None of the package specs leave leftover files in the source directory
anymore, so let's stop using BuildSourcesEphemeral=yes and check in CI
that we don't regress.
Let's stop using BuildSourcesEphemeral= and instead make sure we don't
generate any auxiliary files during the mkosi build process.
We achieve this through a combination of trap to remove any new files
we create and bind mounts from /tmp over existing files whenever we need
to modify an existing file.
We also add a CI step to ensure we don't regress
Currently, if you boot PID 1 in a container you always see a complaint
that BPF LSM won't work. That's fine, and log worthy, but probably not
above debug level. After all this is a really common case, and we should
gracefully adopt to our execution environment.
* 38b41a729e Clean up debuginfo files as well in %clean
* 7bc5883654 Fix missing question mark
* d22561d59e Also drop auxiliary files related to sysusers compat
* e825459f2d Change python-zstd depenedency to python-zstandard
* 0a3907745e Version 257.4
* 1bdfa29ce2 Neuter sysusers macros
Boolean values have to be handled separately for RestrictNamespaces=
because
they get stored in a field with reverse meaning (which namespaces are
retained),
so let's check which field we're parsing and set the proper value
accordingly.
https://github.com/systemd/systemd/pull/32941
added support for firecracker/cloud-hypervisor and
their unix-domain socket to AF_VSOCK multiplex.
but I forgot to add the pattern in the ssh config drop-in.
fix it now!
We only consider something not a tty if it's not connected to a tty
and not connected to /dev/null, so let's use the environment variable
instead to tell machinectl shell that it shouldn't do any of its TTY
stuff.
tianocore does some weird shit with its terminal emulation and regular
fills half the terminal with grey background and then invokes us with
this not cleared up. Hence let us clear this up for it: as part of the
ansi sequence based reset let's position the cursor explicitly at the
beginning of the current line, and erase everything till the end of the
screen. This makes boot output in tianocore vms much much cleaner.
Note that this does *not* erase any terminal output *before* the cursor
position where we take over, because that typically contains valuable
information still we should not erase.
@poettering hrm, there's still one thing unclear to me: we currently
have no way for canceling factory reset via IPC. And adding that to
varlink service solely doesn't seem feasible either, since the state
departs from the active state of `factory-reset.target` and it would
become impossible to re-request it without restarting
`factory-reset.target` _and all dependencies_, which feels
unmaintainable.
Boolean values have to be handled separately for RestrictNamespaces= because
they get stored in a field with reverse meaning (which namespaces are retained),
so let's check which field we're parsing and set the proper value accordingly.
At the moment the gpt-auto generator does its things we already
transitioned into the host OS, i.e. the root fs and /usr/ are mounted.
Hence suppress image policy checks for those two partitions.
This actually matters, because the root hash/usr hash is taken into
consideration for the image policy checks, but we don't have that in
gpt-auto and hence would refuse operation claiming policy conflicts
event though we never actually operate on the root fs via the dissection
logic.
The partition enumeration only runs on the main system, and we test that
early, hence no point in repeating this in functions further down the
call chain. But let's keep it in place as assert()s, just in case.
Also, move the top-level in_initrd() into add_mounts(), so that the
tests are nicely encapsulated in the code they protect.
This new helper patches a provide image policy, setting the policy for
specified designators to "ignore".
This is useful for contexts where we only want to mount some subset of
the available partitions, and hence don't care about the parts of the
policy that cover the others. Specifically this is useful in
systemd-gpt-auto-generator, which runs at a moment the root file system
is already established, and hence the policy for the root file system
can be ignored, the facts are already established.
* 4ab2a9e539 Drop old self-Obsoletes and provides
* ec182495e7 Drop libbpf versioned dependency version to 1.4.7
* 1f8d2b0ebd Make self-obsoletes for the sysusers split conditional
* 0d95af264f Include epoch in versioned libbpf dependency
* 8230f501b6 Make sure we pull in libbpf >= 1.5.0 if libbpf is installed
Prompted by 45623d4ad6
We do make use of the os-release ids to determine whether to initial resume
if they're present, hence log at warning level if invalid. While at it,
raise the level for the kernel version too, which is generally interesting
to the user if something goes wrong.
First of all, it seems very unlikely that we'd be in the pending state
if not booted via EFI in the first place. Moreover, the operation didn't
work out, hence let's not spurious report success.
It is strictly mandatory that this is done during initial
transaction, and not later when the system is already running.
Hence let's refuse manual start for all of the involved units.
Additionally, refuse manual stop for systemd-factory-reset-complete.service,
as it flags the factory reset completion through
/run/systemd/factory-reset-complete, which never gets removed
for the whole boot.
If all transfer definitions are features and disabled, a wrong error
is reported that there are no transfer definitions.
This breaks the features and vaccum verb, as they work on disabled
features, too.
