reverse for failure return parameters, of
+ course).
+
+- Please put `reterr_` return parameters in the function parameter list last,
+ and `ret_` return parameters immediately before that.
+
+ Good:
+
+ ```c
+ static int do_something(
+ const char *input,
+ const char *ret_on_success,
+ const char *reterr_on_failure);
+ ```
+
+ Not good:
+
+ ```c
+ static int do_something(
+ const char *reterr_on_failure,
+ const char *ret_on_success,
+ const char *input);
+ ```
+
- The order in which header files are included doesn't matter too
much. systemd-internal headers must not rely on an include order, so it is
safe to include them in any order possible. However, to not clutter global

@ -1,49 +0,0 @@
From a9424191821c8c967edd7dd92a19d02ff5bbca87 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 2 Nov 2022 07:06:46 +0900
Subject: [PATCH] core: fix memleak in GetUnitFileLinks method
(cherry picked from commit a12ba535fa677e642c7ba19e81062ed6e9365ceb)
Related #2138081
---
src/core/dbus-manager.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 919aa58cde..88f098ec86 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -2647,21 +2647,27 @@ static int method_get_unit_file_links(sd_bus_message *message, void *userdata, s
(runtime ? UNIT_FILE_RUNTIME : 0);
r = unit_file_disable(LOOKUP_SCOPE_SYSTEM, flags, NULL, p, &changes, &n_changes);
- if (r < 0)
- return log_error_errno(r, "Failed to get file links for %s: %m", name);
+ if (r < 0) {
+ log_error_errno(r, "Failed to get file links for %s: %m", name);
+ goto finish;
+ }
for (i = 0; i < n_changes; i++)
if (changes[i].type == INSTALL_CHANGE_UNLINK) {
r = sd_bus_message_append(reply, "s", changes[i].path);
if (r < 0)
- return r;
+ goto finish;
}
r = sd_bus_message_close_container(reply);
if (r < 0)
- return r;
+ goto finish;
- return sd_bus_send(NULL, reply, NULL);
+ r = sd_bus_send(NULL, reply, NULL);
+
+finish:
+ install_changes_free(changes, n_changes);
+ return r;
}
static int method_get_job_waiting(sd_bus_message *message, void *userdata, sd_bus_error *error) {

@ -0,0 +1,27 @@
From 51390a1f41a762ef96d3c496d8a5d890d722907d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 4 Jun 2024 11:02:34 +0200
Subject: [PATCH] analyze: show pcrs also in sha384 bank
SHA384 is pretty much the bank we actually *want* to use, since it's
faster to calculate than SHA256, hence at the very least, start
considering.
(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa)
---
src/analyze/analyze-pcrs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
index 43e415fc6d..1c3da3fd84 100644
--- a/src/analyze/analyze-pcrs.c
+++ b/src/analyze/analyze-pcrs.c
@@ -11,7 +11,7 @@
static int get_pcr_alg(const char **ret) {
assert(ret);
- FOREACH_STRING(alg, "sha256", "sha1") {
+ FOREACH_STRING(alg, "sha256", "sha384", "sha1") {
_cleanup_free_ char *p = NULL;
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)
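Review bot: The new `FOREACH_STRING(alg, "sha256", "sha384", "sha1")` keeps sha256 ahead of sha384, so on a TPM that exposes both banks the loop (which presumably returns the first bank whose sysfs directory exists) still picks sha256, which does not match the commit message calling sha384 the bank "we actually want to use". If the intent is to prefer it, the order should be `FOREACH_STRING(alg, "sha384", "sha256", "sha1")`; if the intent is only to cover sha384-only TPMs, the message should say so, and the "faster than SHA256" claim is platform-dependent and worth stating as such. get_pcr_alg's body continues outside the hunk, so whether anything after the loop reorders the preference is not visible here.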

@ -1,42 +0,0 @@
From ada95dd4f4c0014815a2c3162de6297107569b05 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 2 Nov 2022 11:48:23 +0100
Subject: [PATCH] man: use the correct 'Markers' property name for marking
units
Follow-up to c9615f7352 and 70666e28a1.
(cherry picked from commit 1ca1bb03dec9ae3e8d734bd40eeb60210ffd7a0a)
Related #2138081
---
man/org.freedesktop.systemd1.xml | 2 +-
man/systemctl.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index cbd552bd99..5e08b35234 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -1250,7 +1250,7 @@ node /org/freedesktop/systemd1 {
"ReloadOrRestart" flavors attempt a reload if the unit supports it and use a restart otherwise.</para>
<para><function>EnqueueMarkedJobs()</function> creates reload/restart jobs for units which have been
- appropriately marked, see <varname>Marks</varname> property above. This is equivalent to calling
+ appropriately marked, see <varname>Markers</varname> property above. This is equivalent to calling
<function>TryRestartUnit()</function> or <function>ReloadOrTryRestartUnit()</function> for the marked
units.</para>
diff --git a/man/systemctl.xml b/man/systemctl.xml
index 4d4f6c3992..997925892d 100644
--- a/man/systemctl.xml
+++ b/man/systemctl.xml
@@ -2386,7 +2386,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<listitem><para>Only allowed with <command>reload-or-restart</command>. Enqueues restart jobs for all
units that have the <literal>needs-restart</literal> mark, and reload jobs for units that have the
<literal>needs-reload</literal> mark. When a unit marked for reload does not support reload, restart
- will be queued. Those properties can be set using <command>set-property Marks</command>.</para>
+ will be queued. Those properties can be set using <command>set-property Markers=…</command>.</para>
<para>Unless <option>--no-block</option> is used, <command>systemctl</command> will wait for the
queued jobs to finish.</para></listitem>

@ -0,0 +1,41 @@
From 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <cristian@rodriguez.im>
Date: Thu, 13 Jun 2024 11:59:28 -0400
Subject: [PATCH] fundamental: declare flex array updated for gcc15 and clang
19
Silly workaround that:
- allowed flexible arrays in unions
- allowed flexible arrays in otherwise empty structs
Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a
(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9
(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939)
---
src/fundamental/macro-fundamental.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 5ccbda5186..8aca5f784a 100644
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
} \
}
+/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/
+#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
+#define DECLARE_FLEX_ARRAY(type, name) type name[];
+#else
/* Declare a flexible array usable in a union.
* This is essentially a work-around for a pointless constraint in C99
* and might go away in some future version of the standard.
@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
dummy_t __empty__ ## name; \
type name[]; \
}
+#endif
/* Declares an ELF read-only string section that does not occupy memory at runtime. */
#define DECLARE_NOALLOC_SECTION(name, text) \
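Review bot: The added comment `/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/` points the reader the wrong way: the only explanation of the constraint visible in the hunk (the `Declare a flexible array usable in a union` comment) is below it, inside the `#else` branch, and the comment is also missing the space before `*/`. Suggest `/* Restriction/bug (see below) was fixed in GCC 15 and clang 19. */`, unless an earlier comment outside the hunk describes it. It would also help to state in the comment that both branches are expected to yield the same struct layout, since the fallback definition is cut off below the hunk and a layout difference between the two branches would silently change ABI depending on the compiler used.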

@ -1,115 +0,0 @@
From cce2e337e37524df5ff81e758dbcfa91bf8b696a Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 2 Nov 2022 11:44:00 +0100
Subject: [PATCH] test: further extend systemctl's sanity coverage
Also, fix a race condition introduced by d16684fe13:
```
[ 16.904218] H testsuite-26.sh[394]: + systemd-run --unit failed.service /bin/false
[ 16.964783] H systemd[845]: failed.service: Executing: /bin/false
[ 16.965062] H systemd[1]: Started failed.service.
[ 16.965462] H testsuite-26.sh[844]: Running as unit: failed.service
[ 16.966390] H testsuite-26.sh[394]: + systemctl is-failed failed.service
[ 16.977970] H testsuite-26.sh[846]: active
[ 16.978403] H systemd[1]: failed.service: Main process exited, code=exited, status=1/FAILURE
[ 16.978478] H systemd[1]: failed.service: Failed with result 'exit-code'.
```
(cherry picked from commit 23f3a6f5ff864fd26063c6c35fdaa6d85de566c7)
Related #2138081
---
test/units/testsuite-26.sh | 61 +++++++++++++++++++++++++++++++++++++-
1 file changed, 60 insertions(+), 1 deletion(-)
diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh
index b83f85917b..7c7a12b1ae 100755
--- a/test/units/testsuite-26.sh
+++ b/test/units/testsuite-26.sh
@@ -58,6 +58,9 @@ systemctl list-units
systemctl list-units --recursive
systemctl list-units --type=socket
systemctl list-units --type=service,timer
+# Compat: --type= allows load states for compatibility reasons
+systemctl list-units --type=loaded
+systemctl list-units --type=loaded,socket
systemctl list-units --legend=yes -a "systemd-*"
systemctl list-units --state=active
systemctl list-units --with-dependencies systemd-journald.service
@@ -160,7 +163,7 @@ systemctl revert "$UNIT_NAME"
(! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/")
# Failed-unit related tests
-systemd-run --unit "failed.service" /bin/false
+(! systemd-run --wait --unit "failed.service" /bin/false)
systemctl is-failed failed.service
systemctl --state=failed | grep failed.service
systemctl --failed | grep failed.service
@@ -189,11 +192,67 @@ for value in pretty us µs utc us+utc µs+utc; do
systemctl show -P KernelTimestamp --timestamp="$value"
done
+# set-default/get-default
+target="$(systemctl get-default)"
+systemctl set-default emergency.target
+[[ "$(systemctl get-default)" == emergency.target ]]
+systemctl set-default "$target"
+[[ "$(systemctl get-default)" == "$target" ]]
+
+# show/status
+systemctl show --property ""
+# Pick a heavily sandboxed unit for the best effect on coverage
+systemctl show systemd-logind.service
+systemctl status
+# Ignore the exit code in this case, as it might try to load non-existing units
+systemctl status -a >/dev/null || :
+systemctl status -a --state active,running,plugged >/dev/null
+systemctl status "systemd-*.timer"
+systemctl status "systemd-journald*.socket"
+systemctl status "sys-devices-*-ttyS0.device"
+systemctl status -- -.mount
+
+# --marked
+systemctl restart "$UNIT_NAME"
+systemctl set-property "$UNIT_NAME" Markers=needs-restart
+systemctl show -P Markers "$UNIT_NAME" | grep needs-restart
+systemctl reload-or-restart --marked
+(! systemctl show -P Markers "$UNIT_NAME" | grep needs-restart)
+
+# --dry-run with destructive verbs
+# kexec is skipped intentionally, as it requires a bit more involved setup
+VERBS=(
+ default
+ emergency
+ exit
+ halt
+ hibernate
+ hybrid-sleep
+ poweroff
+ reboot
+ rescue
+ suspend
+ suspend-then-hibernate
+)
+
+for verb in "${VERBS[@]}"; do
+ systemctl --dry-run "$verb"
+
+ if [[ "$verb" =~ (halt|poweroff|reboot) ]]; then
+ systemctl --dry-run --message "Hello world" "$verb"
+ systemctl --dry-run --no-wall "$verb"
+ systemctl --dry-run -f "$verb"
+ systemctl --dry-run -ff "$verb"
+ fi
+done
+
# Aux verbs & assorted checks
systemctl is-active "*-journald.service"
systemctl cat "*journal*"
systemctl cat "$UNIT_NAME"
systemctl help "$UNIT_NAME"
+systemctl service-watchdogs
+systemctl service-watchdogs "$(systemctl service-watchdogs)"
# show/set-environment
# Make sure PATH is set

@ -0,0 +1,31 @@
From aedeaf745028a463150fd6d2b1aca778797735ac Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Fri, 14 Jun 2024 17:31:22 -0400
Subject: [PATCH] man: add a bit of a warning to systemd-tmpfiles --purge
Mention that by default, /home is managed by tmpfiles.d/home.conf, and
recommend that users run systemd-tmpfiles --dry-run --purge first to
see exactly what will be removed.
(cherry picked from commit 9ebcac3b5125a8b0b11f371731ea167cd4684adc)
---
man/systemd-tmpfiles.xml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 008bff62da..6f3ec66611 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -150,7 +150,11 @@
<varlistentry>
<term><option>--purge</option></term>
<listitem><para>If this option is passed, all files and directories created by a
- <filename>tmpfiles.d/</filename> entry will be deleted.</para>
+ <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
+ <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
+ (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
+ to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
+ and directories will be deleted.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>

@ -1,131 +0,0 @@
From d68d785ba0e3ecd59a2678fe00fbd7b1bde90622 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 2 Nov 2022 17:51:51 +0100
Subject: [PATCH] test: add a sanity coverage for systemd-analyze verbs
(cherry picked from commit 6c83054c0133eb53245e479d71589dceff76cf74)
Related #2138081
---
test/units/testsuite-65.sh | 108 +++++++++++++++++++++++++++++++++++++
1 file changed, 108 insertions(+)
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index 64ce629f3b..ece6b8734e 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -9,6 +9,114 @@ set -eux
systemd-analyze log-level debug
export SYSTEMD_LOG_LEVEL=debug
+# Sanity checks
+#
+# We can't really test time, blame, critical-chain and plot verbs here, as
+# the testsuite service is a part of the boot transaction, so let's assume
+# they fail
+systemd-analyze || :
+systemd-analyze time || :
+systemd-analyze blame || :
+systemd-analyze critical-chain || :
+systemd-analyze plot >/dev/null || :
+# dot
+systemd-analyze dot >/dev/null
+systemd-analyze dot systemd-journald.service >/dev/null
+systemd-analyze dot systemd-journald.service systemd-logind.service >/dev/null
+systemd-analyze dot --from-pattern="*" --from-pattern="*.service" systemd-journald.service >/dev/null
+systemd-analyze dot --to-pattern="*" --to-pattern="*.service" systemd-journald.service >/dev/null
+systemd-analyze dot --from-pattern="*.service" --to-pattern="*.service" systemd-journald.service >/dev/null
+systemd-analyze dot --order systemd-journald.service systemd-logind.service >/dev/null
+systemd-analyze dot --require systemd-journald.service systemd-logind.service >/dev/null
+systemd-analyze dot "systemd-*.service" >/dev/null
+(! systemd-analyze dot systemd-journald.service systemd-logind.service "*" bbb ccc)
+# dump
+systemd-analyze dump >/dev/null
+systemd-analyze dump "*" >/dev/null
+systemd-analyze dump "*.socket" >/dev/null
+systemd-analyze dump systemd-journald.service >/dev/null
+(! systemd-analyze dump "")
+# unit-paths
+systemd-analyze unit-paths
+systemd-analyze unit-paths --user
+systemd-analyze unit-paths --global
+# exist-status
+systemd-analyze exit-status
+systemd-analyze exit-status STDOUT BPF
+systemd-analyze exit-status 0 1 {63..65}
+(! systemd-analyze exit-status STDOUT BPF "hello*")
+# capability
+systemd-analyze capability
+systemd-analyze capability cap_chown CAP_KILL
+systemd-analyze capability 0 1 {30..32}
+(! systemd-analyze capability cap_chown CAP_KILL "hello*")
+# condition
+mkdir -p /run/systemd/system
+UNIT_NAME="analyze-condition-$RANDOM.service"
+cat >"/run/systemd/system/$UNIT_NAME" <<EOF
+[Unit]
+AssertPathExists=/etc/os-release
+AssertEnvironment=!FOOBAR
+ConditionKernelVersion=>1.0
+ConditionPathExists=/etc/os-release
+
+[Service]
+ExecStart=/bin/true
+EOF
+systemctl daemon-reload
+systemd-analyze condition --unit="$UNIT_NAME"
+systemd-analyze condition 'ConditionKernelVersion = ! <4.0' \
+ 'ConditionKernelVersion = >=3.1' \
+ 'ConditionACPower=|false' \
+ 'ConditionArchitecture=|!arm' \
+ 'AssertPathExists=/etc/os-release'
+(! systemd-analyze condition 'ConditionArchitecture=|!arm' 'AssertXYZ=foo')
+(! systemd-analyze condition 'ConditionKernelVersion=<1.0')
+(! systemd-analyze condition 'AssertKernelVersion=<1.0')
+# syscall-filter
+systemd-analyze syscall-filter >/dev/null
+systemd-analyze syscall-filter @chown @sync
+systemd-analyze syscall-filter @sync @sync @sync
+(! systemd-analyze syscall-filter @chown @sync @foobar)
+# filesystems (requires libbpf support)
+if systemctl --version | grep "+BPF_FRAMEWORK"; then
+ systemd-analyze filesystems >/dev/null
+ systemd-analyze filesystems @basic-api
+ systemd-analyze filesystems @basic-api @basic-api @basic-api
+ (! systemd-analyze filesystems @basic-api @basic-api @foobar @basic-api)
+fi
+# calendar
+systemd-analyze calendar '*-2-29 0:0:0'
+systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
+systemd-analyze calendar '*-* *:*:*'
+systemd-analyze calendar --iterations=5 '*-* *:*:*'
+systemd-analyze calendar --iterations=50 '*-* *:*:*'
+systemd-analyze calendar --iterations=0 '*-* *:*:*'
+systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*'
+(! systemd-analyze calendar --iterations=0 '*-* 99:*:*')
+(! systemd-analyze calendar --base-time=never '*-* *:*:*')
+(! systemd-analyze calendar 1)
+(! systemd-analyze calendar "")
+# timestamp
+systemd-analyze timestamp now
+systemd-analyze timestamp -- -1
+systemd-analyze timestamp yesterday now tomorrow
+(! systemd-analyze timestamp yesterday never tomorrow)
+(! systemd-analyze timestamp 1)
+(! systemd-analyze timestamp "")
+# timespan
+systemd-analyze timespan 1
+systemd-analyze timespan 1s 300s '1year 0.000001s'
+(! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s')
+(! systemd-analyze timespan -- -1)
+(! systemd-analyze timespan "")
+# cat-config
+systemd-analyze cat-config systemd/system.conf >/dev/null
+systemd-analyze cat-config /etc/systemd/system.conf >/dev/null
+systemd-analyze cat-config systemd/system.conf systemd/journald.conf >/dev/null
+systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf >/dev/null
+systemd-analyze cat-config foo/bar
+
mkdir -p /tmp/img/usr/lib/systemd/system/
mkdir -p /tmp/img/opt/

@ -0,0 +1,65 @@
From 1a0e6961cfaed42bda542e111738c136f7b4d73f Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sat, 15 Jun 2024 17:27:33 +0200
Subject: [PATCH] man,units: drop "temporary" from description of
systemd-tmpfiles
Historically, systemd-tmpfiles was designed to manager temporary
files, but nowadays it has become a generic tool for managing
all kinds of files. To avoid user confusion, let's remove "temporary"
from the tool's description.
As discussed in #33349
(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735)
---
man/systemd-tmpfiles.xml | 8 +++++---
units/systemd-tmpfiles-setup.service | 2 +-
units/user/systemd-tmpfiles-setup.service | 2 +-
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 6f3ec66611..9767aead85 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -55,9 +55,11 @@
<refsect1>
<title>Description</title>
- <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up volatile and temporary files
- and directories, using the configuration file format and location specified in
- <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. It must
+ <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up files and directories, using
+ the configuration file format and location specified in
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides
+ generic file management functionality and can be used to manage any kind of files. It must
be invoked with one or more commands <option>--create</option>, <option>--remove</option>, and
<option>--clean</option>, to select the respective subset of operations.</para>
diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service
index 6cae32850f..b92beb7314 100644
--- a/units/systemd-tmpfiles-setup.service
+++ b/units/systemd-tmpfiles-setup.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Create Volatile Files and Directories
+Description=Create System Files and Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service
index 156689edcd..54e453c4fc 100644
--- a/units/user/systemd-tmpfiles-setup.service
+++ b/units/user/systemd-tmpfiles-setup.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Create User's Volatile Files and Directories
+Description=Create User Files and Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
Conflicts=shutdown.target

@ -1,37 +0,0 @@
From 080747ee6685b9c5877073c5120375e7a04d8216 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 3 Nov 2022 09:39:36 +0900
Subject: [PATCH] udev: first set properties based on usb subsystem
After 479da1107a0d4e2f7ef5cd938512b87a0e45f180, the usb_id builtin
command does not set ID_SERIAL if ID_BUS is already set.
Before the commit, all properties set based on pci bus were overwritten
by the usb_id, hence now it is sufficient setting them only when ID_BUS is
not set yet.
Fixes #25238.
(cherry picked from commit 01e704eba982fbc1517287cd261d229ff8e0a779)
Related #2138081
---
rules.d/60-serial.rules | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules
index f303e27fd5..c133f26109 100644
--- a/rules.d/60-serial.rules
+++ b/rules.d/60-serial.rules
@@ -3,9 +3,10 @@
ACTION=="remove", GOTO="serial_end"
SUBSYSTEM!="tty", GOTO="serial_end"
-SUBSYSTEMS=="pci", ENV{ID_BUS}="pci", ENV{ID_VENDOR_ID}="$attr{vendor}", ENV{ID_MODEL_ID}="$attr{device}"
-SUBSYSTEMS=="pci", IMPORT{builtin}="hwdb --subsystem=pci"
SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb"
+SUBSYSTEMS=="pci", ENV{ID_BUS}=="", ENV{ID_BUS}="pci", \
+ ENV{ID_VENDOR_ID}="$attr{vendor}", ENV{ID_MODEL_ID}="$attr{device}", \
+ IMPORT{builtin}="hwdb --subsystem=pci"
# /dev/serial/by-path/, /dev/serial/by-id/ for USB devices
KERNEL!="ttyUSB[0-9]*|ttyACM[0-9]*", GOTO="serial_end"

@ -0,0 +1,24 @@
From 9f5f3c2f8bc2c3d82678672f3e700c1eb4e52d61 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 11:16:21 +0100
Subject: [PATCH] mkosi: enable unprivileged user ns for integration tests
Ubuntu disables them by default in Noble, ship a sysctl to turn them back on
so that tests can use them
(cherry picked from commit 4cfcde024f34b3e5f682364d4e0c6185ef07d467)
---
.../usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
new file mode 100644
index 0000000000..657ac72f8d
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
@@ -0,0 +1,4 @@
+# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed
+# for integration tests
+kernel.apparmor_restrict_unprivileged_unconfined = 0
+kernel.apparmor_restrict_unprivileged_userns = 0
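Review bot: The header comment and the commit message only explain the user-namespace knob, but the file also sets `kernel.apparmor_restrict_unprivileged_unconfined = 0`, which is a separate AppArmor restriction with no stated reason. Both lines switch off a distribution hardening default, so the comment should say why each is needed and make clear the file belongs only to the disposable test image, e.g. `# Both knobs relax Ubuntu's AppArmor hardening defaults; integration-test image only, not for production images.`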

@ -1,30 +0,0 @@
From 35ec16bfef92d072edacad892fc138b3595ee69b Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 3 Nov 2022 09:43:14 +0900
Subject: [PATCH] udev: drop redundant call of usb_id and assignment of
ID_USB_INTERFACE_NUM
The usb_id builtin command is already called in the above, and the
command sets the ID_USB_INTERFACE_NUM property.
(cherry picked from commit b2e53f5a0f12db65c88404477fedee5c57d201ba)
Related #2138081
---
rules.d/60-serial.rules | 2 --
1 file changed, 2 deletions(-)
diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules
index c133f26109..2c1488e930 100644
--- a/rules.d/60-serial.rules
+++ b/rules.d/60-serial.rules
@@ -17,9 +17,7 @@ IMPORT{builtin}="path_id"
ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", SYMLINK+="serial/by-path/$env{ID_PATH}"
ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-path/$env{ID_PATH}-port$env{.ID_PORT}"
-IMPORT{builtin}="usb_id"
ENV{ID_SERIAL}=="", GOTO="serial_end"
-SUBSYSTEMS=="usb", ENV{ID_USB_INTERFACE_NUM}="$attr{bInterfaceNumber}"
ENV{ID_USB_INTERFACE_NUM}=="", GOTO="serial_end"
ENV{.ID_PORT}=="", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}"
ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}-port$env{.ID_PORT}"

@ -0,0 +1,74 @@
From 21feae324e812580062c36aa14cc5e68a37aa151 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 15:28:56 +0100
Subject: [PATCH] mkosi: use ports.ubuntu.com for non-x86 backports
Follow-up for 46368556afee7a1f3a1685609942438ef2d9d6c1
(cherry picked from commit c01cb8cbff8512b65b7903b55f78c8d12661b8d7)
---
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf | 3 ---
.../mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 9 +++++++++
.../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 9 +++++++++
.../mkosi.conf.d/10-ubuntu/noble-backports-ports.sources | 6 ++++++
4 files changed, 24 insertions(+), 3 deletions(-)
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
index 25957b1e92..86f9736ed9 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
@@ -3,9 +3,6 @@
[Match]
Distribution=ubuntu
-[Distribution]
-PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
-
[Content]
Packages=
linux-image-generic
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
new file mode 100644
index 0000000000..0ec4807822
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The ports Ubuntu archive is for non i386/amd64 repositories
+
+[Match]
+Architecture=!x86-64
+Architecture=!x86
+
+[Distribution]
+PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
new file mode 100644
index 0000000000..c08eeac337
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The main Ubuntu archive is only for i386/amd64 repositories
+
+[Match]
+Architecture=|x86-64
+Architecture=|x86
+
+[Distribution]
+PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
new file mode 100644
index 0000000000..5b96dc544d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+Types: deb
+URIs: http://ports.ubuntu.com
+Suites: noble-backports
+Components: main universe
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

@ -1,26 +0,0 @@
From 03bb31bbb875e20da7ae37eb44e98d244823e0e7 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 3 Nov 2022 09:52:23 +0900
Subject: [PATCH] udev: add safe guard for setting by-id symlink
The ID_BUS property is necessary for creating by-id symlinks.
(cherry picked from commit 5286da064c97d2ac934cb301066aaa8605a3c8f9)
Related #2138081
---
rules.d/60-serial.rules | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules
index 2c1488e930..a0e66323a9 100644
--- a/rules.d/60-serial.rules
+++ b/rules.d/60-serial.rules
@@ -17,6 +17,7 @@ IMPORT{builtin}="path_id"
ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", SYMLINK+="serial/by-path/$env{ID_PATH}"
ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-path/$env{ID_PATH}-port$env{.ID_PORT}"
+ENV{ID_BUS}=="", GOTO="serial_end"
ENV{ID_SERIAL}=="", GOTO="serial_end"
ENV{ID_USB_INTERFACE_NUM}=="", GOTO="serial_end"
ENV{.ID_PORT}=="", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}"

@ -0,0 +1,58 @@
From 9802a28b367b3d403c41b570949e3c91f505ede5 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 20:42:12 +0100
Subject: [PATCH] mkosi: install EFI packages only on EFI architectures
sbsigntool, systemd-boot and systemd-boot-efi do not exist on other
architectures
(cherry picked from commit 47fe3f29b4ba1b44ae71a7e67c579c4883731dd4)
---
.../mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 3 ---
.../10-debian-ubuntu/mkosi.conf.d/efi.conf | 16 ++++++++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
index ae014fa966..ecac78049d 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -20,8 +20,6 @@ VolatilePackages=
libsystemd-dev
libudev-dev
systemd
- systemd-boot
- systemd-boot-efi
systemd-container
systemd-coredump
systemd-dev
@@ -74,7 +72,6 @@ Packages=
python3-pexpect
python3-psutil
quota
- sbsigntool
softhsm2
squashfs-tools
stress
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
new file mode 100644
index 0000000000..781670a775
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# sbsigntool exists only on UEFI architectures
+
+[Match]
+Architecture=|x86
+Architecture=|x86-64
+Architecture=|arm
+Architecture=|arm64
+Architecture=|riscv32
+Architecture=|riscv64
+
+[Content]
+Packages=
+ sbsigntool
+ systemd-boot
+ systemd-boot-efi
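Review bot: The header comment `# sbsigntool exists only on UEFI architectures` names one of the three packages the file gates, while the package list and the commit message cover systemd-boot and systemd-boot-efi as well; suggest `# sbsigntool, systemd-boot and systemd-boot-efi exist only on UEFI architectures`. Whether all three packages are actually built for every architecture in the Match list (riscv32 in particular) is not something this page shows, so that is worth confirming before relying on the list.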

@ -1,45 +0,0 @@
From 266baa71dbb336d9c2eb1e4e7db3983477cc6ce0 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 3 Nov 2022 10:59:38 +0100
Subject: [PATCH] test: cover legacy/deprecated systemd-analyze verbs
They're no longer documented since 26e1e97345 but still work.
(cherry picked from commit 926d95cd4c209b8c292829511542b11d7c43e662)
Related #2138081
---
test/units/testsuite-65.sh | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index ece6b8734e..89406a108e 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -6,7 +6,7 @@ set -eux
# shellcheck source=test/units/assert.sh
. "$(dirname "$0")"/assert.sh
-systemd-analyze log-level debug
+systemctl log-level debug
export SYSTEMD_LOG_LEVEL=debug
# Sanity checks
@@ -19,6 +19,17 @@ systemd-analyze time || :
systemd-analyze blame || :
systemd-analyze critical-chain || :
systemd-analyze plot >/dev/null || :
+# legacy/deprecated options (moved to systemctl, but still usable from analyze)
+systemd-analyze log-level
+systemd-analyze log-level "$(systemctl log-level)"
+systemd-analyze get-log-level
+systemd-analyze set-log-level "$(systemctl log-level)"
+systemd-analyze log-target
+systemd-analyze log-target "$(systemctl log-target)"
+systemd-analyze get-log-target
+systemd-analyze set-log-target "$(systemctl log-target)"
+systemd-analyze service-watchdogs
+systemd-analyze service-watchdogs "$(systemctl service-watchdogs)"
# dot
systemd-analyze dot >/dev/null
systemd-analyze dot systemd-journald.service >/dev/null

@ -0,0 +1,31 @@
From 50b53b8221aa9d5e8fa3269b73d13b8a304728a8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 13:41:50 +0100
Subject: [PATCH] test: check the skip condition before installing additional
files
(cherry picked from commit e1daedb4be6d8180790e0b303872fb1c87ddc7fc)
---
test/units/TEST-43-PRIVATEUSER-UNPRIV.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
index 165af47f15..f8a2a62467 100755
--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
+++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
@@ -6,13 +6,13 @@ set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
-install_extension_images
-
if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
echo "Cannot create unprivileged user namespaces" >/skipped
exit 77
fi
+install_extension_images
+
systemd-analyze log-level debug
runas testuser systemd-run --wait --user --unit=test-private-users \
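Review bot: The skip condition that the moved `install_extension_images` call now runs after only recognises AppArmor's `kernel.apparmor_restrict_unprivileged_userns`; on a kernel where unprivileged user namespaces are disabled another way, for example `user.max_user_namespaces=0`, the test would presumably still fail rather than exit 77. If that configuration can occur in the test environment, a second guard of the same shape placed before `install_extension_images` keeps the early skip cheap, e.g. `v=$(sysctl -ne user.max_user_namespaces); if [[ -n "$v" && "$v" -eq 0 ]]; then echo "Cannot create unprivileged user namespaces" >/skipped; exit 77; fi`. The `-n` test matters because `sysctl -ne` prints nothing for an absent key and `[[ "" -eq 0 ]]` is true in bash, which would skip the test on kernels that simply lack the key. The rest of the script is outside the hunk.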

@ -1,56 +0,0 @@
From 37614533602981aa3757cd3e847f184fdae1432e Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 3 Nov 2022 11:33:13 +0100
Subject: [PATCH] test: cover a couple of previously missed analyze code paths
(cherry picked from commit 8b1879bcd0ed1168f5ad35a3dd0e213a31a2ee42)
Related #2138081
---
test/units/testsuite-65.sh | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index 89406a108e..1f34308b44 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -45,8 +45,16 @@ systemd-analyze dot "systemd-*.service" >/dev/null
systemd-analyze dump >/dev/null
systemd-analyze dump "*" >/dev/null
systemd-analyze dump "*.socket" >/dev/null
+systemd-analyze dump "*.socket" "*.service" aaaaaaa ... >/dev/null
systemd-analyze dump systemd-journald.service >/dev/null
(! systemd-analyze dump "")
+# unit-files
+systemd-analyze unit-files >/dev/null
+systemd-analyze unit-files systemd-journald.service >/dev/null
+systemd-analyze unit-files "*" >/dev/null
+systemd-analyze unit-files "*" aaaaaa "*.service" "*.target" >/dev/null
+systemd-analyze unit-files --user >/dev/null
+systemd-analyze unit-files --user "*" aaaaaa "*.service" "*.target" >/dev/null
# unit-paths
systemd-analyze unit-paths
systemd-analyze unit-paths --user
@@ -103,6 +111,7 @@ systemd-analyze calendar '*-* *:*:*'
systemd-analyze calendar --iterations=5 '*-* *:*:*'
systemd-analyze calendar --iterations=50 '*-* *:*:*'
systemd-analyze calendar --iterations=0 '*-* *:*:*'
+systemd-analyze calendar --iterations=5 '01-01-22 01:00:00'
systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*'
(! systemd-analyze calendar --iterations=0 '*-* 99:*:*')
(! systemd-analyze calendar --base-time=never '*-* *:*:*')
@@ -114,12 +123,14 @@ systemd-analyze timestamp -- -1
systemd-analyze timestamp yesterday now tomorrow
(! systemd-analyze timestamp yesterday never tomorrow)
(! systemd-analyze timestamp 1)
+(! systemd-analyze timestamp '*-2-29 0:0:0')
(! systemd-analyze timestamp "")
# timespan
systemd-analyze timespan 1
systemd-analyze timespan 1s 300s '1year 0.000001s'
(! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s')
(! systemd-analyze timespan -- -1)
+(! systemd-analyze timespan '*-2-29 0:0:0')
(! systemd-analyze timespan "")
# cat-config
systemd-analyze cat-config systemd/system.conf >/dev/null

@ -0,0 +1,37 @@
From 51a2e7be5ec1a28be11d309897671c8dd4511ae8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 16:08:57 +0100
Subject: [PATCH] test: drop unneeded firmware: uefi setting
These tests no longer need this, as they are running in nspawn, drop it
(cherry picked from commit f44fc531c95e37c83203375c411189009a01b482)
---
test/TEST-09-REBOOT/meson.build | 2 --
test/TEST-18-FAILUREACTION/meson.build | 2 --
2 files changed, 4 deletions(-)
diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build
index c4b41bc97b..b7556189f5 100644
--- a/test/TEST-09-REBOOT/meson.build
+++ b/test/TEST-09-REBOOT/meson.build
@@ -4,7 +4,5 @@ integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'storage' : 'persistent',
- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
},
]
diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build
index 5edfbcad1f..8dec5f37e7 100644
--- a/test/TEST-18-FAILUREACTION/meson.build
+++ b/test/TEST-18-FAILUREACTION/meson.build
@@ -3,7 +3,5 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
},
]

@ -1,371 +0,0 @@
From e0d51a65a8bbe8c86af4bb843a5f9ac7d590fa01 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 3 Nov 2022 13:13:03 +0100
Subject: [PATCH] test: introduce sanity coverage for auxiliary utils
(cherry picked from commit d1020334fd15e0cffe68cb4d7e862a36253cc481)
Related #2138081
---
test/TEST-74-AUX-UTILS/Makefile | 1 +
test/TEST-74-AUX-UTILS/test.sh | 10 ++
test/units/testsuite-74.cgls.sh | 26 +++++
test/units/testsuite-74.cgtop.sh | 32 ++++++
test/units/testsuite-74.delta.sh | 59 +++++++++++
test/units/testsuite-74.firstboot.sh | 145 +++++++++++++++++++++++++++
test/units/testsuite-74.service | 8 ++
test/units/testsuite-74.sh | 14 +++
8 files changed, 295 insertions(+)
create mode 120000 test/TEST-74-AUX-UTILS/Makefile
create mode 100755 test/TEST-74-AUX-UTILS/test.sh
create mode 100755 test/units/testsuite-74.cgls.sh
create mode 100755 test/units/testsuite-74.cgtop.sh
create mode 100755 test/units/testsuite-74.delta.sh
create mode 100755 test/units/testsuite-74.firstboot.sh
create mode 100644 test/units/testsuite-74.service
create mode 100755 test/units/testsuite-74.sh
diff --git a/test/TEST-74-AUX-UTILS/Makefile b/test/TEST-74-AUX-UTILS/Makefile
new file mode 120000
index 0000000000..e9f93b1104
--- /dev/null
+++ b/test/TEST-74-AUX-UTILS/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-74-AUX-UTILS/test.sh b/test/TEST-74-AUX-UTILS/test.sh
new file mode 100755
index 0000000000..f422c89141
--- /dev/null
+++ b/test/TEST-74-AUX-UTILS/test.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+TEST_DESCRIPTION="Tests for auxiliary utilities"
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+do_test "$@"
diff --git a/test/units/testsuite-74.cgls.sh b/test/units/testsuite-74.cgls.sh
new file mode 100755
index 0000000000..120570c9cc
--- /dev/null
+++ b/test/units/testsuite-74.cgls.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+systemd-cgls
+systemd-cgls --all --full
+systemd-cgls -k
+systemd-cgls --xattr=yes
+systemd-cgls --xattr=no
+systemd-cgls --cgroup-id=yes
+systemd-cgls --cgroup-id=no
+
+systemd-cgls /system.slice/systemd-journald.service
+systemd-cgls /system.slice/systemd-journald.service /init.scope
+systemd-cgls /sys/fs/cgroup/system.slice/systemd-journald.service /init.scope
+(cd /sys/fs/cgroup/init.scope && systemd-cgls)
+systemd-cgls --unit=systemd-journald.service
+# There's most likely no user session running, so we need to create one
+systemd-run --user --wait --pipe -M testuser@.host systemd-cgls --user-unit=app.slice
+
+(! systemd-cgls /foo/bar)
+(! systemd-cgls --unit=hello.world)
+(! systemd-cgls --user-unit=hello.world)
+(! systemd-cgls --xattr=foo)
+(! systemd-cgls --cgroup-id=foo)
diff --git a/test/units/testsuite-74.cgtop.sh b/test/units/testsuite-74.cgtop.sh
new file mode 100755
index 0000000000..8141ec1b1f
--- /dev/null
+++ b/test/units/testsuite-74.cgtop.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# Without tty attached cgtop should default to --iterations=1
+systemd-cgtop
+systemd-cgtop --iterations=1
+# Same as --iterations=1
+systemd-cgtop -1
+systemd-cgtop --delay=1ms
+systemd-cgtop --raw
+systemd-cgtop --batch
+systemd-cgtop --cpu=percentage
+systemd-cgtop --cpu=time
+systemd-cgtop -P
+systemd-cgtop -k
+# FIXME: https://github.com/systemd/systemd/issues/25248
+#systemd-cgtop --recursive=no
+systemd-cgtop --depth=0
+systemd-cgtop --depth=100
+
+for order in path tasks cpu memory io; do
+ systemd-cgtop --order="$order"
+done
+systemd-cgtop -p -t -c -m -i
+
+(! systemd-cgtop --cpu=foo)
+(! systemd-cgtop --order=foo)
+(! systemd-cgtop --depth=-1)
+(! systemd-cgtop --recursive=foo)
+(! systemd-cgtop --delay=1foo)
diff --git a/test/units/testsuite-74.delta.sh b/test/units/testsuite-74.delta.sh
new file mode 100755
index 0000000000..a0e1cb52dd
--- /dev/null
+++ b/test/units/testsuite-74.delta.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+at_exit() {
+ rm -rfv /{run,etc}/systemd/system/delta-test*
+}
+
+trap at_exit EXIT
+
+# Create a couple of supporting units with overrides
+#
+# Extended unit
+cat >"/run/systemd/system/delta-test-unit-extended.service" <<EOF
+[Service]
+ExecStart=/bin/true
+EOF
+mkdir -p "/run/systemd/system/delta-test-unit-extended.service.d"
+cat >"/run/systemd/system/delta-test-unit-extended.service.d/override.conf" <<EOF
+[Unit]
+Description=Foo Bar
+[Service]
+ExecStartPre=/bin/true
+EOF
+# Masked unit
+cp -fv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-masked.service
+systemctl mask delta-test-unit-masked.service
+# Overridden unit
+cp -fv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-overridden.service
+cp -fv /run/systemd/system/delta-test-unit-overridden.service /etc/systemd/system/delta-test-unit-overridden.service
+echo "ExecStartPost=/bin/true" >>/etc/systemd/system/delta-test-unit-overridden.service
+# Overridden but equivalent unit
+ln -srfv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-equivalent.service
+ln -sfv /run/systemd/system/delta-test-unit-extended.service /etc/systemd/system/delta-test-unit-equivalent.service
+# Redirected unit
+ln -srfv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-redirected.service
+ln -sfv /run/systemd/system/delta-test-unit-overidden.service /etc/systemd/system/delta-test-unit-extended.service
+
+systemctl daemon-reload
+
+systemd-delta
+systemd-delta /run
+systemd-delta systemd/system
+systemd-delta /run systemd/system /run
+systemd-delta /run foo/bar hello/world systemd/system /run
+systemd-delta foo/bar
+systemd-delta --diff=true
+systemd-delta --diff=false
+
+for type in masked equivalent redirected overridden extended unchanged; do
+ systemd-delta --type="$type"
+ systemd-delta --type="$type" /run
+done
+systemd-delta --type=equivalent,redirected
+
+(! systemd-delta --diff=foo)
+(! systemd-delta --type=foo)
+(! systemd-delta --type=equivalent,redirected,foo)
diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh
new file mode 100755
index 0000000000..02f9f5cd7a
--- /dev/null
+++ b/test/units/testsuite-74.firstboot.sh
@@ -0,0 +1,145 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+if ! command -v systemd-firstboot >/dev/null; then
+ echo "systemd-firstboot not found, skipping the test"
+ exit 0
+fi
+
+at_exit() {
+ if [[ -v ROOT && -n "$ROOT" ]]; then
+ ls -lR "$ROOT"
+ rm -fr "$ROOT"
+ fi
+}
+
+trap at_exit EXIT
+
+# Generated via `mkpasswd -m sha-512 -S foobarsalt password1`
+# shellcheck disable=SC2016
+ROOT_HASHED_PASSWORD1='$6$foobarsalt$YbwdaATX6IsFxvWbY3QcZj2gB31R/LFRFrjlFrJtTTqFtSfn4dfOAg/km2k4Sl.a2g7LOYDo31wMTaEsCo9j41'
+# Generated via `mkpasswd -m sha-512 -S foobarsalt password2`
+# shellcheck disable=SC2016
+ROOT_HASHED_PASSWORD2='$6$foobarsalt$q.P2932zYMLbKnjFwIxPI8y3iuxeuJ2BgE372LcZMMnj3Gcg/9mJg2LPKUl.ha0TG/.fRNNnRQcLfzM0SNot3.'
+
+# Create a minimal root so we don't modify the testbed
+ROOT=test-root
+mkdir -p "$ROOT/bin"
+# Dummy shell for --root-shell=
+touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell"
+
+systemd-firstboot --root="$ROOT" --locale=foo
+grep -q "LANG=foo" "$ROOT/etc/locale.conf"
+rm -fv "$ROOT/etc/locale.conf"
+# FIXME: https://github.com/systemd/systemd/issues/25249
+#systemd-firstboot --root="$ROOT" --locale-messages=foo
+#grep -q "LC_MESSAGES=foo" "$ROOT/etc/locale.conf"
+#rm -fv "$ROOT/etc/locale.conf"
+systemd-firstboot --root="$ROOT" --locale=foo --locale-messages=bar
+grep -q "LANG=foo" "$ROOT/etc/locale.conf"
+grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf"
+
+systemd-firstboot --root="$ROOT" --keymap=foo
+grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf"
+
+systemd-firstboot --root="$ROOT" --timezone=Europe/Berlin
+readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin"
+
+systemd-firstboot --root="$ROOT" --hostname "foobar"
+grep -q "foobar" "$ROOT/etc/hostname"
+
+systemd-firstboot --root="$ROOT" --machine-id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id"
+
+rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
+systemd-firstboot --root="$ROOT" --root-password=foo
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
+grep -q "^root:" "$ROOT/etc/shadow"
+rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
+echo "foo" >root.passwd
+systemd-firstboot --root="$ROOT" --root-password-file=root.passwd
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
+grep -q "^root:" "$ROOT/etc/shadow"
+rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" root.passwd
+# Set the shell together with the password, as firstboot won't touch
+# /etc/passwd if it already exists
+systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" --root-shell=/bin/fooshell
+grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd"
+grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow"
+
+systemd-firstboot --root="$ROOT" --kernel-command-line="foo.bar=42"
+grep -q "foo.bar=42" "$ROOT/etc/kernel/cmdline"
+
+# Configs should not get overwritten if they exist unless --force is used
+systemd-firstboot --root="$ROOT" \
+ --locale=locale-overwrite \
+ --locale-messages=messages-overwrite \
+ --keymap=keymap-overwrite \
+ --timezone=CET \
+ --hostname=hostname-overwrite \
+ --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \
+ --root-password-hashed="$ROOT_HASHED_PASSWORD2" \
+ --root-shell=/bin/barshell \
+ --kernel-command-line="hello.world=0"
+grep -q "LANG=foo" "$ROOT/etc/locale.conf"
+grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf"
+grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf"
+readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$"
+grep -q "foobar" "$ROOT/etc/hostname"
+grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id"
+grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd"
+grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow"
+grep -q "foo.bar=42" "$ROOT/etc/kernel/cmdline"
+
+# The same thing, but now with --force
+systemd-firstboot --root="$ROOT" --force \
+ --locale=locale-overwrite \
+ --locale-messages=messages-overwrite \
+ --keymap=keymap-overwrite \
+ --timezone=CET \
+ --hostname=hostname-overwrite \
+ --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \
+ --root-password-hashed="$ROOT_HASHED_PASSWORD2" \
+ --root-shell=/bin/barshell \
+ --kernel-command-line="hello.world=0"
+grep -q "LANG=locale-overwrite" "$ROOT/etc/locale.conf"
+grep -q "LC_MESSAGES=messages-overwrite" "$ROOT/etc/locale.conf"
+grep -q "KEYMAP=keymap-overwrite" "$ROOT/etc/vconsole.conf"
+readlink "$ROOT/etc/localtime" | grep -q "/CET$"
+grep -q "hostname-overwrite" "$ROOT/etc/hostname"
+grep -q "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" "$ROOT/etc/machine-id"
+grep -q "^root:x:0:0:.*:/bin/barshell$" "$ROOT/etc/passwd"
+grep -q "^root:$ROOT_HASHED_PASSWORD2:" "$ROOT/etc/shadow"
+grep -q "hello.world=0" "$ROOT/etc/kernel/cmdline"
+
+# --copy-* options
+rm -fr "$ROOT"
+mkdir "$ROOT"
+# Copy everything at once (--copy)
+systemd-firstboot --root="$ROOT" --copy
+diff /etc/locale.conf "$ROOT/etc/locale.conf"
+diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd")
+diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow")
+[[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf"
+[[ -e /etc/localtime ]] && diff <(readlink /etc/localtime) <(readlink "$ROOT/etc/localtime")
+rm -fr "$ROOT"
+mkdir "$ROOT"
+# Copy everything at once, but now by using separate switches
+systemd-firstboot --root="$ROOT" --copy-locale --copy-keymap --copy-timezone --copy-root-password --copy-root-shell
+diff /etc/locale.conf "$ROOT/etc/locale.conf"
+diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd")
+diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow")
+[[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf"
+[[ -e /etc/localtime ]] && diff <(readlink /etc/localtime) <(readlink "$ROOT/etc/localtime")
+
+# Assorted tests
+rm -fr "$ROOT"
+mkdir "$ROOT"
+
+systemd-firstboot --root="$ROOT" --setup-machine-id
+grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id"
+
+systemd-firstboot --root="$ROOT" --delete-root-password
+diff <(echo) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow")
diff --git a/test/units/testsuite-74.service b/test/units/testsuite-74.service
new file mode 100644
index 0000000000..f782132a92
--- /dev/null
+++ b/test/units/testsuite-74.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=TEST-74-AUX-UTILS
+
+[Service]
+ExecStartPre=rm -f /failed /testok
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot
diff --git a/test/units/testsuite-74.sh b/test/units/testsuite-74.sh
new file mode 100755
index 0000000000..13c767e490
--- /dev/null
+++ b/test/units/testsuite-74.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+: >/failed
+
+for script in "${0%.sh}".*.sh; do
+ echo "Running $script"
+ "./$script"
+done
+
+touch /testok
+rm /failed

@ -1,56 +0,0 @@
From 1ef6ffdf0923095752665c7ff6062514dfa6c6bf Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Fri, 4 Nov 2022 00:01:16 +0000
Subject: [PATCH] firstboot: fix segfault when --locale-messages= is passed
without --locale=
\#0 __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:295
No locals.
\#1 0x0000557444eb172b in process_locale () at ../src/firstboot/firstboot.c:342
etc_localeconf = 0x7ffd40217b80 "/root/root/etc/locale.conf"
locales = {0x0, 0x0, 0x0}
i = 0
r = <optimized out>
__PRETTY_FUNCTION__ = "process_locale"
__func__ = "process_locale"
\#2 0x0000557444eaff93 in run (argv=0x7ffd40217d98, argc=3) at ../src/firstboot/firstboot.c:1401
loop_device = 0x0
unlink_dir = 0x0
r = <optimized out>
loop_device = <optimized out>
unlink_dir = <optimized out>
r = <optimized out>
__func__ = <optimized out>
__PRETTY_FUNCTION__ = <optimized out>
enabled = <optimized out>
_error = <optimized out>
_level = <optimized out>
_e = <optimized out>
_level = <optimized out>
_e = <optimized out>
\#3 main (argc=3, argv=0x7ffd40217d98) at ../src/firstboot/firstboot.c:1432
r = <optimized out>
__PRETTY_FUNCTION__ = "main"
Fixes https://github.com/systemd/systemd/issues/25249
(cherry picked from commit 4c4a73ce068ef16cfe7ad07c7c3386ac1dbc58fe)
Related #2138081
---
src/firstboot/firstboot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index 065ee896cd..63db78b52d 100644
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -339,7 +339,7 @@ static int process_locale(void) {
if (!isempty(arg_locale))
locales[i++] = strjoina("LANG=", arg_locale);
- if (!isempty(arg_locale_messages) && !streq(arg_locale_messages, arg_locale))
+ if (!isempty(arg_locale_messages) && !streq_ptr(arg_locale_messages, arg_locale))
locales[i++] = strjoina("LC_MESSAGES=", arg_locale_messages);
if (i == 0)

@ -0,0 +1,28 @@
From df1e7d9572fab94209989f341bb1e1a86d88223b Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 19:21:32 +0100
Subject: [PATCH] test: drop obsolete comment
We want to keep various logic here instead of mkosi, so drop the
temporary comment
(cherry picked from commit 626518ecd5e7b0c0c708ba53d7eb62934506ed54)
---
test/integration-test-wrapper.py | 4 ----
1 file changed, 4 deletions(-)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 5b098a3e01..1e015e7d47 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -2,10 +2,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
'''Test wrapper command for driving integration tests.
-
-Note: This is deliberately rough and only intended to drive existing tests
-with the expectation that as part of formally defining the API it will be tidy.
-
'''
import argparse

@ -0,0 +1,25 @@
From a36cb5660e4d84c16242c1d70b99d9a2e389f191 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 19:15:24 +0100
Subject: [PATCH] test: support TEST_NO_KVM
The shell integration suite allows to manually deselect KVM, so
suppor the same env var for the same purpose in python.
(cherry picked from commit 7d2701e7d1d0a7194026dd371071df6e63f59a82)
---
test/integration-test-wrapper.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 1e015e7d47..15b1ce1055 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -124,6 +124,7 @@ def main():
*args.mkosi_args,
'--append',
'--qemu-firmware', args.firmware,
+ '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
'--kernel-command-line-extra',
' '.join([
'systemd.hostname=H',
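Review bot: The new `--qemu-kvm` argument parses `TEST_NO_KVM` with `bool(int(os.getenv("TEST_NO_KVM", "0")))`, so any non-numeric value such as `TEST_NO_KVM=yes` or an empty string raises `ValueError` and aborts the wrapper instead of disabling KVM. Since the commit message says this mirrors the shell suite's variable, accepting the usual spellings is less surprising: `'--qemu-kvm', "no" if os.getenv("TEST_NO_KVM", "0").strip().lower() in ("1", "yes", "true") else "auto",`. The double negation `"auto" if not bool(...) else "no"` also reads inverted; putting the `"no"` branch first as above removes it. The same `bool(int(os.getenv(...)))` pattern appears in the TEST_NO_QEMU hunk further down (`if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0")))`), and both sites could share one small `_env_flag(name)` helper rather than repeating the parse. `main()` starts outside the hunk.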

@ -1,76 +0,0 @@
From 1d41d2789bb67f5909d6974d2fd916e462a0a5cf Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Fri, 4 Nov 2022 12:24:10 +0100
Subject: [PATCH] tests: make test-execute pass on openSUSE
In my understanding user group "3" (aka "sys") is kept for historical reasons
but not really useful these days. That's probably explained why this group
isn't defined on openSUSE.
Hence let's drop reference to this user group, this shouldn't lessen the
revelance of the test since SupplementaryGroups= is still tested with 2 other
groups.
(cherry picked from commit d723b0467d7b8c5c772086d5352442f3fca4368d)
Related #2138081
---
test/test-execute/exec-dynamicuser-supplementarygroups.service | 3 +--
...plementarygroups-multiple-groups-default-group-user.service | 3 +--
.../exec-supplementarygroups-multiple-groups-withgid.service | 3 +--
.../exec-supplementarygroups-multiple-groups-withuid.service | 3 +--
4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service
index fb0b57bc00..53ba0ec7cb 100644
--- a/test/test-execute/exec-dynamicuser-supplementarygroups.service
+++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service
@@ -5,7 +5,6 @@ Description=Test DynamicUser with SupplementaryGroups=
[Service]
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1'
Type=oneshot
DynamicUser=yes
-SupplementaryGroups=1 2 3
+SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
index 362e539287..4cb0326320 100644
--- a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
@@ -6,7 +6,6 @@ Description=Test for Supplementary Group with multiple groups without Group and
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1'
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"'
Type=oneshot
-SupplementaryGroups=1 2 3
+SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
index ff3fdc8142..e11743d754 100644
--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
@@ -5,8 +5,7 @@ Description=Test for Supplementary Group with multiple groups and Group=1
[Service]
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"'
Type=oneshot
Group=1
-SupplementaryGroups=1 2 3
+SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
index f35ff84765..3efbbfb0f9 100644
--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
@@ -5,7 +5,6 @@ Description=Test for Supplementary Group with multiple groups and Uid=1
[Service]
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1'
Type=oneshot
User=1
-SupplementaryGroups=1 2 3
+SupplementaryGroups=1 2

@ -0,0 +1,30 @@
From 6178aa4bbcc6b0531314c1a2e9df61e45e6c9ad4 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 14:09:40 +0100
Subject: [PATCH] test: support TEST_NO_QEMU in mkosi integration wrapper
Same as the old integration test suite, allow skipping tests that
require qemu.
ppc64el's vsock support doesn't appear to work, so we'll skip it,
as it is already done in the legacy framework.
(cherry picked from commit 464d182b3e470e4163ca376145539a537a6e43a2)
---
test/integration-test-wrapper.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 15b1ce1055..b6a16aa3ef 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -57,6 +57,10 @@ def main():
print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
exit(77)
+ if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
+ print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
+ exit(77)
+
name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")
dropin = textwrap.dedent(

@ -1,150 +0,0 @@
From 5685a8b01abf34ec5da7c43a99ede6e3bb7394eb Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Fri, 4 Nov 2022 12:50:04 +0100
Subject: [PATCH] tests: minor simplification in test-execute
No functional change.
(cherry picked from commit 09415aef940f4a471da7cb899b9a66f1504d7c77)
Related #2138081
---
...xec-dynamicuser-fixeduser-one-supplementarygroup.service | 2 +-
test/test-execute/exec-dynamicuser-fixeduser.service | 2 +-
.../exec-dynamicuser-supplementarygroups.service | 4 ++--
...mentarygroups-multiple-groups-default-group-user.service | 6 +++---
...exec-supplementarygroups-multiple-groups-withgid.service | 4 ++--
...exec-supplementarygroups-multiple-groups-withuid.service | 4 ++--
.../exec-supplementarygroups-single-group-user.service | 2 +-
.../exec-supplementarygroups-single-group.service | 2 +-
test/test-execute/exec-supplementarygroups.service | 4 ++--
9 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
index 0c2a218be0..bbb1af5fb3 100644
--- a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
+++ b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
@@ -3,7 +3,7 @@
Description=Test DynamicUser with User= and SupplementaryGroups=
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
Type=oneshot
User=1
diff --git a/test/test-execute/exec-dynamicuser-fixeduser.service b/test/test-execute/exec-dynamicuser-fixeduser.service
index 061bbd2b93..c5828c2a93 100644
--- a/test/test-execute/exec-dynamicuser-fixeduser.service
+++ b/test/test-execute/exec-dynamicuser-fixeduser.service
@@ -3,7 +3,7 @@
Description=Test DynamicUser with User=
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
Type=oneshot
User=1
diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service
index 53ba0ec7cb..d601af272e 100644
--- a/test/test-execute/exec-dynamicuser-supplementarygroups.service
+++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service
@@ -3,8 +3,8 @@
Description=Test DynamicUser with SupplementaryGroups=
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
Type=oneshot
DynamicUser=yes
SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
index 4cb0326320..0ecc34441c 100644
--- a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
@@ -3,9 +3,9 @@
Description=Test for Supplementary Group with multiple groups without Group and User
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"'
Type=oneshot
SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
index e11743d754..cd1021bbdf 100644
--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
@@ -3,8 +3,8 @@
Description=Test for Supplementary Group with multiple groups and Group=1
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"'
Type=oneshot
Group=1
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
index 3efbbfb0f9..7913a2c2ed 100644
--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
@@ -3,8 +3,8 @@
Description=Test for Supplementary Group with multiple groups and Uid=1
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
Type=oneshot
User=1
SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-single-group-user.service b/test/test-execute/exec-supplementarygroups-single-group-user.service
index aae71d0a30..ee4017e74e 100644
--- a/test/test-execute/exec-supplementarygroups-single-group-user.service
+++ b/test/test-execute/exec-supplementarygroups-single-group-user.service
@@ -3,7 +3,7 @@
Description=Test for Supplementary Group with only one group and uid 1
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
Type=oneshot
User=1
diff --git a/test/test-execute/exec-supplementarygroups-single-group.service b/test/test-execute/exec-supplementarygroups-single-group.service
index c870774382..62275201cc 100644
--- a/test/test-execute/exec-supplementarygroups-single-group.service
+++ b/test/test-execute/exec-supplementarygroups-single-group.service
@@ -3,7 +3,7 @@
Description=Test for Supplementary Group with only one group
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "0"'
Type=oneshot
Group=1
diff --git a/test/test-execute/exec-supplementarygroups.service b/test/test-execute/exec-supplementarygroups.service
index 75601eab57..03406c3ee8 100644
--- a/test/test-execute/exec-supplementarygroups.service
+++ b/test/test-execute/exec-supplementarygroups.service
@@ -3,7 +3,7 @@
Description=Test for Supplementary Group
[Service]
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1'
-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
Type=oneshot
SupplementaryGroups=1

@ -0,0 +1,27 @@
From 7d65709901cb3fc746639398776cfdb7cb750a03 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 15:37:43 +0100
Subject: [PATCH] test: use 'auto' instead of 'uefi' for automated fallback
mkosi will prefer UEFI if the architecture supports it, but fallback
to 'linux' if it doesn't.
(cherry picked from commit 80468db8fa21ffd07dc2f28c656eeaf8f0292367)
---
test/TEST-06-SELINUX/meson.build | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
index 7a850beb81..9261a49c49 100644
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@@ -5,7 +5,8 @@ integration_tests += [
'name' : fs.name(meson.current_source_dir()),
'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
+ # Use 'auto' to automatically fallback on non-uefi architectures.
+ 'firmware' : 'auto',
'vm' : true,
},
]

@ -1,29 +0,0 @@
From 6d8f91ab2f7db862d95d0565bad3aaf4279c00bc Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 3 Nov 2022 20:10:57 +0000
Subject: [PATCH] tmpfiles.d: do not fail if provision.conf fails
On a read-only filesystem creating /root/.ssh might fail, but that's ok.
Do not fail the run, as this is only needed to add the credential, which
is a separate step.
(cherry picked from commit e0fc9be37e4d15e2c322eb8281692c2639dac023)
Related #2138081
---
tmpfiles.d/provision.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tmpfiles.d/provision.conf b/tmpfiles.d/provision.conf
index 3c56f42d58..093104aaaf 100644
--- a/tmpfiles.d/provision.conf
+++ b/tmpfiles.d/provision.conf
@@ -17,6 +17,6 @@ f^ /etc/issue.d/50-provision.conf - - - - login.issue
f^ /etc/hosts - - - - network.hosts
# Provision SSH key for root
-d /root :0700 root :root -
-d /root/.ssh :0700 root :root -
+d- /root :0700 root :root -
+d- /root/.ssh :0700 root :root -
f^ /root/.ssh/authorized_keys :0600 root :root - ssh.authorized_keys.root

@ -0,0 +1,45 @@
From f7d55cc801611781fbff2817f2fd4a16ec96ca85 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Mon, 17 Jun 2024 07:47:20 +0200
Subject: [PATCH] core/service: fix accept-socket deserialization
Follow-up for 45b1017488cef2a5bacdf82028ce900a311c9a1c
(cherry picked from commit 9f5d8c3da4f505346bd1edfae907a2abcdbdc578)
---
src/core/service.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/core/service.c b/src/core/service.c
index 8ec27c463a..6e81460ad0 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) {
service_start_watchdog(s);
if (UNIT_ISSET(s->accept_socket)) {
- Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket));
+ Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket));
if (socket->max_connections_per_source > 0) {
SocketPeer *peer;
@@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
} else if (streq(key, "accept-socket")) {
Unit *socket;
- if (u->type != UNIT_SOCKET) {
- log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket");
+ if (unit_name_to_type(value) != UNIT_SOCKET) {
+ log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value);
return 0;
}
@@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value);
else {
unit_ref_set(&s->accept_socket, u, socket);
- SOCKET(socket)->n_connections++;
+ ASSERT_PTR(SOCKET(socket))->n_connections++;
}
} else if (streq(key, "socket-fd")) {
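Review bot: In the first hunk `socket` is dereferenced right away (`socket->max_connections_per_source`) after `SOCKET(UNIT_DEREF(s->accept_socket))`, while the third hunk wraps the same cast in `ASSERT_PTR(SOCKET(socket))`; if SOCKET() yields NULL on a type mismatch, as systemd's unit cast macros generally do, the coldplug path should fail loudly in the same way: `Socket *socket = ASSERT_PTR(SOCKET(UNIT_DEREF(s->accept_socket)));`. The new `unit_name_to_type(value) != UNIT_SOCKET` guard makes a non-socket reference unlikely to be stored via deserialization, so this is about consistency and an explicit assertion rather than a crash reproducible from the hunk. service_coldplug() begins and ends outside the hunk.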

@ -1,31 +0,0 @@
From d3b559f5e561750e6c50449b2ca84b40abeb492d Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Fri, 4 Nov 2022 09:57:24 +0100
Subject: [PATCH] kernel-install/90-loaderentry: do not add multiple
systemd.machine_id options
Do not unconditionally add a new systemd.machine_id command line option, first
check if it already exists with the expected value.
Fixes #25203
(cherry picked from commit 981502c5cc9ce32c3f77ff74aad87cd6f0da3b16)
Related #2138081
---
src/kernel-install/90-loaderentry.install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install
index 743af33aa9..ea75e1b0d8 100755
--- a/src/kernel-install/90-loaderentry.install
+++ b/src/kernel-install/90-loaderentry.install
@@ -85,7 +85,7 @@ BOOT_OPTIONS="${BOOT_OPTIONS% }"
# command line with the machine ID we use, so that the machine ID remains
# stable, even during factory reset, in the initrd (where the system's machine
# ID is not directly accessible yet), and if the root file system is volatile.
-if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ]; then
+if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id=$MACHINE_ID"; then
BOOT_OPTIONS="$BOOT_OPTIONS systemd.machine_id=$MACHINE_ID"
fi

@ -1,120 +0,0 @@
From 1b7dfe48d6d66cad5d0368b8e8b387a4d9586ccd Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 27 Oct 2022 11:12:10 +0200
Subject: [PATCH] condition: Check that subsystem is enabled in
ConditionSecurity=tpm2
Instead of succeeding when either the firmware reports a TPM device
or we find a TPM device, let's check that the firmware reports a TPM
device and the TPM subsystem is enabled in the kernel.
To check whether the subsystem enabled, we check if the relevant
subdirectory in /sys exists at all.
(cherry picked from commit 300bba79c22e4be1effe2faad0e59ac725d396a1)
Related #2138081
---
man/systemd-creds.xml | 4 ++--
src/creds/creds.c | 6 ++++--
src/shared/condition.c | 9 ++++-----
src/shared/tpm2-util.c | 6 +++++-
src/shared/tpm2-util.h | 11 ++++++-----
5 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml
index 1e5632e63d..003fbcd463 100644
--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
@@ -175,8 +175,8 @@
by the OS kernel drivers and by userspace (i.e. systemd) this prints <literal>yes</literal> and exits
with exit status zero. If no such device is discovered/supported/used, prints
<literal>no</literal>. Otherwise prints <literal>partial</literal>. In either of these two cases
- exits with non-zero exit status. It also shows three lines indicating separately whether drivers,
- firmware and the system discovered/support/use TPM2.</para>
+ exits with non-zero exit status. It also shows four lines indicating separately whether firmware,
+ drivers, the system and the kernel discovered/support/use TPM2.</para>
<para>Combine with <option>--quiet</option> to suppress the output.</para></listitem>
</varlistentry>
diff --git a/src/creds/creds.c b/src/creds/creds.c
index 5586fd776a..a755a52c34 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -637,10 +637,12 @@ static int verb_has_tpm2(int argc, char **argv, void *userdata) {
printf("%sfirmware\n"
"%sdriver\n"
- "%ssystem\n",
+ "%ssystem\n"
+ "%ssubsystem\n",
plus_minus(s & TPM2_SUPPORT_FIRMWARE),
plus_minus(s & TPM2_SUPPORT_DRIVER),
- plus_minus(s & TPM2_SUPPORT_SYSTEM));
+ plus_minus(s & TPM2_SUPPORT_SYSTEM),
+ plus_minus(s & TPM2_SUPPORT_SUBSYSTEM));
}
/* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 310ffcbdc6..a23d6a3e45 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -664,14 +664,13 @@ static int condition_test_ac_power(Condition *c, char **env) {
}
static int has_tpm2(void) {
- /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
- * class device. Alternatively, we are also happy if the firmware reports support (this is to cover
- * for cases where we simply haven't loaded the driver for it yet, i.e. during early boot where we
- * very likely want to use this condition check).
+ /* Checks whether the kernel has the TPM subsystem enabled and the firmware reports support. Note
+ * we don't check for actual TPM devices, since we might not have loaded the driver for it yet, i.e.
+ * during early boot where we very likely want to use this condition check).
*
* Note that we don't check if we ourselves are built with TPM2 support here! */
- return (tpm2_support() & (TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_FIRMWARE)) != 0;
+ return FLAGS_SET(tpm2_support(), TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE);
}
static int condition_test_security(Condition *c, char **env) {
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 13e92c4144..65e8d48347 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2189,7 +2189,11 @@ Tpm2Support tpm2_support(void) {
if (r != -ENOENT)
log_debug_errno(r, "Unable to test whether /sys/class/tpmrm/ exists and is populated, assuming it is not: %m");
} else if (r == 0) /* populated! */
- support |= TPM2_SUPPORT_DRIVER;
+ support |= TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_DRIVER;
+ else
+ /* If the directory exists but is empty, we know the subsystem is enabled but no
+ * driver has been loaded yet. */
+ support |= TPM2_SUPPORT_SUBSYSTEM;
}
if (efi_has_tpm2())
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 048c28d6ca..c240335ae6 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -137,11 +137,12 @@ typedef struct {
typedef enum Tpm2Support {
/* NOTE! The systemd-creds tool returns these flags 1:1 as exit status. Hence these flags are pretty
* much ABI! Hence, be extra careful when changing/extending these definitions. */
- TPM2_SUPPORT_NONE = 0, /* no support */
- TPM2_SUPPORT_FIRMWARE = 1 << 0, /* firmware reports TPM2 was used */
- TPM2_SUPPORT_DRIVER = 1 << 1, /* the kernel has a driver loaded for it */
- TPM2_SUPPORT_SYSTEM = 1 << 2, /* we support it ourselves */
- TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM,
+ TPM2_SUPPORT_NONE = 0, /* no support */
+ TPM2_SUPPORT_FIRMWARE = 1 << 0, /* firmware reports TPM2 was used */
+ TPM2_SUPPORT_DRIVER = 1 << 1, /* the kernel has a driver loaded for it */
+ TPM2_SUPPORT_SYSTEM = 1 << 2, /* we support it ourselves */
+ TPM2_SUPPORT_SUBSYSTEM = 1 << 3, /* the kernel has the tpm subsystem enabled */
+ TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM|TPM2_SUPPORT_SUBSYSTEM,
} Tpm2Support;
Tpm2Support tpm2_support(void);

@ -0,0 +1,26 @@
From 4cc6da9a5dfb69f149404d5a784c57bca2a21237 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 18 Jun 2024 00:09:03 +0900
Subject: [PATCH] test-network: mention that the captive portal option is
supported since v2.20
The current latest release is v2.19, hence the test is typically skipped now.
(cherry picked from commit 4f6d8ab0767e534553bfa130f39dbb07ebb804a4)
---
test/test-network/systemd-networkd-tests.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index 92cb07f11c..0355c7aca1 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -5824,6 +5824,8 @@ class NetworkdRATests(unittest.TestCase, Utilities):
self.assertIn('pref high', output)
self.assertNotIn('pref low', output)
+ # radvd supports captive portal since v2.20.
+ # https://github.com/radvd-project/radvd/commit/791179a7f730decbddb2290ef0e34aa85d71b1bc
@unittest.skipUnless(radvd_check_config('captive-portal.conf'), "Installed radvd doesn't support captive portals")
def test_captive_portal(self):
copy_network_unit('25-veth-client.netdev',

@ -0,0 +1,27 @@
From b455006ae189d4ceef4214d8d4ab2027781d37e0 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 17:40:28 +0100
Subject: [PATCH] CI: disable secure boot in mkosi GHA runs
Booting a guest with secure boot is broken in Azure due to a hypervisor
bug. Disable it for now. Given there's no option, need to edit
the configuration on the fly.
(cherry picked from commit bdd0b45bfd7190bb8eb50c71ff6f50a80d6e6e52)
---
.github/workflows/mkosi.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 425d737b62..62efd367cb 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -117,6 +117,8 @@ jobs:
- name: Configure
run: |
+ # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
+ sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
tee mkosi.local.conf <<EOF
[Distribution]
Distribution=${{ matrix.distro }}
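Review bot: The added sed rewrites every `'firmware' : 'auto'` in test/*/meson.build to `'uefi'`, which silently undoes the 'auto' fallback for non-UEFI architectures that TEST-06-SELINUX was just switched to; if the matrix ever runs on such an architecture, the test will fail the way the fallback was meant to avoid. The subject says "disable secure boot", but nothing in the hunk shows how 'uefi' differs from 'auto' in that respect, so the XXX comment should spell it out, e.g. `# XXX: 'auto' picks the secure-boot UEFI firmware where available; force plain 'uefi' (no secure boot) until the Hyper-V bug that breaks secure-boot KVM guests is fixed` — wording to be confirmed against mkosi's firmware option semantics. Since the edit is done to the checked-in build files at CI time, anyone reading the test definitions cannot see that CI runs with different firmware settings; a pointer to this workflow step from the FIXME in test/TEST-06-SELINUX/meson.build would help.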

@ -1,52 +0,0 @@
From f0839034c9910529f368e60262b5653afad58f63 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 7 Nov 2022 16:39:12 +0100
Subject: [PATCH] semaphore: remove the Semaphore repositories recursively
The list of disabled repositories was recently converted from a single
file into a directory with separate repository files, so let's adjust
the setup script accordingly.
```
$ ls -lR /etc/apt/sources.list.d/
/etc/apt/sources.list.d/:
total 36
-rw-r--r-- 1 root root 76 Nov 3 10:28 azure-cli.list
-rw-r--r-- 1 root root 72 Nov 3 10:22 bazel.list
drwxr-xr-x 2 root root 4096 Nov 3 10:31 disabled
-rw-r--r-- 1 root root 113 Nov 3 10:13 docker-source.list
-rw-r--r-- 1 root root 367 Nov 3 10:28 github_git-lfs.list
-rw-r--r-- 1 root root 111 Nov 3 10:25 google-chrome-source.list
-rw-r--r-- 1 root root 64 Nov 3 10:14 google-cloud-sdk.list
-rw-r--r-- 1 root root 54 Nov 3 10:23 helm-stable-debian.list
-rw-r--r-- 1 root root 89 Nov 3 10:29 yarn-source.list
/etc/apt/sources.list.d/disabled:
total 20
-rw-r--r-- 1 root root 100 Nov 3 10:23 devel_kubic_libcontainers_stable.list
-rw-r--r-- 1 root root 103 Nov 3 10:27 git.list
-rw-r--r-- 1 root root 105 Nov 3 10:22 gradle.list
-rw-r--r-- 1 root root 118 Nov 3 10:13 pypy.list
-rw-r--r-- 1 root root 104 Nov 3 10:13 python.list
```
(cherry picked from commit 610eb3f8260ecbb161db5186a5e27417f3110a68)
Related #2138081
---
.semaphore/semaphore-runner.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh
index 98fd7b4411..b0d32bd136 100755
--- a/.semaphore/semaphore-runner.sh
+++ b/.semaphore/semaphore-runner.sh
@@ -55,7 +55,7 @@ for phase in "${PHASES[@]}"; do
case "$phase" in
SETUP)
# remove semaphore repos, some of them don't work and cause error messages
- sudo rm -f /etc/apt/sources.list.d/*
+ sudo rm -rf /etc/apt/sources.list.d/*
# enable backports for latest LXC
echo "deb http://archive.ubuntu.com/ubuntu $UBUNTU_RELEASE-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/backports.list

@ -1,29 +0,0 @@
From c440081c968c93d527d441f4d106e0acad9540eb Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Mon, 7 Nov 2022 15:25:25 +0100
Subject: [PATCH] kernel-install/90-loaderentry: do not override an existing
systemd.machine_id
If the systemd.machine_id command line option is already set, do not override
it.
(cherry picked from commit 802d9219aa19d759113dd6cd1e91b2bb661fe9ba)
Related #2138081
---
src/kernel-install/90-loaderentry.install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install
index ea75e1b0d8..41a05534b9 100755
--- a/src/kernel-install/90-loaderentry.install
+++ b/src/kernel-install/90-loaderentry.install
@@ -85,7 +85,7 @@ BOOT_OPTIONS="${BOOT_OPTIONS% }"
# command line with the machine ID we use, so that the machine ID remains
# stable, even during factory reset, in the initrd (where the system's machine
# ID is not directly accessible yet), and if the root file system is volatile.
-if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id=$MACHINE_ID"; then
+if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id="; then
BOOT_OPTIONS="$BOOT_OPTIONS systemd.machine_id=$MACHINE_ID"
fi

@ -0,0 +1,23 @@
From d89c99c7ad165fa2471e1c5c1a3bdedab0818da9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 15:40:10 +0100
Subject: [PATCH] mkosi: bump to latest
(cherry picked from commit 3001339dc5b3faf8f8edee4c07b14a4abdf3d66f)
---
.github/workflows/mkosi.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 62efd367cb..3a8dabd95c 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -92,7 +92,7 @@ jobs:
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
+ - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location

@ -0,0 +1,23 @@
From a776dcf7af3b189f4f9616d174dbfc53a9bd6db6 Mon Sep 17 00:00:00 2001
From: Carlo Teubner <carlo@cteubner.net>
Date: Tue, 18 Jun 2024 09:41:59 +0100
Subject: [PATCH] NEWS: fix typo
(cherry picked from commit f6d517f8478bdd83b7d149b242a47d7686235c7e)
---
NEWS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index bbee0852be..da81fe3c5d 100644
--- a/NEWS
+++ b/NEWS
@@ -195,7 +195,7 @@ CHANGES WITH 256:
additional per-user service managers, whose users are transient and
are only defined as long as the service manager is running. (This is
implemented via DynamicUser=1), allowing a user manager to be used to
- manager a group of processes without needing to create an actual user
+ manage a group of processes without needing to create an actual user
account. These service managers run with home directories of
/var/lib/capsules/<capsule-name> and can contain regular services and
other units. A capsule is started via a simple "systemctl start

@ -1,28 +0,0 @@
From d1abf107c5b4c661886001de996bf03587bb35c1 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 7 Nov 2022 16:28:33 +0000
Subject: [PATCH] kernel-install: skip 50-depmod if depmod is not available
Images might be built without any kernel module, and without
installing depmod as it is not needed. Skip it.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023607
(cherry picked from commit cda4d00dfcbcd075cef95341f8a466f0c4ee8e1d)
Related #2138081
---
src/kernel-install/50-depmod.install | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/kernel-install/50-depmod.install b/src/kernel-install/50-depmod.install
index d4b991cfd6..43bd87c7ed 100755
--- a/src/kernel-install/50-depmod.install
+++ b/src/kernel-install/50-depmod.install
@@ -26,6 +26,7 @@ KERNEL_VERSION="${2:?}"
case "$COMMAND" in
add)
[ -d "/lib/modules/$KERNEL_VERSION/kernel" ] || exit 0
+ command -v depmod >/dev/null || exit 0
[ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "+depmod -a $KERNEL_VERSION"
exec depmod -a "$KERNEL_VERSION"
;;

@ -0,0 +1,69 @@
From c26e56d08f30a2946dfa1d03781c63bfa9f56c1d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Fri, 7 Jun 2024 21:39:45 +0100
Subject: [PATCH] install: allow removing symlinks even for units that are gone
If a symlink is leftover, still allow cleaning it up via 'disable'. This
happens when a unit is stopped and removed, but not disabled, and a reload
has already happened. At that point, cleaning up the old symlinks becomes
impossible through the APIs, and needs to be done manually. Always allow
cleaning up symlinks, if they exist, by only erroring out if there is an
OOM.
Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017
(cherry picked from commit 5163c9b1e56293b1bb2803420613c5b374570892)
---
src/shared/install.c | 14 ++++++++++----
test/units/TEST-26-SYSTEMCTL.sh | 6 ++++++
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/shared/install.c b/src/shared/install.c
index dd2bd5c948..c94b456c21 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal(
else {
log_debug_errno(r, "Unit %s not found, removing name.", i->name);
r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL);
- if (r < 0)
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
return r;
}
} else if (r < 0) {
@@ -2874,9 +2876,13 @@ static int do_unit_file_disable(
r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info);
if (r >= 0)
r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL);
-
- if (r < 0)
- return install_changes_add(changes, n_changes, r, *name, NULL);
+ if (r < 0) {
+ r = install_changes_add(changes, n_changes, r, *name, NULL);
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
+ return r;
+ }
/* If we enable multiple units, some with install info and others without,
* the "empty [Install] section" warning is not shown. Let's make the behavior
diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh
index ae7a5d6eb6..1471f3fd9e 100755
--- a/test/units/TEST-26-SYSTEMCTL.sh
+++ b/test/units/TEST-26-SYSTEMCTL.sh
@@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME"
systemctl help "$UNIT_NAME"
systemctl service-watchdogs
systemctl service-watchdogs "$(systemctl service-watchdogs)"
+# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers
+systemctl enable "$UNIT_NAME"
+systemctl stop "$UNIT_NAME"
+rm -f "/usr/lib/systemd/system/$UNIT_NAME"
+systemctl daemon-reload
+systemctl disable "$UNIT_NAME"
# show/set-environment
# Make sure PATH is set
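Review bot: After the second hunk tolerates -ENOENT, execution falls through with `info` as left by install_info_add()/install_info_traverse(), and the code below the hunk (not visible here) presumably inspects it; confirm that path copes with a unit whose file was not found, since the same -ENOENT can come from traversal after `info` was only partially populated. Both hunks key on the exact value -ENOENT, while the commit message says only OOM should abort; that holds only if install_changes_add() echoes back the errno it was given or returns -ENOMEM, which is worth pinning with a comment such as `/* install_changes_add() returns the errno we passed in, or -ENOMEM */` next to the check. The TEST-26 addition asserts only that `systemctl disable` exits 0; it should also assert the enablement symlink is actually gone, e.g. `test ! -L "/etc/systemd/system/<target>.wants/$UNIT_NAME"` with the target taken from the unit's [Install] section (not visible in this hunk). install_context_mark_for_removal() and do_unit_file_disable() both begin and end outside the hunks.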

@ -1,38 +0,0 @@
From 04cdbacc26c7e38d3bd684235b51c79ab64b6026 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 8 Nov 2022 11:07:02 +0100
Subject: [PATCH] man: add note that network-generator is not a generator
Also fix indentation.
(cherry picked from commit 2fa6574e835566c2aa5cbf4167ecee316f71bf98)
Related #2138081
---
man/systemd-network-generator.service.xml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/man/systemd-network-generator.service.xml b/man/systemd-network-generator.service.xml
index 6b7e2564d4..2ddeadfc54 100644
--- a/man/systemd-network-generator.service.xml
+++ b/man/systemd-network-generator.service.xml
@@ -41,10 +41,17 @@
</para>
<para>Files are generated in <filename>/run/systemd/network/</filename>.</para>
+
+ <para>Note: despite the name, this generator executes as a normal systemd service and is
+ <emphasis>not</emphasis> an implementation of the
+ <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ concept.</para>
</refsect1>
- <refsect1><title>Kernel command line options</title>
- <para>This tool understands the following options:</para>
+ <refsect1>
+ <title>Kernel command line options</title>
+
+ <para>This tool understands the following options:</para>
<variablelist class='kernel-commandline-options'>
<varlistentry>

@ -1,64 +0,0 @@
From 054da791c98fba7e11079e94c9b9fe0b1ca4e8d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 4 Nov 2022 15:48:50 +0100
Subject: [PATCH] test: fstab-generator: adjust PATH for fsck
fsck(8) is located in /usr/sib/ on Debian sid:
stdout:
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-01-dev-nfs.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-02-dhcp.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-03-dhcp6.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-04-nfs.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-05-nfs4.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-06-ipv4.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-07-ipv6.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-08-implicit-nfs.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-09-cifs.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-10-iscsi.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-11-live.input
*** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-12-dev-sdx.input
--- /dev/fd/63 2022-11-04 15:39:13.131532174 +0100
+++ /dev/fd/62 2022-11-04 15:39:13.131532174 +0100
@@ -6,3 +6,4 @@
initrd-usr-fs.target.requires
initrd-usr-fs.target.requires/sysroot.mount
sysroot.mount
+systemd-fsck-root.service
**** Unexpected output for /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-12-dev-sdx.input
stderr:
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on NFS was requested.
Skipping root directory handling, as root on CIFS was requested.
Skipping root directory handling, as root on iSCSI was requested.
Skipping root directory handling, as root on live image was requested.
Found entry what=/dev/sdx1 where=/sysroot type=n/a opts=ro
Checking was requested for /dev/sdx1, but the fsck command does not exist.
(cherry picked from commit a45efc9e4b574a85176610496f2ac7ae769364bb)
Related #2138081
---
test/test-fstab-generator.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/test/test-fstab-generator.sh b/test/test-fstab-generator.sh
index 0c977645e3..7c060dfac7 100755
--- a/test/test-fstab-generator.sh
+++ b/test/test-fstab-generator.sh
@@ -14,6 +14,9 @@ fi
src="$(dirname "$0")/testdata/test-fstab-generator"
+# fsck(8) is located in /usr/sbin on Debian
+PATH=$PATH:/usr/sbin
+
for f in "$src"/test-*.input; do
echo "*** Running $f"

@ -0,0 +1,35 @@
From 90ec0265707d381ed8cc77de475cd963686eaba3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:54:33 +0200
Subject: [PATCH] tmpfiles: honour --dry-run when removing directories
(cherry picked from commit edeceb80a91e8400e8c22f08a41045a2ba270fe6)
---
src/tmpfiles/tmpfiles.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 807925f199..283be21d16 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -3024,10 +3024,16 @@ static int remove_recursive(
return r;
if (remove_instance) {
- log_debug("Removing directory \"%s\".", instance);
- r = RET_NERRNO(rmdir(instance));
- if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY))
- return log_error_errno(r, "Failed to remove %s: %m", instance);
+ log_action("Would remove", "Removing", "%s directory \"%s\".", instance);
+ if (!arg_dry_run) {
+ r = RET_NERRNO(rmdir(instance));
+ if (r < 0) {
+ bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY);
+ log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance);
+ if (fatal)
+ return r;
+ }
+ }
}
return 0;
}
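Review bot: The non-fatal set in the new `bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY);` line is carried over from the removed check but still has no explanation, and now that the failure is demoted to LOG_DEBUG a reader gets even less of a hint why exactly those two errnos are tolerated. A comment above that line such as `/* Already gone, or the directory still holds entries this configuration did not create: not an error here. */` would record the intent; the ENOTEMPTY rationale is my inference from the surrounding removal logic, so confirm it before committing the wording. The `log_action()` format `"%s directory \"%s\"."` depends on the macro supplying the "Would remove"/"Removing" verb as the first argument, which is not visible in this hunk. remove_recursive() begins before the hunk, so its signature and the earlier error paths are not under review here.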

@ -1,30 +0,0 @@
From ba5d26d85d0c4250b10a46a5c9cd3a3e1f0ce43b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 4 Nov 2022 19:36:31 +0100
Subject: [PATCH] loop-util: open lock fd read-only
flock(2) works with file descriptors opened with O_RDONLY.
This affects SELinux systems where access to block devices is quite
restricted to avoid bypasses on filesystem objects.
(cherry picked from commit 3e6b7d2626de9c0faf8b34b2629e8d6d8fa85a7d)
Related #2138081
---
src/shared/loop-util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c
index 731ce29112..fb7e80b1b5 100644
--- a/src/shared/loop-util.c
+++ b/src/shared/loop-util.c
@@ -77,7 +77,7 @@ static int open_lock_fd(int primary_fd, int operation) {
assert(primary_fd >= 0);
assert(IN_SET(operation & ~LOCK_NB, LOCK_SH, LOCK_EX));
- lock_fd = fd_reopen(primary_fd, O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
+ lock_fd = fd_reopen(primary_fd, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
if (lock_fd < 0)
return lock_fd;

@ -0,0 +1,68 @@
From e76015738942246db70f444b3567afd1b132f824 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:55:20 +0200
Subject: [PATCH] tmpfiles: insist on at least one configuration file being
specified on --purge
Also, extend the man page explanation substantially, matching more
closely what --create says.
Fixes: #33349
(cherry picked from commit 41064a3c97c9a53c97bbe8a1de799a82c4374a2d)
---
man/systemd-tmpfiles.xml | 26 ++++++++++++++++++++------
src/tmpfiles/tmpfiles.c | 4 ++++
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 9767aead85..2a494b9c5c 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -151,12 +151,26 @@
<varlistentry>
<term><option>--purge</option></term>
- <listitem><para>If this option is passed, all files and directories created by a
- <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
- <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
- (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
- to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
- and directories will be deleted.</para>
+
+ <listitem><para>If this option is passed, all files and directories marked for
+ <emphasis>creation</emphasis> by the <filename>tmpfiles.d/</filename> files specified on the command
+ line will be <emphasis>deleted</emphasis>. Specifically, this acts on all files and directories
+ marked with <varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
+ <varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>,
+ <varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>,
+ <varname>w</varname>, <varname>e</varname>. If this switch is used at least one
+ <filename>tmpfiles.d/</filename> file (or <filename>-</filename> for standard input) must be
+ specified on the command line or the invocation will be refused, for safety reasons (as otherwise
+ much of the installed system files might be removed).</para>
+
+ <para>The primary usecase for this option is to automatically remove files and directories that
+ originally have been created on behalf of an installed packaged at package removal time.</para>
+
+ <para>It is recommended to first run this command in combination with <option>--dry-run</option>
+ (see below) to verify which files and directories will be deleted.</para>
+
+ <para><emphasis>Warning!</emphasis> This is is usually not the command you want! In most cases
+ <option>--remove</option> is what you are looking for.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 283be21d16..1704197207 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4344,6 +4344,10 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"You need to specify at least one of --clean, --create, --remove, or --purge.");
+ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Refusing --purge without specification of a configuration file.");
+
if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --replace= is not supported with --cat-config/--tldr.");

@ -1,30 +0,0 @@
From ca92c2e035d5702f23f9a8d1cd705425b5605822 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 7 Nov 2022 11:55:29 +0100
Subject: [PATCH] test: don't ignore non-existent paths in inst_recursive()
The process substitution in the while loop hides errors raised by the
find utility, which might (and did), in turn, hide errors in test setup.
(cherry picked from commit eb5d7730e1b3b1bddecb80be37e5a4c938183f61)
Related #2138081
---
test/test-functions | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/test/test-functions b/test/test-functions
index 16d9da637b..80ce383e64 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -2773,6 +2773,10 @@ inst_recursive() {
local p item
for p in "$@"; do
+ # Make sure the source exists, as the process substitution below
+ # suppresses errors
+ stat "$p" >/dev/null || return 1
+
while read -r item; do
if [[ -d "$item" ]]; then
inst_dir "$item"

@ -0,0 +1,37 @@
From 08b8237303efdf072a0f61615b7f1633eafc8e0a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:56:15 +0200
Subject: [PATCH] tmpfiles: move --purge to command section in --help text
where it belongs
Also, make contrast between --remove and --purge clearer: one deletes
files marked for deletion, the other deletes files marked for creation.
(cherry picked from commit 69d76823ce6e9c307184946ed55b207eb728e625)
---
src/tmpfiles/tmpfiles.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 1704197207..8cc8c1ccd6 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4148,7 +4148,9 @@ static int help(void) {
"\n%3$sCommands:%4$s\n"
" --create Create files and directories\n"
" --clean Clean up files and directories\n"
- " --remove Remove files and directories\n"
+ " --remove Remove files and directories marked for removal\n"
+ " --purge Delete files and directories marked for creation in\n"
+ " specified configuration files (careful!)\n"
" -h --help Show this help\n"
" --version Show package version\n"
"\n%3$sOptions:%4$s\n"
@@ -4157,7 +4159,6 @@ static int help(void) {
" --tldr Show non-comment parts of configuration\n"
" --boot Execute actions only safe at boot\n"
" --graceful Quietly ignore unknown users or groups\n"
- " --purge Delete all files owned by the configuration files\n"
" --prefix=PATH Only apply rules with the specified prefix\n"
" --exclude-prefix=PATH Ignore rules with the specified prefix\n"
" -E Ignore rules prefixed with /dev, /proc, /run, /sys\n"

@ -0,0 +1,37 @@
From 7b18adadde58798a895366105c6c1517231029d9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Tue, 18 Jun 2024 13:35:32 +0100
Subject: [PATCH] mkosi: restrict noble-backports to noble builds
Follow-up for c01cb8cbff8512b65b7903b55f78c8d12661b8d7
(cherry picked from commit f97b243edfcae211aade6ceb2fd89ae9d9209fac)
---
.../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 1 +
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 1 +
2 files changed, 2 insertions(+)
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
index 0ec4807822..582f038b5f 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
@@ -4,6 +4,7 @@
[Match]
Architecture=!x86-64
Architecture=!x86
+Release=noble
[Distribution]
PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
index c08eeac337..7347be9069 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
@@ -4,6 +4,7 @@
[Match]
Architecture=|x86-64
Architecture=|x86
+Release=noble
[Distribution]
PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources

@ -1,46 +0,0 @@
From ea8b80cdc0dfd0ad92301a0e421df4d3110fe09c Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 7 Nov 2022 11:57:59 +0100
Subject: [PATCH] test: fix locale installation when locale-gen is used
locale-gen might merge all compiled locales into a simple archive, so we
need to install it as well if necessary.
(cherry picked from commit 0c416ea01bc14adff10f4fc5415a36bd2d48f604)
Related #2138081
---
test/test-functions | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/test/test-functions b/test/test-functions
index 80ce383e64..45ca472916 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1988,14 +1988,19 @@ install_locales() {
inst /usr/share/i18n/SUPPORTED || :
inst_recursive /usr/share/i18n/charmaps
inst_recursive /usr/share/i18n/locales
- inst_recursive /usr/share/locale/en
- inst_recursive /usr/share/locale/en_*
+ inst_recursive /usr/share/locale/en*
+ inst_recursive /usr/share/locale/de*
+ image_install /usr/share/locale/locale.alias
+ # locale-gen might either generate each locale separately or merge them
+ # into a single archive
+ if ! (inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8 ||
+ image_install /usr/lib/locale/locale-archive); then
+ dfatal "Failed to install required locales"
+ exit 1
+ fi
+ else
+ inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8
fi
-
- inst_recursive /usr/lib/locale/C.utf8
- inst_recursive /usr/lib/locale/C.UTF-8
- inst_recursive /usr/lib/locale/en_*.utf8
- inst_recursive /usr/lib/locale/en_*.UTF-8
}
# shellcheck disable=SC2120

@ -0,0 +1,22 @@
From f8f669fd69bf15f386308ef8f4cbbbd5a7ad69cd Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Tue, 18 Jun 2024 14:07:50 +0200
Subject: [PATCH] repart: fix memory leak
(cherry picked from commit a81f5ffd40081441dafc678fe83d185436dde35a)
---
src/partition/repart.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 78cf60f724..8f64520ee7 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep);
STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep);
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep);

@ -1,71 +0,0 @@
From bec9d65390249d4e88f5095e751283645a2a4c08 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 7 Nov 2022 12:07:27 +0100
Subject: [PATCH] test: fix keymaps installation on Arch
Where the keymaps live under /usr/share/kbd/keymaps/.
(cherry picked from commit 1edad89399e7cbee230878589ac618103c157ec7)
Related #2138081
---
test/test-functions | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/test/test-functions b/test/test-functions
index 45ca472916..194cd682bb 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -2007,7 +2007,8 @@ install_locales() {
install_keymaps() {
local i p
local -a prefix=(
- "/usr"
+ "/usr/lib"
+ "/usr/share"
)
dinfo "Install console keymaps"
@@ -2016,7 +2017,7 @@ install_keymaps() {
&& [[ "$(meson configure "${BUILD_DIR:?}" | grep 'split-usr' | awk '{ print $2 }')" == "true" ]] \
|| [[ ! -L /lib ]]; then
prefix+=(
- ""
+ "/lib"
)
fi
@@ -2025,12 +2026,12 @@ install_keymaps() {
# The first three paths may be deprecated.
# It seems now the last three paths are used by many distributions.
for i in \
- "$p"/lib/kbd/keymaps/include/* \
- "$p"/lib/kbd/keymaps/i386/include/* \
- "$p"/lib/kbd/keymaps/i386/qwerty/us.* \
- "$p"/lib/kbd/keymaps/legacy/include/* \
- "$p"/lib/kbd/keymaps/legacy/i386/qwerty/us.* \
- "$p"/lib/kbd/keymaps/xkb/us*; do
+ "$p"/kbd/keymaps/include/* \
+ "$p"/kbd/keymaps/i386/include/* \
+ "$p"/kbd/keymaps/i386/qwerty/us.* \
+ "$p"/kbd/keymaps/legacy/include/* \
+ "$p"/kbd/keymaps/legacy/i386/qwerty/us.* \
+ "$p"/kbd/keymaps/xkb/us*; do
[[ -f "$i" ]] || continue
inst "$i"
done
@@ -2039,10 +2040,10 @@ install_keymaps() {
# When it takes any argument, then install more keymaps.
for p in "${prefix[@]}"; do
for i in \
- "$p"/lib/kbd/keymaps/include/* \
- "$p"/lib/kbd/keymaps/i386/*/* \
- "$p"/lib/kbd/keymaps/legacy/i386/*/* \
- "$p"/lib/kbd/keymaps/xkb/*; do
+ "$p"/kbd/keymaps/include/* \
+ "$p"/kbd/keymaps/i386/*/* \
+ "$p"/kbd/keymaps/legacy/i386/*/* \
+ "$p"/kbd/keymaps/xkb/*; do
[[ -f "$i" ]] || continue
inst "$i"
done

@ -0,0 +1,42 @@
From 34ba18b0124407403690738b46fbd6236fe65c92 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 18 Jun 2024 17:55:31 +0900
Subject: [PATCH] logs-show: do not use _SOURCE_MONOTONIC_TIMESTAMP field
The timestamp is not in CLOCK_MONOTONIC, but CLOCK_BOOTTIME,
while header monotonic timestamp is in CLOCK_MONOTONIC. Hence, we cannot
adjust timestamp by comparing with header monotonic timestamp and
_SOURCE_MONOTONIC_TIMESTAMP field.
Fixes a regression caused by affde1d7e79a634ee6053dbd4a57b3b51b74c170.
Fixes #33293.
(cherry picked from commit 144498e7e6efe2d90981cb14e3ed462a70a955c6)
---
src/shared/logs-show.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index c71c868889..153a4110ce 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -450,6 +450,9 @@ static void parse_display_realtime(
assert(j);
assert(ret);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
/* First, try _SOURCE_REALTIME_TIMESTAMP. */
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) {
*ret = t;
@@ -488,6 +491,9 @@ static void parse_display_timestamp(
assert(ret_display_ts);
assert(ret_boot_id);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t))
source_ts.realtime = t;
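Review bot: Both hunks disable the `_SOURCE_MONOTONIC_TIMESTAMP` path by overwriting the `source_monotonic` parameter with NULL at function entry, which leaves the parameter in the signature and, presumably, the code that consumed it further down as unreachable; if the field is not going to be used again, removing the parameter from parse_display_realtime() and parse_display_timestamp() and their callers would make the intent explicit instead of relying on a FIXME. The added comments use `//` whereas the surrounding lines in the same hunks use `/* ... */`, so `/* FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime. */` would match the file's style. Both functions start before their hunks, so the declarations of `source_monotonic` and the later uses are not visible here.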

@ -1,43 +0,0 @@
From d63a1edb6bef959e8d6a481464a809badcc3a2eb Mon Sep 17 00:00:00 2001
From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Date: Mon, 7 Nov 2022 08:38:58 +0100
Subject: [PATCH] test: compile test-utmp.c only if UTMP is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When compiling with -D utmp=false the compilation fails with:
../../git/systemd/src/test/test-utmp.c: In function test_dump_run_utmp:
../../git/systemd/src/test/test-utmp.c:21:9: error: cleanup argument not a function
21 | _unused_ _cleanup_(utxent_cleanup) bool utmpx = false;
| ^~~~~~~~
../../git/systemd/src/test/test-utmp.c:23:17: error: implicit declaration of function utxent_start [-Werror=implicit-function-declaration]
23 | utmpx = utxent_start();
| ^~~~~~~~~~~~
any many other errors
Add a conditional to compile test-utmp.c only if ENABLE_UTMP is true.
(cherry picked from commit 41cac2a8b98fc5faebe942c697b17e109822342d)
Related: #2138081
---
src/test/meson.build | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/test/meson.build b/src/test/meson.build
index 86fc1d4fc0..2a4dfe26db 100644
--- a/src/test/meson.build
+++ b/src/test/meson.build
@@ -622,7 +622,8 @@ tests += [
[files('test-journal-importer.c')],
- [files('test-utmp.c')],
+ [files('test-utmp.c'),
+ [], [], [], 'ENABLE_UTMP'],
[files('test-udev.c'),
[libudevd_core,

@ -0,0 +1,98 @@
From 67ff61b054e8d4d4d3923c3b81586b2d4e286d6b Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 16 May 2024 14:24:38 +0200
Subject: [PATCH] ci: update workflows to run on source-git setup
rhel-only: ci
Related: RHEL-36636
---
.github/workflows/cflite_pr.yml | 3 ---
.github/workflows/codeql.yml | 6 ------
.github/workflows/differential-shellcheck.yml | 4 ----
.github/workflows/linter.yml | 3 ---
.github/workflows/unit_tests.yml | 3 ---
5 files changed, 19 deletions(-)
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
index f0d321794a..87dcd3c478 100644
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@@ -5,9 +5,6 @@
name: ClusterFuzzLite PR fuzzing
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
permissions: read-all
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0d284f75f1..daf34486d2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -6,9 +6,6 @@ name: "CodeQL"
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
paths:
- '**/meson.build'
- '.github/**/codeql*'
@@ -16,9 +13,6 @@ on:
- 'test/**'
- 'tools/**'
push:
- branches:
- - main
- - v[0-9]+-stable
permissions:
contents: read
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index 244f5d503b..403b5cfc58 100644
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -4,11 +4,7 @@
name: Differential ShellCheck
on:
push:
- branches:
- - main
pull_request:
- branches:
- - main
permissions:
contents: read
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index cf0bc09453..e7fb70f2f5 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -6,9 +6,6 @@ name: Lint Code Base
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
permissions:
contents: read
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 895068c2a2..bf6c820092 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -5,9 +5,6 @@
name: Unit tests
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
permissions:
contents: read

@ -0,0 +1,282 @@
From 67b16d23396d9837f878850e890f90228d59d49e Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 16 May 2024 14:36:04 +0200
Subject: [PATCH] ci: setup source-git automation
rhel-only: ci
Related: RHEL-36636
---
.github/advanced-commit-linter.yml | 17 +++++
.github/auto-merge.yml | 4 ++
.github/pull-request-validator.yml | 4 ++
.github/regression-sniffer.yml | 1 +
.github/tracker-validator.yml | 31 ++++++++
.github/workflows/gather-pr-metadata.yml | 12 ++--
.../source-git-automation-on-demand.yml | 72 +++++++++++++++++++
.github/workflows/source-git-automation.yml | 45 ++++++++++++
8 files changed, 179 insertions(+), 7 deletions(-)
create mode 100644 .github/advanced-commit-linter.yml
create mode 100644 .github/auto-merge.yml
create mode 100644 .github/pull-request-validator.yml
create mode 100644 .github/regression-sniffer.yml
create mode 100644 .github/tracker-validator.yml
create mode 100644 .github/workflows/source-git-automation-on-demand.yml
create mode 100644 .github/workflows/source-git-automation.yml
diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
new file mode 100644
index 0000000000..3609fe4612
--- /dev/null
+++ b/.github/advanced-commit-linter.yml
@@ -0,0 +1,17 @@
+policy:
+ cherry-pick:
+ upstream:
+ - github: systemd/systemd
+ exception:
+ note:
+ - rhel-only
+ - RHEL-only
+ tracker:
+ - keyword:
+ - 'Resolves: '
+ - 'Related: '
+ - 'Reverts: '
+ type: jira
+ issue-format:
+ - 'RHEL-\d+$'
+ url: 'https://issues.redhat.com/browse/'
diff --git a/.github/auto-merge.yml b/.github/auto-merge.yml
new file mode 100644
index 0000000000..35c2539295
--- /dev/null
+++ b/.github/auto-merge.yml
@@ -0,0 +1,4 @@
+labels:
+ dont-merge: dont-merge
+ manual-merge: pr/needs-manual-merge
+target-branch': ['main']
diff --git a/.github/pull-request-validator.yml b/.github/pull-request-validator.yml
new file mode 100644
index 0000000000..4bb5bbec12
--- /dev/null
+++ b/.github/pull-request-validator.yml
@@ -0,0 +1,4 @@
+labels:
+ missing-review: pr/needs-review
+ changes-requested: pr/changes-requested
+ missing-failing-ci: pr/needs-ci
diff --git a/.github/regression-sniffer.yml b/.github/regression-sniffer.yml
new file mode 100644
index 0000000000..3824028e92
--- /dev/null
+++ b/.github/regression-sniffer.yml
@@ -0,0 +1 @@
+upstream: systemd/systemd
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
new file mode 100644
index 0000000000..2e858606ff
--- /dev/null
+++ b/.github/tracker-validator.yml
@@ -0,0 +1,31 @@
+labels:
+ missing-tracker: tracker/missing
+ invalid-product: tracker/invalid-product
+ invalid-component: tracker/invalid-component
+ unapproved: tracker/unapproved
+products:
+ - Red Hat Enterprise Linux 10
+ - CentOS Stream 10
+ - rhel-10.0.beta
+ - rhel-10.0
+ - rhel-10.0.z
+ - rhel-10.1
+ - rhel-10.1.z
+ - rhel-10.2
+ - rhel-10.2.z
+ - rhel-10.3
+ - rhel-10.3.z
+ - rhel-10.4
+ - rhel-10.4.z
+ - rhel-10.5
+ - rhel-10.5.z
+ - rhel-10.6
+ - rhel-10.6.z
+ - rhel-10.7
+ - rhel-10.7.z
+ - rhel-10.8
+ - rhel-10.8.z
+ - rhel-10.9
+ - rhel-10.9.z
+ - rhel-10.10
+ - rhel-10.10.z
diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
index e4a0caff03..857689a37b 100644
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -1,18 +1,17 @@
---
-
name: Gather Pull Request Metadata
on:
pull_request:
- branches: [ main ]
+ types: [ opened, reopened, synchronize ]
+ branches: [ main, rhel-10.0.beta, rhel-10.* ]
permissions:
contents: read
jobs:
gather-metadata:
- if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-24.04
+ runs-on: ubuntu-latest
steps:
- name: Repository checkout
@@ -20,11 +19,10 @@ jobs:
- id: metadata
name: Gather Pull Request Metadata
- uses: redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b
+ uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1
- name: Upload Pull Request Metadata artifact
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+ uses: actions/upload-artifact@v4
with:
name: Pull Request Metadata
path: ${{ steps.metadata.outputs.metadata-file }}
- retention-days: 1
diff --git a/.github/workflows/source-git-automation-on-demand.yml b/.github/workflows/source-git-automation-on-demand.yml
new file mode 100644
index 0000000000..af9ea781f6
--- /dev/null
+++ b/.github/workflows/source-git-automation-on-demand.yml
@@ -0,0 +1,72 @@
+name: Source git Automation Scheduled/On Demand
+on:
+ schedule:
+ # Workflow runs every 45 minutes
+ - cron: '*/45 * * * *'
+ workflow_dispatch:
+ inputs:
+ pr-number:
+ description: 'Pull Request number/s ; when not provided, the workflow will run for all open PRs'
+ required: true
+ default: '0'
+
+permissions:
+ contents: read
+
+jobs:
+ # Get all open PRs
+ gather-pull-requests:
+ if: github.repository == 'redhat-plumbers/systemd-rhel10'
+ runs-on: ubuntu-latest
+
+ outputs:
+ pr-numbers: ${{ steps.get-pr-numbers.outputs.result }}
+ pr-numbers-manual: ${{ steps.parse-manual-input.outputs.result }}
+
+ steps:
+ - id: get-pr-numbers
+ if: inputs.pr-number == '0'
+ name: Get all open PRs
+ uses: actions/github-script@v6
+ with:
+ # !FIXME: this is not working if there is more than 100 PRs opened
+ script: |
+ const { data: pullRequests } = await github.rest.pulls.list({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'open',
+ per_page: 100
+ });
+ return pullRequests.map(pr => pr.number);
+
+ - id: parse-manual-input
+ if: inputs.pr-number != '0'
+ name: Parse manual input
+ run: |
+ # shellcheck disable=SC2086
+ echo "result="[ ${{ inputs.pr-number }} ]"" >> $GITHUB_OUTPUT
+ shell: bash
+
+ validate-pr:
+ name: 'Validation of Pull Request #${{ matrix.pr-number }}'
+ needs: [ gather-pull-requests ]
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ pr-number: ${{ inputs.pr-number == 0 && fromJSON(needs.gather-pull-requests.outputs.pr-numbers) || fromJSON(needs.gather-pull-requests.outputs.pr-numbers-manual) }}
+
+ permissions:
+ # required for merging PRs
+ contents: write
+ # required for PR comments and setting labels
+ pull-requests: write
+
+ steps:
+ - name: Source-git Automation
+ uses: redhat-plumbers-in-action/source-git-automation@v1
+ with:
+ pr-number: ${{ matrix.pr-number }}
+ jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/source-git-automation.yml b/.github/workflows/source-git-automation.yml
new file mode 100644
index 0000000000..d58242efa7
--- /dev/null
+++ b/.github/workflows/source-git-automation.yml
@@ -0,0 +1,45 @@
+name: Source git Automation
+on:
+ workflow_run:
+ workflows: [ Gather Pull Request Metadata ]
+ types:
+ - completed
+
+permissions:
+ contents: read
+
+jobs:
+ download-metadata:
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success' &&
+ github.repository == 'redhat-plumbers/systemd-rhel10'
+ runs-on: ubuntu-latest
+
+ outputs:
+ pr-metadata: ${{ steps.Artifact.outputs.pr-metadata-json }}
+
+ steps:
+ - id: Artifact
+ name: Download Artifact
+ uses: redhat-plumbers-in-action/download-artifact@v1
+ with:
+ name: Pull Request Metadata
+
+ source-git-automation:
+ needs: [ download-metadata ]
+ runs-on: ubuntu-latest
+
+ permissions:
+ # required for merging PRs
+ contents: write
+ # required for PR comments and setting labels
+ pull-requests: write
+
+ steps:
+ - name: Source-git Automation
+ uses: redhat-plumbers-in-action/source-git-automation@v1
+ with:
+ pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }}
+ jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
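Review bot: The gather-pr-metadata.yml hunk replaces the full commit-SHA pins on `redhat-plumbers-in-action/gather-pull-request-metadata` and `actions/upload-artifact` with floating tags (`@v1`, `@v4`), and both new workflows use floating tags too while running with `contents: write`, `pull-requests: write` and `secrets.JIRA_API_TOKEN`; pinning every `uses:` line to a full commit SHA keeps a retagged or compromised action release from executing with those grants. In auto-merge.yml the line `target-branch': ['main']` carries a stray apostrophe, so the key will be read as `target-branch'` rather than `target-branch`. In source-git-automation-on-demand.yml the `run:` step interpolates `${{ inputs.pr-number }}` straight into the shell command; passing it via `env: PR_NUMBER: ${{ inputs.pr-number }}` and writing `echo "result=[ $PR_NUMBER ]" >> "$GITHUB_OUTPUT"` avoids the expression-injection pattern, even though workflow_dispatch inputs are normally limited to collaborators. The same file compares `inputs.pr-number` with `'0'` in the step conditions but with `0` in the matrix expression; using one form in both places makes the scheduled-run path, where the input is unset, easier to reason about.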

@ -1,46 +0,0 @@
From 31f0c1b06bfd90d52009b59b9a4bf26c297790a7 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 14 Nov 2022 17:26:49 +0100
Subject: [PATCH] tpm2-util: force default TCTI to be "device" with parameter
"/dev/tpmrm0"
Apparently some distros default to tss-abmrd. Let's bypass that and
always go to the kernel resource manager.
abmrd cannot really work for us, since we want to access the TPM already
in earliest boot i.e. in environments the abmrd service is not available
in.
Fixes: #25352
(cherry picked from commit 34906680afe60d724ea435b79b9b830a4bf2e7e9)
Related: #2138081
---
src/shared/tpm2-util.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 65e8d48347..9d73316146 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -152,8 +152,19 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) {
if (r < 0)
return log_error_errno(r, "TPM2 support not installed: %m");
- if (!device)
+ if (!device) {
device = secure_getenv("SYSTEMD_TPM2_DEVICE");
+ if (device)
+ /* Setting the env var to an empty string forces tpm2-tss' own device picking
+ * logic to be used. */
+ device = empty_to_null(device);
+ else
+ /* If nothing was specified explicitly, we'll use a hardcoded default: the "device" tcti
+ * driver and the "/dev/tpmrm0" device. We do this since on some distributions the tpm2-abrmd
+ * might be used and we really don't want that, since it is a system service and that creates
+ * various ordering issues/deadlocks during early boot. */
+ device = "device:/dev/tpmrm0";
+ }
if (device) {
const char *param, *driver, *fn;

@ -0,0 +1,78 @@
From ecae988291383e13e5b23b5d7a4a1f8a7d6736dc Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 16 May 2024 15:14:17 +0200
Subject: [PATCH] ci: deploy systemd man to GitHub Pages
rhel-only: ci
Related: RHEL-36636
---
.github/workflows/deploy-man-pages.yml | 59 ++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 .github/workflows/deploy-man-pages.yml
diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml
new file mode 100644
index 0000000000..9739228a87
--- /dev/null
+++ b/.github/workflows/deploy-man-pages.yml
@@ -0,0 +1,59 @@
+name: Deploy systemd man to Pages
+
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - man/*
+ - .github/workflows/deploy-man-pages.yml
+ schedule:
+ # Run every Monday at 4:00 AM UTC
+ - cron: 0 4 * * 1
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: pages
+ cancel-in-progress: false
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+
+ permissions:
+ pages: write
+ id-token: write
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: |
+ sudo add-apt-repository -y --no-update --enable-source
+ sudo apt-get -y update
+ sudo apt-get -y build-dep systemd
+
+ - name: Build HTML man pages
+ run: |
+ meson setup build
+ ninja -C build man/html
+
+ - name: Setup Pages
+ uses: actions/configure-pages@v4
+
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./build/man
+
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
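Review bot: The `deploy` job has no `if: github.repository == ...` guard, unlike the source-git automation workflows added in this series, so the weekly `schedule` trigger will also fire in every fork and attempt a Pages deployment holding `pages: write` and `id-token: write`; adding `if: github.repository == 'redhat-plumbers/systemd-rhel10'` to the job (that is the value the sibling workflows use — confirm it is the intended repository) confines it to the canonical repository. The `uses:` lines are floating tags (`actions/checkout@v4`, `actions/configure-pages@v4`, `actions/upload-pages-artifact@v3`, `actions/deploy-pages@v4`); a full commit-SHA pin is preferable for a job that mints an OIDC token. The `push` trigger is limited to `branches: [ main ]` while the other new workflows also match `rhel-10.*` branches, so if man pages are maintained on the rhel branches this workflow would only ever run on its schedule — worth confirming.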

@ -1,52 +0,0 @@
From 5b20ba25259da453a2aac5e65978a11bc2d048ed Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 15 Nov 2022 23:01:04 +0100
Subject: [PATCH] tpm2: add some extra validation of device string before using
it
Let's add some extra validation before constructing and using the .so
name to load. This isn't really security sensitive, given that we
used secure_getenv() to get the device string (and it thus should have
been come from a trusted source) but let's better be safe than sorry.
(cherry picked from commit 50a085143fa8f5dd6b6b3cef8a6ea2ec7c53ed0d)
Related: #2138081
---
src/shared/tpm2-util.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 9d73316146..4d0df944a9 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -174,15 +174,27 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) {
param = strchr(device, ':');
if (param) {
+ /* Syntax #1: Pair of driver string and arbitrary parameter */
driver = strndupa_safe(device, param - device);
+ if (isempty(driver))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing.");
+
param++;
- } else {
+ } else if (path_is_absolute(device) && path_is_valid(device)) {
+ /* Syntax #2: TPM device node */
driver = "device";
param = device;
- }
+ } else
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing.");
+
+ log_debug("Using TPM2 TCTI driver '%s' with device '%s'.", driver, param);
fn = strjoina("libtss2-tcti-", driver, ".so.0");
+ /* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
+ if (!filename_is_valid(fn))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
+
dl = dlopen(fn, RTLD_NOW);
if (!dl)
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror());

@ -1,25 +0,0 @@
From 2fdb15b3053d20282d7f3c20a7a4d2bd96d9a39b Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Sun, 13 Nov 2022 16:14:17 +0100
Subject: [PATCH] boot: Fix error message
(cherry picked from commit 6ee4aa22140dd8d51b1a18882eb4220629b8dd8f)
Related: #2138081
---
src/boot/efi/boot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index 4150b16ecf..84f4cc11a3 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2678,7 +2678,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
err = device_path_to_str(loaded_image->FilePath, &loaded_image_path);
if (err != EFI_SUCCESS)
- return log_error_status_stall(err, L"Error getting loaded image path: %m");
+ return log_error_status_stall(err, L"Error getting loaded image path: %r", err);
export_variables(loaded_image, loaded_image_path, init_usec);

@ -0,0 +1,61 @@
From 970ac707323ce1b50c6f45184df4373d651e669c Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 17 May 2024 13:55:40 +0200
Subject: [PATCH] ci: reconfigure Packit for RHEL 10
rhel-only: ci
Related: RHEL-36636
---
.packit.yml | 28 +++++++++-------------------
1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/.packit.yml b/.packit.yml
index 2dcc9e86ca..340c6992ec 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -24,14 +24,12 @@ actions:
- "bash -ec 'git describe --tags --abbrev=0 | cut -b 2-'"
post-upstream-clone:
- # Use the Fedora Rawhide specfile
- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1"
+ # Use the CentOS Stream 10 specfile
+ - "git clone -b c10s https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1"
# Drop the "sources" file so rebase-helper doesn't think we're a dist-git
- "rm -fv .packit_rpm/sources"
- # Drop backported patches from the specfile, but keep the downstream-only ones
- # - Patch(0000-0499): backported patches from upstream
- # - Patch0500-9999: downstream-only patches
- - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec"
+ # Drop all patches, since they're already included in the tarball
+ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec"
# Build the RPM with --werror. Even though --werror doesn't work in all
# cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the
# RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]).
@@ -45,20 +43,12 @@ actions:
# until the change propagates to Rawhide's specfile
- "sed -ri '0,/^BuildRequires: .+$/s//&\\nBuildRequires: libarchive-devel\\nRequires: libarchive/' .packit_rpm/systemd.spec"
+# Available targets can be listed via `copr-cli list-chroots`
jobs:
- job: copr_build
trigger: pull_request
targets:
- - fedora-rawhide-aarch64
- - fedora-rawhide-i386
- - fedora-rawhide-ppc64le
- - fedora-rawhide-s390x
- - fedora-rawhide-x86_64
-
-- job: tests
- trigger: pull_request
- fmf_url: https://src.fedoraproject.org/tests/systemd
- fmf_ref: main
- tmt_plan: ci
- targets:
- - fedora-rawhide-x86_64
+ - centos-stream-10-aarch64
+ - centos-stream-10-ppc64le
+ - centos-stream-10-s390x
+ - centos-stream-10-x86_64
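Review bot: The context comment `# until the change propagates to Rawhide's specfile` just above the libarchive sed is now stale, since the first hunk switches the spec source from Fedora Rawhide to the CentOS Stream `c10s` branch; suggest `# until the change propagates to the c10s specfile`. The clone at `git clone -b c10s ... --depth=1` tracks the branch head rather than a fixed revision, so a CI result can change with no change to this repository; that is the usual Packit arrangement, but a one-line comment saying the spec is taken from the branch head would save whoever debugs such a run. The new `sed -ri '/^Patch[0-9]+:/d'` relies on `-r` for the `+` quantifier, which is present, so that line is fine as written.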

@ -1,25 +0,0 @@
From 58a3aaaad640bee3cca79a644422489e184b49c1 Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Mon, 14 Nov 2022 14:18:26 +0100
Subject: [PATCH] boot: Fix memory leak
(cherry picked from commit b7b327f856b3782f28be561d612d66ff406c7789)
Related: #2138081
---
src/boot/efi/boot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index 84f4cc11a3..17d4ec2d09 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2650,7 +2650,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
EFI_LOADED_IMAGE_PROTOCOL *loaded_image;
_cleanup_(file_closep) EFI_FILE *root_dir = NULL;
_cleanup_(config_free) Config config = {};
- char16_t *loaded_image_path;
+ _cleanup_free_ char16_t *loaded_image_path = NULL;
EFI_STATUS err;
uint64_t init_usec;
bool menu = false;

@ -0,0 +1,37 @@
From 517bf132e5508a2ac140dbea3650e89205dee052 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 21 Jun 2024 16:15:24 +0200
Subject: [PATCH] ci: allow to pass parameters together with rhel-only note
Supported parameters:
* feature - for feature related commits (cross-version)
* bugfix - for bugfix related commits (cross-version)
* doc - for documentation related commits (usually version specific)
* workaround - for workaround related commits (usually version specific)
* ci - for CI related commits (version specific)
* test - for test related commits (version specific)
* other - for commits that do not fit into any of the above categories or use just `rhel-only`
rhel-only: ci
Related: RHEL-36636
---
.github/advanced-commit-linter.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
index 3609fe4612..3e3e3fe2bf 100644
--- a/.github/advanced-commit-linter.yml
+++ b/.github/advanced-commit-linter.yml
@@ -4,8 +4,8 @@ policy:
- github: systemd/systemd
exception:
note:
- - rhel-only
- - RHEL-only
+ - 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)'
+ - 'RHEL-only: (feature|bugfix|doc|workaround|ci|test|other)'
tracker:
- keyword:
- 'Resolves: '
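Review bot: The new patterns `- 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)'` no longer accept a bare `rhel-only` note, yet the commit message's last bullet says commits may "use just `rhel-only`"; either keep the plain `- rhel-only` entry or drop that sentence so the policy and its description agree. Whether the pattern is anchored depends on how the linter matches, which is not visible here; if it performs a search rather than a full match, a note such as `rhel-only: citest` would also pass, and `'^rhel-only: (feature|bugfix|doc|workaround|ci|test|other)$'` would be stricter.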

@ -1,88 +0,0 @@
From 8cbb38625364640f390b2df2cda44ff3877fb16d Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Mon, 14 Nov 2022 14:37:13 +0100
Subject: [PATCH] boot: Do not require a loaded image path
If the device path to text protocol is not available (looking angrily at
Apple) we would fail to boot because we cannot get the loaded image
path. As this is only used for cosmetic purposes, we can just silently
continue.
Fixes: #25363
(cherry picked from commit af7ef648cddeb96da525de2410565d166f75cc96)
Related: #2138081
---
src/boot/efi/boot.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index 17d4ec2d09..b490a1d972 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -471,7 +471,6 @@ static void print_status(Config *config, char16_t *loaded_image_path) {
_cleanup_free_ char16_t *device_part_uuid = NULL;
assert(config);
- assert(loaded_image_path);
clear_screen(COLOR_NORMAL);
console_query_mode(&x_max, &y_max);
@@ -619,7 +618,6 @@ static bool menu_run(
assert(config);
assert(chosen_entry);
- assert(loaded_image_path);
EFI_STATUS err;
UINTN visible_max = 0;
@@ -1478,7 +1476,7 @@ static void config_entry_add_type1(
entry->loader = xstra_to_path(value);
/* do not add an entry for ourselves */
- if (loaded_image_path && strcaseeq16(entry->loader, loaded_image_path)) {
+ if (strcaseeq16(entry->loader, loaded_image_path)) {
entry->type = LOADER_UNDEFINED;
break;
}
@@ -1908,12 +1906,11 @@ static ConfigEntry *config_entry_add_loader_auto(
assert(root_dir);
assert(id);
assert(title);
- assert(loader || loaded_image_path);
if (!config->auto_entries)
return NULL;
- if (loaded_image_path) {
+ if (!loader) {
loader = L"\\EFI\\BOOT\\BOOT" EFI_MACHINE_TYPE_NAME ".efi";
/* We are trying to add the default EFI loader here,
@@ -2562,7 +2559,6 @@ static void export_variables(
char16_t uuid[37];
assert(loaded_image);
- assert(loaded_image_path);
efivar_set_time_usec(LOADER_GUID, L"LoaderTimeInitUSec", init_usec);
efivar_set(LOADER_GUID, L"LoaderInfo", L"systemd-boot " GIT_VERSION, 0);
@@ -2591,7 +2587,6 @@ static void config_load_all_entries(
assert(config);
assert(loaded_image);
- assert(loaded_image_path);
assert(root_dir);
config_load_defaults(config, root_dir);
@@ -2676,9 +2671,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Error getting a LoadedImageProtocol handle: %r", err);
- err = device_path_to_str(loaded_image->FilePath, &loaded_image_path);
- if (err != EFI_SUCCESS)
- return log_error_status_stall(err, L"Error getting loaded image path: %r", err);
+ (void) device_path_to_str(loaded_image->FilePath, &loaded_image_path);
export_variables(loaded_image, loaded_image_path, init_usec);

@ -0,0 +1,59 @@
From 8ca92aa84573b47bb6ee6a5853ecd08463b97af8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 9 Jan 2024 11:28:04 +0100
Subject: [PATCH] journal: again create user journals for users with high uids
This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
in an additional check of uid_is_container(uid). The problem is that that change
is not backwards-compatible at all and very hard for users to handle.
There is no common agreement on mappings of high-range uids. Systemd declares
ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
but this is only a recent change and various sites allocated those ranges
in a different way, in particular FreeIPA uses (used?) uids from this range
for human users. On big sites with lots of users changing uids is obviously a
hard problem. We generally assume that uids cannot be "freed" and/or changed
and/or reused safely, so we shouldn't demand the same from others.
This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
huge problems for existing systems with were created with a different
definition and couldn't be easily updated. For that case, we added a
configuration time switch and we now parse /etc/login.defs to actually use the
value that is appropriate for the local system.
Unfortunately, login.defs doesn't have a concept of container allocation ranges
(and we don't have code to parse and use those nonexistent names either), so we
can't tell users to adjust logind.defs to work around the changed definition.
login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
because they are used to define where the add allocations for subuids, which is
generally a much smaller range. Maybe we should talk with other folks about
the appropriate allocation ranges and define some new settings in login.defs.
But this would require discussion and coordination with other projects first.
Actualy, it seems that this change was needed at all. The code in the container
does not log to the outside journal. It talks to its own journald, which does
journal splitting using its internal logic based on shifted uids. So let's
revert the change to fix user systems.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
rhel-only: bugfix
Related: RHEL-40924
---
src/basic/uid-classification.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
index e2d2cebc6d..2c8b06c0d3 100644
--- a/src/basic/uid-classification.c
+++ b/src/basic/uid-classification.c
@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
/* Returns true if the specified UID shall get its data stored in the system journal. */
- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
+ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
}
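Review bot: The rewritten `return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;` carries no hint that `uid_is_container(uid)` was dropped on purpose, so the next upstream rebase is likely to reintroduce it silently; add a comment above the return, e.g. `/* Deliberately not uid_is_container(): sites allocate that range differently (e.g. for human users), see RHEL-40924. */`. The existing comment could also say that this decision selects which journal file an entry lands in, which presumably also decides which access rules apply to it; that part should be confirmed against journald's file-selection code, which is outside this hunk.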

@ -1,75 +0,0 @@
From 806165285b822436023df84ca0a3e5b28a3099d6 Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Mon, 14 Nov 2022 15:24:32 +0100
Subject: [PATCH] boot: Manually convert filepaths if needed
The conversion of a filepath device path to text is needed for the stub
loader to find credential files.
(cherry picked from commit 679007044fbbcf82c66cf20b99f2f5086b7df6b4)
Related: #2138081
---
src/boot/efi/util.c | 40 ++++++++++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c
index 5547d288de..57436dbf0c 100644
--- a/src/boot/efi/util.c
+++ b/src/boot/efi/util.c
@@ -772,19 +772,51 @@ EFI_STATUS make_file_device_path(EFI_HANDLE device, const char16_t *file, EFI_DE
EFI_STATUS device_path_to_str(const EFI_DEVICE_PATH *dp, char16_t **ret) {
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL *dp_to_text;
EFI_STATUS err;
+ _cleanup_free_ char16_t *str = NULL;
assert(dp);
assert(ret);
err = BS->LocateProtocol(&(EFI_GUID) EFI_DEVICE_PATH_TO_TEXT_PROTOCOL_GUID, NULL, (void **) &dp_to_text);
- if (err != EFI_SUCCESS)
- return err;
+ if (err != EFI_SUCCESS) {
+ /* If the device path to text protocol is not available we can still do a best-effort attempt
+ * to convert it ourselves if we are given filepath-only device path. */
+
+ size_t size = 0;
+ for (const EFI_DEVICE_PATH *node = dp; !IsDevicePathEnd(node);
+ node = NextDevicePathNode(node)) {
+
+ if (DevicePathType(node) != MEDIA_DEVICE_PATH ||
+ DevicePathSubType(node) != MEDIA_FILEPATH_DP)
+ return err;
+
+ size_t path_size = DevicePathNodeLength(node);
+ if (path_size <= offsetof(FILEPATH_DEVICE_PATH, PathName) || path_size % sizeof(char16_t))
+ return EFI_INVALID_PARAMETER;
+ path_size -= offsetof(FILEPATH_DEVICE_PATH, PathName);
+
+ _cleanup_free_ char16_t *old = str;
+ str = xmalloc(size + path_size);
+ if (old) {
+ memcpy(str, old, size);
+ str[size / sizeof(char16_t) - 1] = '\\';
+ }
+
+ memcpy(str + (size / sizeof(char16_t)),
+ ((uint8_t *) node) + offsetof(FILEPATH_DEVICE_PATH, PathName),
+ path_size);
+ size += path_size;
+ }
+
+ *ret = TAKE_PTR(str);
+ return EFI_SUCCESS;
+ }
- char16_t *str = dp_to_text->ConvertDevicePathToText(dp, false, false);
+ str = dp_to_text->ConvertDevicePathToText(dp, false, false);
if (!str)
return EFI_OUT_OF_RESOURCES;
- *ret = str;
+ *ret = TAKE_PTR(str);
return EFI_SUCCESS;
}

@ -0,0 +1,67 @@
From 6ad266a125eabbf27dfbe64aae9a0d9060c2bd08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 18 Jun 2024 20:32:10 +0200
Subject: [PATCH] tmpfiles: make --purge hard to (mis-)use
Follow-up for https://github.com/systemd/systemd/pull/33383.
rhel-only: bugfix
Related: RHEL-40924
---
src/tmpfiles/tmpfiles.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 8cc8c1ccd6..14048545db 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4197,6 +4197,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_IMAGE_POLICY,
ARG_REPLACE,
ARG_DRY_RUN,
+ ARG_DESTROY_DATA,
ARG_NO_PAGER,
};
@@ -4220,10 +4221,18 @@ static int parse_argv(int argc, char *argv[]) {
{ "replace", required_argument, NULL, ARG_REPLACE },
{ "dry-run", no_argument, NULL, ARG_DRY_RUN },
{ "no-pager", no_argument, NULL, ARG_NO_PAGER },
+
+ /* This is not documented on purpose.
+ * If you think --purge should be allowed without jumping through hoops,
+ * consider opening a bug report with the description of the use case.
+ */
+ { "destroy-data", no_argument, NULL, ARG_DESTROY_DATA },
+
{}
};
int c, r;
+ bool destroy_data = false;
assert(argc >= 0);
assert(argv);
@@ -4330,6 +4339,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_dry_run = true;
break;
+ case ARG_DESTROY_DATA:
+ destroy_data = true;
+ break;
+
case ARG_NO_PAGER:
arg_pager_flags |= PAGER_DISABLE;
break;
@@ -4349,6 +4362,10 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Refusing --purge without specification of a configuration file.");
+ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Refusing --purge without --destroy-data.");
+
if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --replace= is not supported with --cat-config/--tldr.");
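Review bot: `--destroy-data` given without `--purge` is accepted silently: `destroy_data` is only consulted in the new `FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data` check, so a stray flag on a normal run neither errors nor does anything. Consider rejecting that combination next to the new check, `if (destroy_data && !FLAGS_SET(arg_operation, OPERATION_PURGE)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--destroy-data is only valid together with --purge.");`, so the flag cannot linger unnoticed in a script that later gains `--purge`. The option-table comment says the flag is intentionally undocumented, but the refusal message `Refusing --purge without --destroy-data.` names it anyway, so the comment would be more accurate as "not listed in --help or the man page". parse_argv starts and ends outside these hunks.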

@ -1,433 +0,0 @@
From 519625977d19b7842d9b2ded8be12ed0aecbaefc Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Tue, 15 Nov 2022 18:22:38 +0100
Subject: [PATCH] boot: Rework security arch override
This simplifies the caller interface for security arch overrides by only
having to pass a validator and an optional context.
(cherry picked from commit 5489c13bae119dc5f6e65be8d7f241aa7d54c023)
Related: #2138081
---
src/boot/efi/linux.c | 61 ++++++++-------------
src/boot/efi/secure-boot.c | 105 +++++++++++++++++++++++++++++--------
src/boot/efi/secure-boot.h | 28 +++-------
src/boot/efi/shim.c | 104 +++++++++++-------------------------
4 files changed, 146 insertions(+), 152 deletions(-)
diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c
index 75b9507709..dd7eb48c8c 100644
--- a/src/boot/efi/linux.c
+++ b/src/boot/efi/linux.c
@@ -20,35 +20,26 @@
#define STUB_PAYLOAD_GUID \
{ 0x55c5d1f8, 0x04cd, 0x46b5, { 0x8a, 0x20, 0xe5, 0x6c, 0xbb, 0x30, 0x52, 0xd0 } }
-static EFIAPI EFI_STATUS security_hook(
- const SecurityOverride *this, uint32_t authentication_status, const EFI_DEVICE_PATH *file) {
+typedef struct {
+ const void *addr;
+ size_t len;
+ const EFI_DEVICE_PATH *device_path;
+} ValidationContext;
- assert(this);
- assert(this->hook == security_hook);
+static bool validate_payload(
+ const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) {
- if (file == this->payload_device_path)
- return EFI_SUCCESS;
+ const ValidationContext *payload = ASSERT_PTR(ctx);
- return this->original_security->FileAuthenticationState(
- this->original_security, authentication_status, file);
-}
-
-static EFIAPI EFI_STATUS security2_hook(
- const SecurityOverride *this,
- const EFI_DEVICE_PATH *device_path,
- void *file_buffer,
- size_t file_size,
- BOOLEAN boot_policy) {
-
- assert(this);
- assert(this->hook == security2_hook);
+ if (device_path != payload->device_path)
+ return false;
- if (file_buffer == this->payload && file_size == this->payload_len &&
- device_path == this->payload_device_path)
- return EFI_SUCCESS;
+ /* Security arch (1) protocol does not provide a file buffer. Instead we are supposed to fetch the payload
+ * ourselves, which is not needed as we already have everything in memory and the device paths match. */
+ if (file_buffer && (file_buffer != payload->addr || file_size != payload->len))
+ return false;
- return this->original_security2->FileAuthentication(
- this->original_security2, device_path, file_buffer, file_size, boot_policy);
+ return true;
}
static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, EFI_HANDLE *ret_image) {
@@ -79,19 +70,13 @@ static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len,
/* We want to support unsigned kernel images as payload, which is safe to do under secure boot
* because it is embedded in this stub loader (and since it is already running it must be trusted). */
- SecurityOverride security_override = {
- .hook = security_hook,
- .payload = source,
- .payload_len = len,
- .payload_device_path = &payload_device_path.payload.Header,
- }, security2_override = {
- .hook = security2_hook,
- .payload = source,
- .payload_len = len,
- .payload_device_path = &payload_device_path.payload.Header,
- };
-
- install_security_override(&security_override, &security2_override);
+ install_security_override(
+ validate_payload,
+ &(ValidationContext) {
+ .addr = source,
+ .len = len,
+ .device_path = &payload_device_path.payload.Header,
+ });
EFI_STATUS ret = BS->LoadImage(
/*BootPolicy=*/false,
@@ -101,7 +86,7 @@ static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len,
len,
ret_image);
- uninstall_security_override(&security_override, &security2_override);
+ uninstall_security_override();
return ret;
}
diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
index 171b2c96b3..0e615c55e0 100644
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@@ -127,10 +127,60 @@ out_deallocate:
return err;
}
-static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride *override) {
+static struct SecurityOverride {
+ /* Our own security arch instances that we register onto original_handle, thereby replacing the
+ * firmware provided instances. */
+ EFI_SECURITY_ARCH_PROTOCOL override;
+ EFI_SECURITY2_ARCH_PROTOCOL override2;
+
+ /* These are saved so we can uninstall our own instance later. */
+ EFI_HANDLE original_handle, original_handle2;
+ EFI_SECURITY_ARCH_PROTOCOL *original_security;
+ EFI_SECURITY2_ARCH_PROTOCOL *original_security2;
+
+ security_validator_t validator;
+ const void *validator_ctx;
+} security_override;
+
+static EFIAPI EFI_STATUS security_hook(
+ const EFI_SECURITY_ARCH_PROTOCOL *this,
+ uint32_t authentication_status,
+ const EFI_DEVICE_PATH *file) {
+
+ assert(security_override.validator);
+ assert(security_override.original_security);
+
+ if (security_override.validator(security_override.validator_ctx, file, NULL, 0))
+ return EFI_SUCCESS;
+
+ return security_override.original_security->FileAuthenticationState(
+ security_override.original_security, authentication_status, file);
+}
+
+static EFIAPI EFI_STATUS security2_hook(
+ const EFI_SECURITY2_ARCH_PROTOCOL *this,
+ const EFI_DEVICE_PATH *device_path,
+ void *file_buffer,
+ size_t file_size,
+ BOOLEAN boot_policy) {
+
+ assert(security_override.validator);
+ assert(security_override.original_security2);
+
+ if (security_override.validator(security_override.validator_ctx, device_path, file_buffer, file_size))
+ return EFI_SUCCESS;
+
+ return security_override.original_security2->FileAuthentication(
+ security_override.original_security2, device_path, file_buffer, file_size, boot_policy);
+}
+
+static EFI_STATUS install_security_override_one(
+ EFI_GUID guid, void *override, EFI_HANDLE *ret_original_handle, void **ret_original_security) {
EFI_STATUS err;
assert(override);
+ assert(ret_original_handle);
+ assert(ret_original_security);
_cleanup_free_ EFI_HANDLE *handles = NULL;
size_t n_handles = 0;
@@ -152,8 +202,8 @@ static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride
if (err != EFI_SUCCESS)
return log_error_status_stall(err, u"Error overriding security arch protocol: %r", err);
- override->original = security;
- override->original_handle = handles[0];
+ *ret_original_security = security;
+ *ret_original_handle = handles[0];
return EFI_SUCCESS;
}
@@ -161,35 +211,46 @@ static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride
* Specification) with the provided override instances. If not running in secure boot or the protocols are
* not available nothing happens. The override instances are provided with the necessary info to undo this
* in uninstall_security_override(). */
-void install_security_override(SecurityOverride *override, SecurityOverride *override2) {
- assert(override);
- assert(override2);
+void install_security_override(security_validator_t validator, const void *validator_ctx) {
+ assert(validator);
if (!secure_boot_enabled())
return;
- (void) install_security_override_one((EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, override);
- (void) install_security_override_one((EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, override2);
-}
+ security_override = (struct SecurityOverride) {
+ { .FileAuthenticationState = security_hook, },
+ { .FileAuthentication = security2_hook, },
+ .validator = validator,
+ .validator_ctx = validator_ctx,
+ };
-void uninstall_security_override(SecurityOverride *override, SecurityOverride *override2) {
- assert(override);
- assert(override2);
+ (void) install_security_override_one(
+ (EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID,
+ &security_override.override,
+ &security_override.original_handle,
+ (void **) &security_override.original_security);
+ (void) install_security_override_one(
+ (EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID,
+ &security_override.override2,
+ &security_override.original_handle2,
+ (void **) &security_override.original_security2);
+}
+void uninstall_security_override(void) {
/* We use assert_se here to guarantee the system is not in a weird state in the unlikely case of an
* error restoring the original protocols. */
- if (override->original_handle)
+ if (security_override.original_handle)
assert_se(BS->ReinstallProtocolInterface(
- override->original_handle,
- &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID,
- override,
- override->original) == EFI_SUCCESS);
+ security_override.original_handle,
+ &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID,
+ &security_override.override,
+ security_override.original_security) == EFI_SUCCESS);
- if (override2->original_handle)
+ if (security_override.original_handle2)
assert_se(BS->ReinstallProtocolInterface(
- override2->original_handle,
- &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID,
- override2,
- override2->original) == EFI_SUCCESS);
+ security_override.original_handle2,
+ &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID,
+ &security_override.override2,
+ security_override.original_security2) == EFI_SUCCESS);
}
diff --git a/src/boot/efi/secure-boot.h b/src/boot/efi/secure-boot.h
index 91b6770edb..e98de81c2a 100644
--- a/src/boot/efi/secure-boot.h
+++ b/src/boot/efi/secure-boot.h
@@ -17,23 +17,11 @@ SecureBootMode secure_boot_mode(void);
EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path);
-typedef struct {
- void *hook;
-
- /* End of EFI_SECURITY_ARCH(2)_PROTOCOL. The rest is our own protocol instance data. */
-
- EFI_HANDLE original_handle;
- union {
- void *original;
- EFI_SECURITY_ARCH_PROTOCOL *original_security;
- EFI_SECURITY2_ARCH_PROTOCOL *original_security2;
- };
-
- /* Used by the stub to identify the embedded image. */
- const void *payload;
- size_t payload_len;
- const EFI_DEVICE_PATH *payload_device_path;
-} SecurityOverride;
-
-void install_security_override(SecurityOverride *override, SecurityOverride *override2);
-void uninstall_security_override(SecurityOverride *override, SecurityOverride *override2);
+typedef bool (*security_validator_t)(
+ const void *ctx,
+ const EFI_DEVICE_PATH *device_path,
+ const void *file_buffer,
+ size_t file_size);
+
+void install_security_override(security_validator_t validator, const void *validator_ctx);
+void uninstall_security_override(void);
diff --git a/src/boot/efi/shim.c b/src/boot/efi/shim.c
index 3ae058cb84..ac224336bc 100644
--- a/src/boot/efi/shim.c
+++ b/src/boot/efi/shim.c
@@ -23,7 +23,7 @@
#endif
struct ShimLock {
- EFI_STATUS __sysv_abi__ (*shim_verify) (void *buffer, uint32_t size);
+ EFI_STATUS __sysv_abi__ (*shim_verify) (const void *buffer, uint32_t size);
/* context is actually a struct for the PE header, but it isn't needed so void is sufficient just do define the interface
* see shim.c/shim.h and PeHeader.h in the github shim repo */
@@ -41,79 +41,45 @@ bool shim_loaded(void) {
return BS->LocateProtocol((EFI_GUID*) SHIM_LOCK_GUID, NULL, (void**) &shim_lock) == EFI_SUCCESS;
}
-static bool shim_validate(void *data, uint32_t size) {
- struct ShimLock *shim_lock;
-
- if (!data)
- return false;
-
- if (BS->LocateProtocol((EFI_GUID*) SHIM_LOCK_GUID, NULL, (void**) &shim_lock) != EFI_SUCCESS)
- return false;
-
- if (!shim_lock)
- return false;
-
- return shim_lock->shim_verify(data, size) == EFI_SUCCESS;
-}
-
-static EFIAPI EFI_STATUS security2_hook(
- const SecurityOverride *this,
- const EFI_DEVICE_PATH *device_path,
- void *file_buffer,
- UINTN file_size,
- BOOLEAN boot_policy) {
-
- assert(this);
- assert(this->hook == security2_hook);
-
- if (shim_validate(file_buffer, file_size))
- return EFI_SUCCESS;
-
- return this->original_security2->FileAuthentication(
- this->original_security2, device_path, file_buffer, file_size, boot_policy);
-}
-
-static EFIAPI EFI_STATUS security_hook(
- const SecurityOverride *this,
- uint32_t authentication_status,
- const EFI_DEVICE_PATH *device_path) {
+static bool shim_validate(
+ const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) {
EFI_STATUS err;
+ _cleanup_free_ char *file_buffer_owned = NULL;
- assert(this);
- assert(this->hook == security_hook);
+ if (!file_buffer) {
+ if (!device_path)
+ return false;
- if (!device_path)
- return this->original_security->FileAuthenticationState(
- this->original_security, authentication_status, device_path);
+ EFI_HANDLE device_handle;
+ EFI_DEVICE_PATH *file_dp = (EFI_DEVICE_PATH *) device_path;
+ err = BS->LocateDevicePath(&FileSystemProtocol, &file_dp, &device_handle);
+ if (err != EFI_SUCCESS)
+ return false;
- EFI_HANDLE device_handle;
- EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *) device_path;
- err = BS->LocateDevicePath(&FileSystemProtocol, &dp, &device_handle);
- if (err != EFI_SUCCESS)
- return err;
+ _cleanup_(file_closep) EFI_FILE *root = NULL;
+ err = open_volume(device_handle, &root);
+ if (err != EFI_SUCCESS)
+ return false;
- _cleanup_(file_closep) EFI_FILE *root = NULL;
- err = open_volume(device_handle, &root);
- if (err != EFI_SUCCESS)
- return err;
+ _cleanup_free_ char16_t *dp_str = NULL;
+ err = device_path_to_str(file_dp, &dp_str);
+ if (err != EFI_SUCCESS)
+ return false;
- _cleanup_free_ char16_t *dp_str = NULL;
- err = device_path_to_str(dp, &dp_str);
- if (err != EFI_SUCCESS)
- return err;
+ err = file_read(root, dp_str, 0, 0, &file_buffer_owned, &file_size);
+ if (err != EFI_SUCCESS)
+ return false;
- char *file_buffer;
- size_t file_size;
- err = file_read(root, dp_str, 0, 0, &file_buffer, &file_size);
- if (err != EFI_SUCCESS)
- return err;
+ file_buffer = file_buffer_owned;
+ }
- if (shim_validate(file_buffer, file_size))
- return EFI_SUCCESS;
+ struct ShimLock *shim_lock;
+ err = BS->LocateProtocol((EFI_GUID *) SHIM_LOCK_GUID, NULL, (void **) &shim_lock);
+ if (err != EFI_SUCCESS)
+ return false;
- return this->original_security->FileAuthenticationState(
- this->original_security, authentication_status, device_path);
+ return shim_lock->shim_verify(file_buffer, file_size) == EFI_SUCCESS;
}
EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path, EFI_HANDLE *ret_image) {
@@ -122,20 +88,14 @@ EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path
bool have_shim = shim_loaded();
- SecurityOverride security_override = {
- .hook = security_hook,
- }, security2_override = {
- .hook = security2_hook,
- };
-
if (have_shim)
- install_security_override(&security_override, &security2_override);
+ install_security_override(shim_validate, NULL);
EFI_STATUS ret = BS->LoadImage(
/*BootPolicy=*/false, parent, (EFI_DEVICE_PATH *) device_path, NULL, 0, ret_image);
if (have_shim)
- uninstall_security_override(&security_override, &security2_override);
+ uninstall_security_override();
return ret;
}

@ -0,0 +1,33 @@
From 79519b922b59c2282223742327cc8d75c7b219d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Dec 2022 22:24:53 +0100
Subject: [PATCH] fedora: use system-auth in pam systemd-user
Adjust upstream config to use our shared stack
rhel-only: feature
Related: RHEL-40924
---
src/login/systemd-user.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 8a3c9e0165..74ef5f2552 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -7,7 +7,7 @@
-account sufficient pam_systemd_home.so
{% endif %}
account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account include system-auth
{% if HAVE_SELINUX %}
session required pam_selinux.so close
@@ -20,4 +20,4 @@ session required pam_namespace.so
-session optional pam_systemd_home.so
{% endif %}
session optional pam_umask.so silent
-session optional pam_systemd.so
+session include system-auth
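Review bot: Replacing `session optional pam_systemd.so` with `session include system-auth` makes registration of the user manager's session with logind depend on the system-auth profile itself listing pam_systemd.so; on a host whose system-auth lacks that module, user@.service would presumably lose that step without any error in this file. A one-line comment in the patched config, `# system-auth is expected to provide pam_systemd.so (and the other session modules dropped here)`, would record that assumption for whoever maintains the authselect profile. Likewise `account include system-auth` replaces the terminal `account required pam_permit.so`; since `account sufficient pam_unix.so no_pass_expiry` stays above it, the included account stack is presumably consulted only when pam_unix does not succeed, which is worth stating in the commit description. The Subject says `fedora:` while the trailer says `rhel-only: feature`; one of the two should be corrected.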

@ -1,185 +0,0 @@
From 8d0b70887a09b9d4a8b669620579d3b6780f0755 Mon Sep 17 00:00:00 2001
From: Jan Janssen <medhefgo@web.de>
Date: Tue, 15 Nov 2022 18:53:02 +0100
Subject: [PATCH] boot: Replace firmware security hooks directly
For some firmware, replacing their own security arch instance with our
override using ReinstallProtocolInterface() is not enough as they will
not use it. This commit goes back to how this was done before by
directly modifying the security protocols.
Fixes: #25336
(cherry picked from commit 967a868563996e928f1fade5bcafc82a7219742b)
Related: #2138081
---
src/boot/efi/secure-boot.c | 119 +++++++++++++------------------------
1 file changed, 40 insertions(+), 79 deletions(-)
diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
index 0e615c55e0..65457bf423 100644
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@@ -128,15 +128,10 @@ out_deallocate:
}
static struct SecurityOverride {
- /* Our own security arch instances that we register onto original_handle, thereby replacing the
- * firmware provided instances. */
- EFI_SECURITY_ARCH_PROTOCOL override;
- EFI_SECURITY2_ARCH_PROTOCOL override2;
-
- /* These are saved so we can uninstall our own instance later. */
- EFI_HANDLE original_handle, original_handle2;
- EFI_SECURITY_ARCH_PROTOCOL *original_security;
- EFI_SECURITY2_ARCH_PROTOCOL *original_security2;
+ EFI_SECURITY_ARCH_PROTOCOL *security;
+ EFI_SECURITY2_ARCH_PROTOCOL *security2;
+ EFI_SECURITY_FILE_AUTHENTICATION_STATE original_hook;
+ EFI_SECURITY2_FILE_AUTHENTICATION original_hook2;
security_validator_t validator;
const void *validator_ctx;
@@ -148,13 +143,13 @@ static EFIAPI EFI_STATUS security_hook(
const EFI_DEVICE_PATH *file) {
assert(security_override.validator);
- assert(security_override.original_security);
+ assert(security_override.security);
+ assert(security_override.original_hook);
if (security_override.validator(security_override.validator_ctx, file, NULL, 0))
return EFI_SUCCESS;
- return security_override.original_security->FileAuthenticationState(
- security_override.original_security, authentication_status, file);
+ return security_override.original_hook(security_override.security, authentication_status, file);
}
static EFIAPI EFI_STATUS security2_hook(
@@ -165,92 +160,58 @@ static EFIAPI EFI_STATUS security2_hook(
BOOLEAN boot_policy) {
assert(security_override.validator);
- assert(security_override.original_security2);
+ assert(security_override.security2);
+ assert(security_override.original_hook2);
if (security_override.validator(security_override.validator_ctx, device_path, file_buffer, file_size))
return EFI_SUCCESS;
- return security_override.original_security2->FileAuthentication(
- security_override.original_security2, device_path, file_buffer, file_size, boot_policy);
+ return security_override.original_hook2(
+ security_override.security2, device_path, file_buffer, file_size, boot_policy);
}
-static EFI_STATUS install_security_override_one(
- EFI_GUID guid, void *override, EFI_HANDLE *ret_original_handle, void **ret_original_security) {
+/* This replaces the platform provided security arch protocols hooks (defined in the UEFI Platform
+ * Initialization Specification) with our own that uses the given validator to decide if a image is to be
+ * trusted. If not running in secure boot or the protocols are not available nothing happens. The override
+ * must be removed with uninstall_security_override() after LoadImage() has been called.
+ *
+ * This is a hack as we do not own the security protocol instances and modifying them is not an official part
+ * of their spec. But there is little else we can do to circumvent secure boot short of implementing our own
+ * PE loader. We could replace the firmware instances with our own instance using
+ * ReinstallProtocolInterface(), but some firmware will still use the old ones. */
+void install_security_override(security_validator_t validator, const void *validator_ctx) {
EFI_STATUS err;
- assert(override);
- assert(ret_original_handle);
- assert(ret_original_security);
-
- _cleanup_free_ EFI_HANDLE *handles = NULL;
- size_t n_handles = 0;
-
- err = BS->LocateHandleBuffer(ByProtocol, &guid, NULL, &n_handles, &handles);
- if (err != EFI_SUCCESS)
- /* No security arch protocol around? */
- return err;
-
- /* There should only ever be one security arch protocol instance, but let's be paranoid here. */
- assert(n_handles == 1);
-
- void *security = NULL;
- err = BS->LocateProtocol(&guid, NULL, &security);
- if (err != EFI_SUCCESS)
- return log_error_status_stall(err, u"Error getting security arch protocol: %r", err);
-
- err = BS->ReinstallProtocolInterface(handles[0], &guid, security, override);
- if (err != EFI_SUCCESS)
- return log_error_status_stall(err, u"Error overriding security arch protocol: %r", err);
-
- *ret_original_security = security;
- *ret_original_handle = handles[0];
- return EFI_SUCCESS;
-}
-
-/* This replaces the platform provided security arch protocols (defined in the UEFI Platform Initialization
- * Specification) with the provided override instances. If not running in secure boot or the protocols are
- * not available nothing happens. The override instances are provided with the necessary info to undo this
- * in uninstall_security_override(). */
-void install_security_override(security_validator_t validator, const void *validator_ctx) {
assert(validator);
if (!secure_boot_enabled())
return;
security_override = (struct SecurityOverride) {
- { .FileAuthenticationState = security_hook, },
- { .FileAuthentication = security2_hook, },
.validator = validator,
.validator_ctx = validator_ctx,
};
- (void) install_security_override_one(
- (EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID,
- &security_override.override,
- &security_override.original_handle,
- (void **) &security_override.original_security);
- (void) install_security_override_one(
- (EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID,
- &security_override.override2,
- &security_override.original_handle2,
- (void **) &security_override.original_security2);
+ EFI_SECURITY_ARCH_PROTOCOL *security = NULL;
+ err = BS->LocateProtocol(&(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, NULL, (void **) &security);
+ if (err == EFI_SUCCESS) {
+ security_override.security = security;
+ security_override.original_hook = security->FileAuthenticationState;
+ security->FileAuthenticationState = security_hook;
+ }
+
+ EFI_SECURITY2_ARCH_PROTOCOL *security2 = NULL;
+ err = BS->LocateProtocol(&(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, NULL, (void **) &security2);
+ if (err == EFI_SUCCESS) {
+ security_override.security2 = security2;
+ security_override.original_hook2 = security2->FileAuthentication;
+ security2->FileAuthentication = security2_hook;
+ }
}
void uninstall_security_override(void) {
- /* We use assert_se here to guarantee the system is not in a weird state in the unlikely case of an
- * error restoring the original protocols. */
-
- if (security_override.original_handle)
- assert_se(BS->ReinstallProtocolInterface(
- security_override.original_handle,
- &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID,
- &security_override.override,
- security_override.original_security) == EFI_SUCCESS);
-
- if (security_override.original_handle2)
- assert_se(BS->ReinstallProtocolInterface(
- security_override.original_handle2,
- &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID,
- &security_override.override2,
- security_override.original_security2) == EFI_SUCCESS);
+ if (security_override.original_hook)
+ security_override.security->FileAuthenticationState = security_override.original_hook;
+ if (security_override.original_hook2)
+ security_override.security2->FileAuthentication = security_override.original_hook2;
}

@ -0,0 +1,317 @@
From b91be007c4172b50e5ca570c3c3cd64fecbf377b Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Tue, 25 Jun 2024 14:00:45 +0200
Subject: [PATCH] net-naming-scheme: start rhel10 naming and include rhel8 and
rhel9 ones
Also add RHEL8,9,10 versions to version-info.xml file
rhel-only: feature
Resolves: RHEL-22621
---
man/systemd.net-naming-scheme.xml | 186 ++++++++++++++++++++++++++++++
man/version-info.xml | 33 ++++++
src/shared/netif-naming-scheme.c | 17 +++
src/shared/netif-naming-scheme.h | 20 ++++
4 files changed, 256 insertions(+)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index ff811c2bd7..690e3d2c27 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -525,7 +525,193 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><constant>rhel-10.0</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>v255</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-10.0"/>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>By default <constant>rhel-10.0</constant> is used.</para>
+
+ <refsect2>
+ <title>RHEL-9 schemes</title>
+ <para>It is also possible to pick a scheme from RHEL-9</para>
+ <variablelist>
+ <varlistentry>
+ <term><constant>rhel-9.0</constant></term>
+
+ <listitem><para>Since version <constant>v247</constant> we no longer set
+ <varname>ID_NET_NAME_SLOT</varname> if we detect that a PCI device associated with a slot is a PCI
+ bridge as that would create naming conflict when there are more child devices on that bridge. Now,
+ this is relaxed and we will use slot information to generate the name based on it but only if
+ the PCI device has multiple functions. This is safe because distinct function number is a part of
+ the device name for multifunction devices.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.0"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.1</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-9.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.1"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.2</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-9.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.2"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.3</constant></term>
+
+ <listitem><para>Naming was changed for SR-IOV virtual device representors.</para>
+
+ <para>The <literal>r<replaceable>slot</replaceable></literal> suffix was added to differentiate SR-IOV
+ virtual device representors attached to a single physical device interface.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.3"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.4</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-9.3</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.4"/>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>RHEL-8 schemes</title>
+ <para>It is also possible to pick a scheme from RHEL-8</para>
+ <variablelist>
+ <varlistentry>
+ <term><constant>rhel-8.0</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>v239</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.0"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.1</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.1"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.2</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.2"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.3</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.3"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.4</constant></term>
+
+ <listitem><para>If the PCI slot is assocated with PCI bridge and that has multiple child network
+ controllers then all of them might derive the same value of <varname>ID_NET_NAME_SLOT</varname>
+ property. That could cause naming conflict if the property is selected as a device name. Now, we detect the
+ situation, slot - bridge relation, and we don't produce the <varname>ID_NET_NAME_SLOT</varname> property to
+ avoid possible naming conflict.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.4"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.5</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.5"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.6</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.6"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.7</constant></term>
+
+ <listitem><para>PCI hotplug slot names for the s390 PCI driver are a hexadecimal representation
+ of the <filename>function_id</filename> device attribute. This attribute is now used to build the
+ <varname>ID_NET_NAME_SLOT</varname>. Before that, all slot names were parsed as decimal
+ numbers, which could either result in an incorrect value of the <varname>ID_NET_NAME_SLOT</varname>
+ property or none at all.</para>
+
+ <para>Some firmware and hypervisor implementations report unreasonable high numbers for the onboard
+ index. To prevent the generation of bogus onbard interface names, index numbers greater than 16381
+ (2^14-1) were ignored. For s390 PCI devices index values up to 65535 (2^16-1) are valid. To account
+ for that, the limit is increased to now 65535.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.7"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.8</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.8"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.9</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.9"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.10</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.10"/>
+ </listitem>
+ </varlistentry>
</variablelist>
+ </refsect2>
<para>Note that <constant>latest</constant> may be used to denote the latest scheme known (to this
particular version of systemd).</para>
diff --git a/man/version-info.xml b/man/version-info.xml
index bd210b20d3..274450d408 100644
--- a/man/version-info.xml
+++ b/man/version-info.xml
@@ -81,4 +81,37 @@
<para id="v255">Added in version 255.</para>
<para id="v256">Added in version 256.</para>
<para id="v257">Added in version 257.</para>
+ <para id="rhel-8.0">Added in rhel-8.0.</para>
+ <para id="rhel-8.1">Added in rhel-8.1.</para>
+ <para id="rhel-8.2">Added in rhel-8.2.</para>
+ <para id="rhel-8.3">Added in rhel-8.3.</para>
+ <para id="rhel-8.4">Added in rhel-8.4.</para>
+ <para id="rhel-8.5">Added in rhel-8.5.</para>
+ <para id="rhel-8.6">Added in rhel-8.6.</para>
+ <para id="rhel-8.7">Added in rhel-8.7.</para>
+ <para id="rhel-8.8">Added in rhel-8.8.</para>
+ <para id="rhel-8.9">Added in rhel-8.9.</para>
+ <para id="rhel-8.10">Added in rhel-8.10.</para>
+ <para id="rhel-9.0">Added in rhel-9.0.</para>
+ <para id="rhel-9.1">Added in rhel-9.1.</para>
+ <para id="rhel-9.2">Added in rhel-9.2.</para>
+ <para id="rhel-9.3">Added in rhel-9.3.</para>
+ <para id="rhel-9.4">Added in rhel-9.4.</para>
+ <para id="rhel-9.5">Added in rhel-9.5.</para>
+ <para id="rhel-9.6">Added in rhel-9.6.</para>
+ <para id="rhel-9.7">Added in rhel-9.7.</para>
+ <para id="rhel-9.8">Added in rhel-9.8.</para>
+ <para id="rhel-9.9">Added in rhel-9.9.</para>
+ <para id="rhel-9.10">Added in rhel-9.10.</para>
+ <para id="rhel-10.0">Added in rhel-10.0.</para>
+ <para id="rhel-10.1">Added in rhel-10.1.</para>
+ <para id="rhel-10.2">Added in rhel-10.2.</para>
+ <para id="rhel-10.3">Added in rhel-10.3.</para>
+ <para id="rhel-10.4">Added in rhel-10.4.</para>
+ <para id="rhel-10.5">Added in rhel-10.5.</para>
+ <para id="rhel-10.6">Added in rhel-10.6.</para>
+ <para id="rhel-10.7">Added in rhel-10.7.</para>
+ <para id="rhel-10.8">Added in rhel-10.8.</para>
+ <para id="rhel-10.9">Added in rhel-10.9.</para>
+ <para id="rhel-10.10">Added in rhel-10.10.</para>
</refsect1>
diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
index 2955b6e8d5..e4d4c0ba88 100644
--- a/src/shared/netif-naming-scheme.c
+++ b/src/shared/netif-naming-scheme.c
@@ -24,6 +24,23 @@ static const NamingScheme naming_schemes[] = {
{ "v253", NAMING_V253 },
{ "v254", NAMING_V254 },
{ "v255", NAMING_V255 },
+ { "rhel-8.0", NAMING_RHEL_8_0 },
+ { "rhel-8.1", NAMING_RHEL_8_1 },
+ { "rhel-8.2", NAMING_RHEL_8_2 },
+ { "rhel-8.3", NAMING_RHEL_8_3 },
+ { "rhel-8.4", NAMING_RHEL_8_4 },
+ { "rhel-8.5", NAMING_RHEL_8_5 },
+ { "rhel-8.6", NAMING_RHEL_8_6 },
+ { "rhel-8.7", NAMING_RHEL_8_7 },
+ { "rhel-8.8", NAMING_RHEL_8_8 },
+ { "rhel-8.9", NAMING_RHEL_8_9 },
+ { "rhel-8.10", NAMING_RHEL_8_10 },
+ { "rhel-9.0", NAMING_RHEL_9_0 },
+ { "rhel-9.1", NAMING_RHEL_9_1 },
+ { "rhel-9.2", NAMING_RHEL_9_2 },
+ { "rhel-9.3", NAMING_RHEL_9_3 },
+ { "rhel-9.4", NAMING_RHEL_9_4 },
+ { "rhel-10.0", NAMING_RHEL_10_0 },
/* … add more schemes here, as the logic to name devices is updated … */
EXTRA_NET_NAMING_MAP
diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
index 62afdc514a..b0697c141e 100644
--- a/src/shared/netif-naming-scheme.h
+++ b/src/shared/netif-naming-scheme.h
@@ -63,6 +63,26 @@ typedef enum NamingSchemeFlags {
* systemd version 255, naming scheme "v255". */
NAMING_V255 = NAMING_V254 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ NAMING_RHEL_8_0 = NAMING_V239,
+ NAMING_RHEL_8_1 = NAMING_V239,
+ NAMING_RHEL_8_2 = NAMING_V239,
+ NAMING_RHEL_8_3 = NAMING_V239,
+ NAMING_RHEL_8_4 = NAMING_V239 | NAMING_BRIDGE_NO_SLOT,
+ NAMING_RHEL_8_5 = NAMING_RHEL_8_4,
+ NAMING_RHEL_8_6 = NAMING_RHEL_8_4,
+ NAMING_RHEL_8_7 = NAMING_RHEL_8_4 | NAMING_SLOT_FUNCTION_ID | NAMING_16BIT_INDEX,
+ NAMING_RHEL_8_8 = NAMING_RHEL_8_7,
+ NAMING_RHEL_8_9 = NAMING_RHEL_8_7,
+ NAMING_RHEL_8_10 = NAMING_RHEL_8_7,
+
+ NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ NAMING_RHEL_9_1 = NAMING_RHEL_9_0,
+ NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
+ NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
+ NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
+
+ NAMING_RHEL_10_0 = NAMING_V255,
+
EXTRA_NET_NAMING_SCHEMES
_NAMING_SCHEME_FLAGS_INVALID = -EINVAL,
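Review bot: The new NAMING_RHEL_* enumerators in netif-naming-scheme.h carry no explanation of which flag each RHEL step adds, while the neighbouring upstream entry does (the `systemd version 255, naming scheme "v255"` comment just above NAMING_V255); a short comment on each non-trivial step would help, e.g. `/* rhel-8.4: NAMING_BRIDGE_NO_SLOT, see the rhel-8.4 entry in systemd.net-naming-scheme(7) */` before NAMING_RHEL_8_4, and similar lines for rhel-8.7 (NAMING_SLOT_FUNCTION_ID | NAMING_16BIT_INDEX), rhel-9.0 and rhel-9.3. The man page text adds `By default rhel-10.0 is used`, but nothing in this patch changes the default scheme, so that presumably comes from the build option elsewhere and should be confirmed so the documentation matches the shipped binary. Two typos in the new documentation text: `assocated` in the rhel-8.4 entry and `onbard` in the rhel-8.7 entry. The version-info.xml ids for rhel-9.5 through rhel-10.10 have no corresponding scheme in the table or enum; if they are intentional placeholders, an XML comment saying so would stop them being read as missing entries.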

@ -1,31 +0,0 @@
From a43bf9f897002744610a9ea5ce7bdc91c3e3dc83 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Tue, 8 Nov 2022 12:21:35 -0800
Subject: [PATCH] networkd-ipv4acd.c: Use net/if.h for getting IFF_LOOPBACK
definition
This helps in avoiding compiling errors on musl. Definition of
IFF_LOOPBACK is the reason for including linux/if_arp.h, this however
could be obtained from net/if.h glibc header equally and makes it
portable as well.
(cherry picked from commit 239e4a42a69c31e55e58618d800e0d68c68931d3)
Related: #2138081
---
src/network/networkd-ipv4acd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/network/networkd-ipv4acd.c b/src/network/networkd-ipv4acd.c
index 4127657ebd..877dee00ec 100644
--- a/src/network/networkd-ipv4acd.c
+++ b/src/network/networkd-ipv4acd.c
@@ -1,6 +1,7 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#include <linux/if_arp.h>
+#include <net/if.h> /* IFF_LOOPBACK */
+#include <net/if_arp.h> /* ARPHRD_ETHER */
#include "sd-dhcp-client.h"
#include "sd-ipv4acd.h"

@ -1,27 +1,40 @@
From 6b5b5fefcb68cb53427747be4984531bdeddcf7e Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Fri, 2 Jul 2021 13:25:51 +0200
Subject: [PATCH] Copy 40-redhat.rules from RHEL-8
From ee9a767142ec66b1ca93af9401dc8f723ae59881 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Wed, 12 Jun 2024 14:23:30 +0200
Subject: [PATCH] rules: copy 40-redhat.rules from RHEL 9
RHEL-only
Also split rules into 40-redhat-hotplug.rules, 40-redhat-s390.rules and 40-redhat.rules.
Related: #2138081
rhel-only: feature
Resolves: RHEL-40360
---
rules.d/40-redhat.rules | 46 +++++++++++++++++++++++++++++++++++++++++
rules.d/meson.build | 3 ++-
2 files changed, 48 insertions(+), 1 deletion(-)
rules.d/40-redhat-hotplug.rules | 23 +++++++++++++++++++++++
rules.d/40-redhat-s390.rules | 24 ++++++++++++++++++++++++
rules.d/40-redhat.rules | 8 ++++++++
rules.d/meson.build | 5 ++++-
4 files changed, 59 insertions(+), 1 deletion(-)
create mode 100644 rules.d/40-redhat-hotplug.rules
create mode 100644 rules.d/40-redhat-s390.rules
create mode 100644 rules.d/40-redhat.rules
diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules
diff --git a/rules.d/40-redhat-hotplug.rules b/rules.d/40-redhat-hotplug.rules
new file mode 100644
index 0000000000..3c95cd2df0
index 0000000000..5555eeac75
--- /dev/null
+++ b/rules.d/40-redhat.rules
@@ -0,0 +1,46 @@
+++ b/rules.d/40-redhat-hotplug.rules
@@ -0,0 +1,23 @@
+# do not edit this file, it will be overwritten on update
+
+# CPU hotadd request
+SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
+SUBSYSTEM!="cpu", GOTO="cpu_online_end"
+ACTION!="add", GOTO="cpu_online_end"
+CONST{arch}=="ppc64*", GOTO="cpu_online_end"
+CONST{arch}=="s390*", ATTR{configure}=="0", GOTO="cpu_online_end"
+
+TEST=="online", ATTR{online}=="0", ATTR{online}="1"
+
+LABEL="cpu_online_end"
+
+# Memory hotadd request
+SUBSYSTEM!="memory", GOTO="memory_hotplug_end"
@ -34,13 +47,13 @@ index 0000000000..3c95cd2df0
+ATTR{state}=="offline", ATTR{state}="$env{.state}"
+
+LABEL="memory_hotplug_end"
+
+# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
+
+# load SCSI generic (sg) driver
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
diff --git a/rules.d/40-redhat-s390.rules b/rules.d/40-redhat-s390.rules
new file mode 100644
index 0000000000..64698b90e8
--- /dev/null
+++ b/rules.d/40-redhat-s390.rules
@@ -0,0 +1,24 @@
+# do not edit this file, it will be overwritten on update
+
+# Rule for prandom character device node permissions
+KERNEL=="prandom", MODE="0644"
@ -64,17 +77,33 @@ index 0000000000..3c95cd2df0
+KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
+
+LABEL="zfcp_scsi_device_end"
diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules
new file mode 100644
index 0000000000..975d56fdfd
--- /dev/null
+++ b/rules.d/40-redhat.rules
@@ -0,0 +1,8 @@
+# do not edit this file, it will be overwritten on update
+
+# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
+
+# load SCSI generic (sg) driver
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
diff --git a/rules.d/meson.build b/rules.d/meson.build
index 8d2878a36d..70f48e877b 100644
index 3040fae8a4..edf419f449 100644
--- a/rules.d/meson.build
+++ b/rules.d/meson.build
@@ -5,7 +5,8 @@ install_data(
@@ -5,7 +5,10 @@ install_data(
install_dir : udevrulesdir)
rules = [
- [files('60-autosuspend.rules',
+ [files('40-redhat.rules',
+ [files('40-redhat-hotplug.rules',
+ '40-redhat-s390.rules',
+ '40-redhat.rules',
+ '60-autosuspend.rules',
'60-block.rules',
'60-cdrom_id.rules',
'60-drm.rules',
'60-dmi-id.rules',
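Review bot: The CPU hot-add logic in 40-redhat-hotplug.rules appears in two forms: the single unconditional `SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"` and the guarded block that jumps to `cpu_online_end` for ppc64 and for s390 CPUs with `ATTR{configure}=="0"` before onlining. The rendered view has lost the +/- markers, so I cannot tell whether the single-line form is the removed one; if both survive on the new side, the unconditional rule fires first and the arch guards are dead. Please confirm only the guarded block remains in the new file. The bridge sysctl reload and sg modprobe rules likewise appear both under the hotplug file's hunk and in the new 40-redhat.rules, which reads as old-versus-new rather than duplication but deserves the same check.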
