This option makes mkosi "remember" all the CLI options specified on
the command line when building an image. This means they don't need
to be specified again when booting the image afterwards or doing any
other operation on the image with "mkosi xxx".
As an example of how this is useful, currently, when running "mkosi
-d opensuse -f" to build an opensuse image and then running "mkosi
sandbox -- meson test -C build TEST-86-MULTI-UKI-PROFILE", running
the test will try to add virtiofs mounts of the fedora~rawhide build
directory on my machine instead of the opensuse one. With the History=
option enabled, it will use the opensuse tumbleweed directory as expected.
We stop setting --extra-search-path and --output-dir in the integration test
wrapper as these are settings that are "remembered" by enabling the History=
option.
Now that we have mkosi sandbox, meson runs with the mkosi tools tree
mounted (if one is used at all), so we can implement all the qemu feature
checks in meson itself, removing the need for mkosi configure scripts.
Let's get rid of the configure script for this use case by just
implementing the necessary logic in integration-test-wrapper.py.
We need to get rid of our usage of configure scripts to allow enabling
the History= setting.
Add verb that takes a PKCS#1 signature (plain rsa) as input and a
certificates, and outputs a PKCS#7 binary detached signature (p7s),
which is what the kernel dm-verity driver expects.
Co-authored-by: Luca Boccassi <bluca@debian.org>
Previously, we'd name the import services numerically. Let's instead use
the local target file name, i.e. the object we are creating with these
services locally. That's useful so that we can robustely order against
these service instances, should we need to one day.
This is useful for bind mounting a freshly downloaded and unpacked tar
disk images to /sysroot to mount into.
Specifically, with a kernel command line like this one:
rd.systemd.pull=verify=no,machine,tar:root:http://_gateway:8081/image.tar root=bind:/run/machines/root ip=any
The first parameter downloads the root image, the second one then binds
it to /sysroot so that we can boot into it.
Previously, one of the io.systemd.Machine.Open() tests would invoke a
command line via machined, and then check if it ran properly. This was
implemented in a racy fashion: the client side would immediately close
the pty fd allocated for the operation, thus triggering an immediate
SIGHUP on the other side. Now, depending whether this client was quicker
in closing or the server was quicker in executing the command line this
was a race.
Fix this comprehensively: let's first wait for the varlink operation to
complete via the new "systemd-notify --fork" logic (because varlinkctl
sends out READY=1 once handing off to --exec). Secondly let's use
varlinkctl's --exec logic to invoke a process which keeps open the open
pty until we kill it (we just use sleep for that).
(Also add some more tests for the varlinkctl --exec stuff)
When the user/customer sets the time on the system which is prior
than that of the systemd build time, as systemd doesn't allow time
before it's build date after a reboot, systemd is resetting it but
there is no error or exception present in the setTime method due
to which user/customer is unaware of why the time is reset back to
the systemd-build time.
Added a condition check in the set_time() method to return an
error when tried to set time past the systemd build date.
Tested: Verified that it throws an error when we try to set the
time prior to systemd build date.
Change-Id: Ia6b58320bdb7234a21885a44af8fd3bda64c3789
Add --join-signature=hash:sig - when a verity signature partition
has been deferred in a previous run, this allows attaching a signature
that was created offline, for example on a build system like OBS where
the private key is not available to the build process.
Can be specified multiple times, the right partition to act upon will
be selected by matching the data+verity partitions UUIDs with the
provided roothash(es)
Add --join-signature=hash:sig - when a verity signature partition
has been deferred in a previous run, this allows attaching a signature
that was created offline, for example on a build system like OBS where
the private key is not available to the build process.
Can be specified multiple times, the right partition to act upon will
be selected by matching the data+verity partitions UUIDs with the
provided roothash(es)
- FUSE is unconditionally enabled in the container, as our kernel base
line (v5.4) supports userns-safe FUSE, which is supported since v4.18.
- Create /dev/net/tun only when it is accessible.
- Replaces several loops with FOREACH_ARRAY().
This fixes some typos in the documentation, both grammar as well as
incorrect field names.
It also changes the casing of CheckSum to Checksum in L2TP to match
other casings.
Follow-up for 985ea98e7f.
When DevicePolicy= is enabled, but DeviceAllow= for /dev/net/tun is not
specified, bind-mounting the device node from the host system is
meaningless, as it cannot be used in the container anyway.
Let's check the device node is accessible before creating or
bind-mounting.
- Add missing '--' delimiter
- Use the new BuildSubdirectory JSON field to figure out the build
subdirectory.
- Remove the /usr/include path mapping for now. This means we can't
jump into system headers anymore if they don't exist on the host,
we can find a way to add this back later if it turns out to be
crucial.
We want systemd-pty-forward to be something that can be dropped in
somewhere without too much thought. To enable this, let's make sure
we forward various signals to the forked process. This makes sure that
any signals are delivered to the actual child process regardless of whether
it's running within systemd-pty-forward or not.
In https://github.com/systemd/mkosi/pull/3497, mkosi has started parsing
options passed after the verb as regular mkosi options instead of options
for the invoked command. We adapt to this change by adding '--' as a delimiter
everywhere where required.
09fbff57fc introduced new knob
for such functionality. However, that seems unnecessary.
The mount option string is ubiquitous in that all of fstab,
kernel cmdline, credentials, systemd-mount, ... speak it.
And we already have x-systemd.device-bound= that's parsed
by pid1 instead of fstab-generator. It feels hence more natural
for graceful options to be an extension of that, rather than
its own property.
There's also one nice side effect that the setting itself
is now more graceful for systemd versions not supporting
such feature.
Based on this patch i had submitted to RedHat
(https://issues.redhat.com/browse/RHEL-56280), i am submitting this
patch to this upstream systemd.
There is no way to explicitly enable/disable IPv6 AAAA queries.
Problem was that i am using RHEL9 and some applications does not use a
newer glibc that supports `no-aaaa` option in `/etc/resolv.conf`. So
some applications will still resolve IPv6 AAAA even with `no-aaaa`
option and it is inconsistent across the system where some work and some
don't.
So this systemd-resolved patch catch-all queries and disable IPv6 AAAA
queries for all applications in the OS by having an option
`RefuseRecordTypes=AAAA` to disable IPv6 AAAA queries.
Although https://github.com/systemd/systemd/pull/28136 tries to fix this
automatically but it still does not work with
`net.ipv6.conf.all.disable_ipv6 = 1`. Also tried with explicitly
removing the conditional and force set `family = AF_INET` and still
resolves AAAA records.
The issue is that i want to explicitly disable IPv6 AAAA queries instead
of systemd-resolved to figure out itself which address family it is
using, which always have problems.
This adds `--json=MODE` command line option to `udevadm test`.
This may be useful for parsing e.g. network interface name or device
node symlinks.
Closes#23661.
This adds --json=MODE option for 'udevadm test' command.
When specified, all messages, except for the final result, will be
written to stderr, and the final result is shown in JSON format to
stdout. It may be useful for parsing the test result.
- Also configures route to the gateway and prefix route in the specified
table, if necessary.
- Also set preferred source address of the route.
Closes#36168.
