Previously, we'd name the import services numerically. Let's instead use
the local target file name, i.e. the object we are creating with these
services locally. That's useful so that we can robustely order against
these service instances, should we need to one day.
Previously, one of the io.systemd.Machine.Open() tests would invoke a
command line via machined, and then check if it ran properly. This was
implemented in a racy fashion: the client side would immediately close
the pty fd allocated for the operation, thus triggering an immediate
SIGHUP on the other side. Now, depending whether this client was quicker
in closing or the server was quicker in executing the command line this
was a race.
Fix this comprehensively: let's first wait for the varlink operation to
complete via the new "systemd-notify --fork" logic (because varlinkctl
sends out READY=1 once handing off to --exec). Secondly let's use
varlinkctl's --exec logic to invoke a process which keeps open the open
pty until we kill it (we just use sleep for that).
(Also add some more tests for the varlinkctl --exec stuff)
When the user/customer sets the time on the system which is prior
than that of the systemd build time, as systemd doesn't allow time
before it's build date after a reboot, systemd is resetting it but
there is no error or exception present in the setTime method due
to which user/customer is unaware of why the time is reset back to
the systemd-build time.
Added a condition check in the set_time() method to return an
error when tried to set time past the systemd build date.
Tested: Verified that it throws an error when we try to set the
time prior to systemd build date.
Change-Id: Ia6b58320bdb7234a21885a44af8fd3bda64c3789
Add --join-signature=hash:sig - when a verity signature partition
has been deferred in a previous run, this allows attaching a signature
that was created offline, for example on a build system like OBS where
the private key is not available to the build process.
Can be specified multiple times, the right partition to act upon will
be selected by matching the data+verity partitions UUIDs with the
provided roothash(es)
Add --join-signature=hash:sig - when a verity signature partition
has been deferred in a previous run, this allows attaching a signature
that was created offline, for example on a build system like OBS where
the private key is not available to the build process.
Can be specified multiple times, the right partition to act upon will
be selected by matching the data+verity partitions UUIDs with the
provided roothash(es)
Follow-up for 985ea98e7f.
When DevicePolicy= is enabled, but DeviceAllow= for /dev/net/tun is not
specified, bind-mounting the device node from the host system is
meaningless, as it cannot be used in the container anyway.
Let's check the device node is accessible before creating or
bind-mounting.
We want systemd-pty-forward to be something that can be dropped in
somewhere without too much thought. To enable this, let's make sure
we forward various signals to the forked process. This makes sure that
any signals are delivered to the actual child process regardless of whether
it's running within systemd-pty-forward or not.
09fbff57fc introduced new knob
for such functionality. However, that seems unnecessary.
The mount option string is ubiquitous in that all of fstab,
kernel cmdline, credentials, systemd-mount, ... speak it.
And we already have x-systemd.device-bound= that's parsed
by pid1 instead of fstab-generator. It feels hence more natural
for graceful options to be an extension of that, rather than
its own property.
There's also one nice side effect that the setting itself
is now more graceful for systemd versions not supporting
such feature.
Based on this patch i had submitted to RedHat
(https://issues.redhat.com/browse/RHEL-56280), i am submitting this
patch to this upstream systemd.
There is no way to explicitly enable/disable IPv6 AAAA queries.
Problem was that i am using RHEL9 and some applications does not use a
newer glibc that supports `no-aaaa` option in `/etc/resolv.conf`. So
some applications will still resolve IPv6 AAAA even with `no-aaaa`
option and it is inconsistent across the system where some work and some
don't.
So this systemd-resolved patch catch-all queries and disable IPv6 AAAA
queries for all applications in the OS by having an option
`RefuseRecordTypes=AAAA` to disable IPv6 AAAA queries.
Although https://github.com/systemd/systemd/pull/28136 tries to fix this
automatically but it still does not work with
`net.ipv6.conf.all.disable_ipv6 = 1`. Also tried with explicitly
removing the conditional and force set `family = AF_INET` and still
resolves AAAA records.
The issue is that i want to explicitly disable IPv6 AAAA queries instead
of systemd-resolved to figure out itself which address family it is
using, which always have problems.
This adds --json=MODE option for 'udevadm test' command.
When specified, all messages, except for the final result, will be
written to stderr, and the final result is shown in JSON format to
stdout. It may be useful for parsing the test result.
When '--resolve-names=late', systemd-udevd resolves user/group names
during each event being processed, and does not verify names on parse.
When '--resolve-names=never', systemd-udevd refuses any user/group names
on parse. Hence, the parser of udev rules behaves diffrently. Let's not
convert 'never' -> 'late' silently, and use the specified option as is.
This also updates man page and shell completion for --resolve-names
option.
PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the
denylist of bad actors. That list is pretty much as frequently updated
as firmware these days (as fwupd took over automatic updating). This
means literal PCR 7 policies are problematic: they likely break soon,
and are as brittle as any other literal PCR policies.
hence, pick safer defaults, i.e. exclude PCR 7 from the default mask.
This means the mask is now empty.
Generally, people should really switch to signed PCR policies covering
PCR 11, in combination with systemd-pcrlock for the other PCRs.
There's finally quota on tmpfs, hence let's use it to make it harder for
users to DoS the system by consuming all disk space in /tmp/ and
/dev/shm/.
This enforces a default limit of 80% quota of the backing fs for these
two dirs for users, but this can be overriden in the user record, if
desired.
This also adds two other interesting features:
1. mount units gain GracefulOptions= which takes optional mount options
that are added only if supported by the kernel. (this is used to enable
usrquota on /tmp/, if available.)
2. The PAM logic in service management now supports reading passwords
from service credentials and via the askpw logic. This used for make
testing easy (so that we can run0 into a homed user which strictly
requires a password).
TEST-74-AUX-UTILS covers many subtests, as it's a catch-all job, and a few
need a VM to run. The job is thus marked VM-only. But that means in settings
where we can't run VM tests (no KVM available), the entire thing is skipped,
losing tons of coverage that doesn't need skipping.
Move the VM-only subtests to TEST-87-AUX-UTILS-VM that is configured to only
run in VMs under both runners. This way we keep the existing tests as-is, and
we can add new VM-only tests without worrying. This is how the rest of the
tests are organized.
Follow-up for f4faac2073
Also, when a filename is specified, also search udev rules file in
udev/rules.d directories.
This also refuses non-existing files, and file neither nor a regular
nor a directory, e.g. /dev/null.
systemctl has a --job-mode= argument, and adding the same argument to
systemd-run is useful for starting transient scopes with dependencies.
For example, if a transient scope BindsTo a service that is stopping,
specifying --job-mode=replace will wait for the service to stop before
starting it again, while the default job mode of "fail" will cause the
systemd-run invocation to fail.
systemctl has a --job-mode= argument, and adding the same argument to
systemd-run is useful for starting transient scopes with dependencies.
For example, if a transient scope BindsTo a service that is stopping,
specifying --job-mode=replace will wait for the service to stop before
starting it again, while the default job mode of "fail" will cause the
systemd-run invocation to fail.
Let consider the following udev rules:
```
PROGRAM="/usr/bin/systemd-escape foo-bar-baz", ENV{SYSTEMD_WANTS}+="test1@$result.service"
PROGRAM="/usr/bin/systemd-escape aaa-bbb-ccc", ENV{SYSTEMD_WANTS}+="test2@$result.service"
```
Then, a device expectedly gains a property:
```
SYSTEMD_WANTS=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
```
After the event being processed by udevd, PID1 processes the device, the
property previously was parsed with
`extract_first_word(EXTRACT_UNQUOTE)`, then the device unit gained the
following dependencies:
```
Wants=test1@foox2dbarx2dbaz.servicetest2@aaax2dbbbx2dccc.service
```
So both `%i` and `%I` for the template services did not match with the
original data, and it was hard to use `systemd-escape` in `PROGRAM=`
udev rule token.
This makes the property parsed with
`extract_first_word(EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE)`, hence the
device unit now gains the following dependencies:
```
Wants=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
```
and `%I` for the template services match with the original data.
Fixes a bug caused by ceed8f0c8b (v233).
Fixes#16735.
Replaces #16737 and #35768.
On CentOS Stream 9/10 booting mkosi qemu with --firmware=linux doesn't
add the virtual TPM to the virtual machine which means TEST-74-AUX-UTILS.run.sh
fails because it requires a TPM.
Let's move the systemd-pcrlock logic that requires a TPM to
TEST-70-TPM.pcrlock to avoid the problem.
When doing offline signing we need to know the exact payload
to sign, and the 'calculate' verb doesn't really show that, it
shows the PCR values. But what we sign is the hash of the policy.
So add a new verb that outputs the json payload that goes in the
.pcrsig section, without the .sig object, so that we can take them
and give the .pol object to an offline and asynchronous signing
service, such as SUSE's Open Build Service, and then add the .sig
object to the json and attach it to a UKI.
