Maintaining the fmf metadata and script upstream makes it painful
to reuse downstream so let's move the metadata and testing script
downstream and load it upstream instead.
* 2ecfbec1a4 Support specifying extra mkosi repositories to the test script
* f5b47b1302 Use old setup sysusers files on Fedora < 43
* 2da5793357 Merge #196 `Migrate fmf metadata and test script from the upstream repository`
* e346d9f33e Limit sdubby dependency to Fedora
Without this change, when e.g. event_timeout= is specified in udev.conf,
udevadm and friends, which load udev.conf, warn about unknown keys:
===
$ udevadm info /sys/class/net/lo
/run/udev/udev.conf.d/test-17.conf:1: Unknown key 'event_timeout', ignoring.
/run/udev/udev.conf.d/test-17.conf:2: Unknown key 'timeout_signal', ignoring.
===
Follow-up for 07f5e35fe7 (v256).
Previously, we would fail. But this doesn't seem useful: we may want to
mark the update as done even if no updates to /etc/ or /var/ were necessary
and there was no need to create /etc/ or /var/ yet.
The idea is to use this when building an image to mark the image as not
needing updates after the reboot. In general it is impossible to say if
any of the early boot update services can be safely skipped, except when
the creator of the image knows all the contents there and has made sure
that all the updates have been processed. (This is in fact what happens
in a typical package-based installation: the packages have scriptlets which
implement the changes during or after the installation process.)
With this patch, the image build process can do 'systemd-update-done --root=…'
at the appropriate point to avoid triggering ldconfig.service,
systemd-hwdb-update.service, etc.
I didn't write --image=, because it doesn't seem immediately useful. The
approach with --root is most useful when we're building the image "offline",
which means that we have a directory we're working on.
The man page was right, but the comment in the generated file was wrong. The
timestamp is *not* the timestamp when the update is being done. While at it,
say to what directory the message applies. This makes it easier for a casual
reader to figure out what is happening.
Also rename the function to better reflect what it does.
Inspired by https://github.com/systemd/systemd/issues/36045.
When using vmspawn on a particleos image we really want the TPM state
to be retained between invocations, since the encryption key is locked to
the TPM after all. Hence let's support that.
This adds --tpm-state=, which can be used to configure a path to store
the TPM state in. It can also be used to force the TPM state to be transient
or to let vmspawn pick the path automatically.
While we are at it, let's also revamp the runtime dir handling in
vmspawn: let's no longer place the sockets the auxiliary services listen
on within their own runtime directories. Instead, just drop the runtime
directories for them entirely (since neither virtiofsd, nor swtpm
actually use them). Also, let systemd clean up the sockets
automatically.
Currently this is picked up from the main branch of the fork which is
suboptimal. The packit folks implemented this new option for us which
should fix the problem.
There's no need to build various systemd tools from source again to
build the mkosi image when we can just install the packages that were
already built from source into the tools tree so let's do that to avoid
unnecessary compiling.
Currently DelegateNamespaces= only works for services spawned by the
system manager. User managers will always unshare the user namespace
first even if they're running with CAP_SYS_ADMIN.
Let's add support for DelegateNamespaces= for user managers if they're
running with CAP_SYS_ADMIN. By default, we'll still delegate all
namespaces for user managers, but this can now be overridden by explicitly
passing DelegateNamespaces=.
If a user manager is running without CAP_SYS_ADMIN, the user manager is
still always unshared first just like before.
A unit might be pending in the empty queue still when we add a PID to
the cgroup. At that point, let's explicitly remove the unit from that
queue.
Fixes: #36781
Let's improve error handling in case one tries to unlock a TPM2-locked
volume via TPM on a different machine than it was originally enrolled
on. Let's recognize this case and print a clearer error message.
So far we'd directly use the pidfd passed into event_add_child_pidref(),
hoping it would not be closed by the caller before we are done. This was
violated by vmspawn however.
Let's make this safe by simply duplicating the fd, making us
independent of the caller.