* 5650452e6b Install new files for upstream build
* 607afcd060 salsa: disable arm64/ppc64el again
* b1bb6d4849 systemd-tests: drop unused overrides
* b3790a36ca getty-static: add missing Documentation=
* 1cea27caba Backport patch to fix autopkgtest with new util-linux due to file move
* 2e74a7f969 Update changelog for 258.1-1 release
* 9250e242b9 Make /run/lock world writable by default
'rev' moved to bsdextrautils and TEST-50-DISSECT uses it, so it now
fails:
[ 83.534905] bash[3581]: +++ grep '^now' /proc/timer_list
[ 83.535479] bash[3582]: +++ cut '-d ' -f3
[ 83.535774] bash[3583]: +++ rev
[ 83.535774] bash[3583]: bash: line 1: rev: command not found
Otherwise it pulls in libz-ng-compat1 which isn't 100% compatible with
libz1, and more importantly it requires an ldconfig drop-in in /etc/
(/etc/ld.so.conf.d/zlib-ng-compat-x86_64.conf) which breaks hermetic-usr
and TEST-07-PID1:
systemd[5582]: /usr/lib/systemd/systemd: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory
If systemd-pcrphase-initrd.service and friends failed for some reasons,
the test VM will reboot infinitely and the test will timeout. Let's
propagate the failure to the host and fail the test earlier in that case.
The test for the EnterNamespace= feature [0] has been both broken and
disabled since the migration to the mkosi framework, as it's missing the
libdw.pc file for pkg-config, so the test is skipped completely, and
it's also missing gcc to actually build the test binary.
[0] Part of TEST-87-AUX-UTILS-VM.coredump.sh
* e50fce1d4b Fix installation of new manpages
* 8b45d3d793 Install new files for upstream build
* a401468f75 autopkgest: install bsdutils and bsdextrautils for unit tests
* 587584577e Explicitly disable bpf-framework for stage1 builds
* 209a8475d9 systemd: recommend login package
5728s TEST-75-RESOLVED.sh[439]: /usr/lib/systemd/tests/testdata/units/TEST-75-RESOLVED.sh: line 154: keymgr: command not found
The command was split out into a new package
4971s TEST-74-AUX-UTILS.sh[1212]: + script -ec 'networkctl edit --runtime "$NETWORK_NAME"' /dev/null
4971s TEST-74-AUX-UTILS.sh[1269]: .//usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.networkctl.sh: line 55: script: command not found
Currently works due to a transitive dependency somewhere else
that is being dropped, pull it in directly given the tool is
used by the tests
Some distributions does not have man package, but named man-db or so,
and most distribution specific mkosi.conf files already have them.
Let's drop man from the global config.
* 7d9cf5c9347 Update systemd to version 257.9 / rev 456 via SR 1303345
* 439d743e5d6 Update systemd to version 257.7 / rev 455 via SR 1297651
* 4f72c6a6279 Update systemd to version 257.7 / rev 454 via SR 1296831
* 3b0afa5c6d1 Update systemd to version 257.7 / rev 453 via SR 1294979
* d0eccd20f5a Update systemd to version 257.7 / rev 452 via SR 1292221
* f9d183f8c57 Update systemd to version 257.7 / rev 451 via SR 1291008
* cbd6908247d Update systemd to version 257.7 / rev 450 via SR 1289968
* 6e5c00f9f92 Update systemd to version 257.6 / rev 449 via SR 1286997
Signed-off-by: val4oss <github.widget541@passmail.net>
* Add the missing package for mkosi opensuse conf, otherwise TEST-04-JOURNAL
fails with "/usr/lib/systemd/systemd-journal-remote: No such file or
directory"
Signed-off-by: val4oss <github.widget541@passmail.net>
* 786b8fe1c8 Return false from want_efi() for UKI outputs
* fac86dbc93 mkosi-tools: add qemu/pipewire packages for gui profile for debian
* 3bb98f0e6e Add ncdu to tools tree packages
* 1332b32cb4 config: Fix type for devicetree setting
* eff03569ee initrd: Add intel_pmc_ssram_telemetry module by default
* e04305b030 Make Bootable= determine whether we build a UKI for esp images
* 7252146429 mkosi-obs: use --force also for unzstd
* f58e31e228 mkosi-obs: do not fail if there are no bootloaders in the ESP
* fac3bd4bf1 rhel: Look up entitlement keys and certificates in sandbox
* da814d9634 opensuse: Add support for RISC-V for Tumbleweed
* b1d66c88d0 fedora: Rework rawhide GPG key logic
* b9360f25df Include {sys,conf}ext info in metadata file
* 94c6db6148 Set MakeInitrd=yes in documentation for building custom initrd
* d134013ca8 mkosi-tools: add grub2-common to openSUSE tools tree
* c97d345395 mkosi-tools: virtiofsd is only available on a subset of architectures on debian/ubuntu
There's no guarantee that $GIT_BRANCH is always the same across
stable release branches and main. But we still need to make sure
we switch commits if we're switching between main and release branches.
To make this work, let's not check if the current HEAD commit is an
ancestor of the currently configured origin branch. Instead, let's
check if any of the origin branches contains the current HEAD commit.
This still makes sure that we won't switch commits if we're working
on a local branch while making sure that we do switch commits if we're
switching between main and stable release branches with different
git branches configured for the packaging repo checkout.
Since c5de7b14ae
file searching implies a new mount api syscall by default,
to trigger automounts.
This is problematic in NSS plugins, as they are dlopen'ed inside
processes by glibc, for two reasons.
First of all, potentially searching on a networked filesystem
automount could lead to nasty surprises, such as the process
responsible for setting up the network filesystem trying to
search on that same filesystem.
More importantly, the new mount api syscall was never part of
the filesystem seccomp filter that we provide by default, and
given mounting/remounting/bind mounting is one of the possible
ways to bypass sandboxing it is very likely not allowed when
custom filters are used in sandboxed processes, if they don't
need to do these operations otherwise.
The filesystem seccomp mask we provide has been updated, however
this only takes effect on the next restart of a service. When
systemd is upgraded via a package upgrade, the new nss plugin is
installed and will be immediately dlopen'ed by glibc when needed,
without waiting for the process to restart, which means the existing
seccomp filter applies, causing the filter to trigger.
Given it's not really possible for any arbitrary program to
predict which NSS modules glibc will load, given programs do not
configure that and instead nsswitch is set up by the sysadmin,
it's impossible to handle at each process level. It's also not
possible to know when it will be triggered, given the plugin
is not linked in each binary tools like need-restart cannot
even pre-emptively restart services that may be affected.
This means in practice, upgrading from systemd << v258 to >= v258
requires a reboot to avoid either subtle or catastrophic system
failures.
By avoiding to trigger automounts in nss-systemd we can avoid
both issues.
userdb drop-ins are searched for in:
/etc/userdb/
/run/userdb/
/run/host/userdb/
/usr/local/lib/userdb/
/usr/lib/userdb/
none of which are supported as automounts anyway.
Note that this happens only when the userdbd service is not running,
as otherwise nss-systemd will go through the varlink IPC, rather than
doing the searches in-process.
So invert CHASE_NO_AUTOFS to CHASE_AUTOFS and set it in the places where
we do want to trigger automounts, like looking for the ESP.
Follow-up for c5de7b14ae
Fixes https://github.com/systemd/systemd/issues/38565
mkosi patches up /etc/os-release to add local IDs and fixup certain
issues, so when tests patch /usr/lib/ on the fly, copy to the version in
/etc/ too to avoid test failures when querying
6370s 10/98 systemd:integration-tests / TEST-07-PID1 FAIL 31.03s exit
status 1
6370s 25/98 systemd:integration-tests / TEST-29-PORTABLE FAIL 12.76s
exit status 1
6370s 33/98 systemd:integration-tests / TEST-43-PRIVATEUSER-UNPRIV FAIL
6.57s exit status 1
6370s 37/98 systemd:integration-tests / TEST-50-DISSECT FAIL 16.97s exit
status 1
This is particularly an issue when running these tests on debian unstable,
where mkosi has to fixup os-release to make it valid and avoid further
breakages:
https://github.com/systemd/mkosi/blob/main/mkosi/distributions/debian.py#L234
* 5598b7f579 fedora: be more persistent when guessing what rawhide could be
* cdd2d1570e Use apt-ftparchive instead of reprepro
* eeb4ce6302 fix dead/404 link
* 30a487d183 mkosi-tools: Drop systemd-boot-efi package
* ad4b4d2cbe Add debug logging for version reported by systemd tools
* 95f5c77fb7 mkosi-tools: move systemd-boot package to conf file matching older releases
* 7da22f33e0 README: clarify that companion tools can also be enabled from the git repo
* ec3fe91532 Drop microsecond resolution for datetime.now()
* 9f7a53b687 mkosi-initrd: install raid rule with 70 prefix
* 32c3ff4677 ci: give a hint about possible fixes for failing reuse lints
* 489c5e9ecc build(deps): bump github/codeql-action from 3.29.2 to 3.29.5
* cb1a3c9049 FirmwareVariables: allow generating during image build
* 6104923534 env: export $EFI_ARCHITECTURE in hook scripts on EFI arches
* fef33f96a2 mkosi-tools: ukify moved to systemd-ukify in openSUSE
* ec4475a846 ensure builds with cache over device boundaries
* 7be5159f24 Change UnifiedKernelImages to enum and accept signed/unsigned
* 071ac4a575 mkosi-vm: install systemd-boot-efi-signed where available
* 1865be628e opensuse: Install OpenSUSE-release if another release package is not installed
* 0381b17819 qemu: Disable hpet for x86 VMs
* 4f63700eb3 mkosi-tools: install systemd-boot-tools for bootctl
* 1230ed333b man: remove duplicate 'the' in FirmwareVariables description
rpmautospec-rpm-macros is only in EPEL 9 so let's gate it properly
on that by splitting up the epel packages config file into two.
erofs-utils is in EPEL 9 and in CentOS Stream 10.
It does not exist for CentOS Stream 10, it's only relevant for CentOS
Stream 9 in some corner cases which don't apply to us, so let's not enable
it to avoid complexity instead of only enabling it for CentOS Stream 9.
Follow up for 3800adc9e5
Both EPEL 9 and 10 now have the packages we need except for dhcp-server
so let's get rid of the EPEL conditionals and simply skip the tests that
require dhcp-server on CentOS.
While we're at it, make sure we use the new Architecture=uefi match in
mkosi to simplify the uefi checks.
* 184472f0f1 mkosi-tools: make sure p11-kit dir exists when configuring module
* 9fb807884e mkosi-tools: Explicitly install p11-kit
* 9131877d60 Support matching against architectures with uefi support
* f1eab5a783 Rename sandbox verb to box
* d609f55d98 Fix /var/tmp directory cleanup
* 4997b9495c build(deps): bump github/codeql-action from 3.28.18 to 3.29.2
* cc380fbc8a Install new files for upstream build
* 45f81ec53e Install new files for upstream build
* 105837d0ba Update changelog for 257.7-1 release
* bb17074bfd systemd-boot: reduce harmless noise on cleanup
* 363898fe05 systemd-boot: remove fb too on removal
