Commit message (Author, Age, Files, Lines)
* Revert "ci: turn off the "upstream-systemd-ci" ppa" [revert-16460-turn-off-ubuntu-ppa] (Evgeny Vereshchagin, 2020-07-15, 1 file, -1/+1)
| This reverts commit d4ff79bbe1f33fb17e7add3bd520c08f405a79b1.
* ci: turn off the "upstream-systemd-ci" ppa (Evgeny Vereshchagin, 2020-07-14, 1 file, -1/+1)
| Judging by https://launchpad.net/~upstream-systemd-ci/+archive/ubuntu/systemd-ci/+packages, it got updated
| about 15 hours ago and the "build check" action has been failing with
| ```
| The following packages have unmet dependencies:
| kbd : Depends: console-setup but it is not going to be installed or
| E: Unable to correct problems, you have held broken packages.
| console-setup-mini but it is not going to be installed
| ```
| since then
* Merge pull request #16340 from keszybz/var-tmp-readonly (Zbigniew Jędrzejewski-Szmek, 2020-07-14, 7 files, -167/+254)
|\
| | Create ro private /var/tmp dir when /var/tmp is read-only
| * pid1: create ro private tmp dirs when /tmp or /var/tmp is read-only (Zbigniew Jędrzejewski-Szmek, 2020-07-14, 6 files, -125/+174)
| | Read-only /var/tmp is more likely, because it's backed by a real device. /tmp is (by default) backed by tmpfs, but it doesn't have to be. In both cases the same consideration applies.
| |
| | If we boot with read-only /var/tmp, any unit with PrivateTmp=yes would fail because we cannot create the subdir under /var/tmp to mount the private directory. But many services actually don't require /var/tmp (either because they only use it occasionally, or because they only use /tmp, or even because they don't use the temporary directories at all, and PrivateTmp=yes is used to isolate them from the rest of the system).
| |
| | To handle both cases let's create a read-only directory under /run/systemd and mount it as the private /tmp or /var/tmp. (Read-only to not fool the service into dumping too much data in /run.)
| |
| |   $ sudo systemd-run -t -p PrivateTmp=yes bash
| |   Running as unit: run-u14.service
| |   Press ^] three times within 1s to disconnect TTY.
| |   [root@workstation /]# ls -l /tmp/
| |   total 0
| |   [root@workstation /]# ls -l /var/tmp/
| |   total 0
| |   [root@workstation /]# touch /tmp/f
| |   [root@workstation /]# touch /var/tmp/f
| |   touch: cannot touch '/var/tmp/f': Read-only file system
| |
| | This commit has more changes than I like to put in one commit, but it's touching all the same paths so it's hard to split.
| |
| | exec_runtime_make() was using the wrong cleanup function, so the directory would be left behind on error.
| * core: wrap some long lines and other formatting changes (Zbigniew Jędrzejewski-Szmek, 2020-07-08, 2 files, -42/+80)
| |
* | Merge pull request #16430 from mikhailnov/fix-rpm-create-package-macros (Zbigniew Jędrzejewski-Szmek, 2020-07-14, 1 file, -5/+5)
|\ \
| | | Fix RPM *_create_package macros
| * | rpm: avoid hiding errors and output in *_create_package macros (Mikhail Novosyolov, 2020-07-11, 1 file, -2/+2)
| | | Commit b0ca726585 "rpm: avoid hiding errors from systemd commands" removed hiding errors and output for other macros, but did not do that for %sysusers_create_package and %tmpfiles_create_package.
| | |
| | | This change syncs their behaviour with %sysusers_create and %tmpfiles_create
| | |
| | | Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
| * | rpm: avoid odd symbols in EOF indicator (Mikhail Novosyolov, 2020-07-11, 1 file, -3/+3)
| | | The last line in this macros was actually "SYSTEMD_INLINE_EOF " with a space at the end, but the shell was instructed to look for a line without space.
| | |
| | | Macros %sysusers_create_inline and %tmpfiles_create_inline did not have this mistake.
| | |
| | | An example:
| | |
| | |   [root@rosa-2019 bind-server]# cat /etc/passwd | grep named
| | |   [root@rosa-2019 bind-server]# cat /tmp/bs
| | |   systemd-sysusers --replace=/usr/lib/sysusers.d/named.conf - <<SYSTEMD_INLINE_EOF >/dev/null 2>&1 || :
| | |   u named - "BIND DNS Server" /var/lib/named
| | |   g named - -
| | |   m named named
| | |   SYSTEMD_INLINE_EOF 
| | |   [root@rosa-2019 bind-server]# sh /tmp/bs
| | |   /tmp/bs: line 5: warning: here-document at line 1 delimited by end-of-file (wanted `SYSTEMD_INLINE_EOF')
| | |   [root@rosa-2019 bind-server]# bash /tmp/bs
| | |   /tmp/bs: line 5: warning: here-document at line 1 delimited by end-of-file (wanted `SYSTEMD_INLINE_EOF')
| | |   [root@rosa-2019 bind-server]# bash --version
| | |   GNU bash, version 5.0.17(1)-release (x86_64-openmandriva-linux-gnu)
| | |
| | | The user and group named were NOT created!
| | |
| | | Now I remove the trailing space after "SYSTEMD_INLINE_EOF" and rerun:
| | |
| | |   [root@rosa-2019 bind-server]# sh /tmp/bs
| | |   [root@rosa-2019 bind-server]# tail -n 1 /etc/group
| | |   named:x:485:named
| | |   [root@rosa-2019 bind-server]#
| | |
| | | The user and group have been created correctly.
| | |
| | | Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
* | | update TODO (Lennart Poettering, 2020-07-14, 1 file, -0/+4)
| | |
* | | analyze: make testing ConditionPathExistsGlob= work (Lennart Poettering, 2020-07-14, 1 file, -2/+5)
| | | Fixes: #16439
| | | Alternative-To: #16440
* | | update TODO (Lennart Poettering, 2020-07-14, 1 file, -3/+0)
| | |
* | | udevadm: beef up deprecation log warning (Lennart Poettering, 2020-07-14, 3 files, -34/+89)
| | | Let's add a catalog entry explaining further details.
| | |
| | | Most importantly though: talk to PID 1 directly, via the private D-Bus socket, so that this actually works correctly during early boot, where D-Bus is not around.
* | | meson: do not install testdata when -Dinstall-tests=false (Zbigniew Jędrzejewski-Szmek, 2020-07-14, 1 file, -49/+51)
| | | Fixes #16447.
* | | Update .clang-format (szb512, 2020-07-13, 1 file, -1/+1)
| | |
* | | Make the instructions slightly easier to read (szb512, 2020-07-13, 1 file, -3/+3)
| | |
* | | Merge pull request #16437 from systemd/coverity-gcc-10 (Evgeny Vereshchagin, 2020-07-13, 2 files, -3/+3)
|\ \ \
| | | | coverity: switch back to Fedora 31
| * | | coverity: install systemd (Evgeny Vereshchagin, 2020-07-12, 1 file, -2/+2)
| | | | Apparently systemd is no longer installed in fedora containers by default
| | | | ```
| | | | docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"/sbin/init\": stat /sbin/init: no such file or directory": unknown.
| | | | The command "$CI_MANAGERS/fedora.sh SETUP" failed and exited with 127 during .
| | | | ```
| * | | coverity: switch back to Fedora 31 (Evgeny Vereshchagin, 2020-07-12, 1 file, -1/+1)
|/ / /
| | | Apparently 6 days ago fedora:latest started to point to fedora:32, which comes with gcc-10. Coverity doesn't support it yet.
* | | repart: include more relevant information in the warning message, fix test (Zbigniew Jędrzejewski-Szmek, 2020-07-13, 2 files, -12/+12)
| | | The test would always fail with a long uname. In F33 this is right now "5.8.0-0.rc2.20200622git625d3449788f.1.fc33.x86_64" which caused the test to always fail.
* | | Merge pull request #16435 from gaoyi1988/master (Yu Watanabe, 2020-07-12, 2 files, -0/+16)
|\ \ \
| | | | fix multi matches when use "||"
| * | | test: add test case for multi matches when use "||" (gaoyi, 2020-07-12, 1 file, -0/+11)
| | | | Signed-off-by: gaoyi <ymuemc@163.com>
| * | | udev: specify the end of value (gaoyi, 2020-07-12, 1 file, -0/+5)
| | | | NULSTR_FOREACH may read the illegal match
| | | |
| | | | Signed-off-by: gaoyi <ymuemc@163.com>
* | | | NEWS: mention source mode for MACVLAN or MACVTAP (Yu Watanabe, 2020-07-12, 1 file, -0/+3)
| | | |
* | | | Merge pull request #16432 from cgzones/selinux_err_fix (Zbigniew Jędrzejewski-Szmek, 2020-07-12, 2 files, -3/+3)
|\ \ \ \
| |/ / /
|/| | | SELinux followup error/logging fixes
| * | | namespace: unify logging in mount_tmpfs (Christian Göttsche, 2020-07-11, 1 file, -1/+1)
| | | | Fixes: abad72be4df9d5a13ceecd5b4d073adb370882b7
| | | | Follow up: #16426
| * | | shared: fix error handling in make_inaccessible_nodes (Christian Göttsche, 2020-07-11, 1 file, -2/+2)
| |/ /
| | | _label wrappers return -errno on failure instead of returning -1 and setting global errno.
| | |
| | | Fixes: 8d9cbd809db492df9d94c0c664bd0d2e53416531
| | | Follow up: #16426
* | | bus: use bus_log_parse_error to print message (fangxiuning, 2020-07-12, 4 files, -4/+4)
|/ /
* | Merge pull request #16424 from keszybz/cap-bpf-compat (Zbigniew Jędrzejewski-Szmek, 2020-07-11, 6 files, -37/+30)
|\ \
| | | Handle new capabilities gracefully
| * | basic/cap-list: reduce scope of variables (Zbigniew Jędrzejewski-Szmek, 2020-07-10, 2 files, -7/+3)
| | |
| * | basic/capability-util: let cap_last_cap() return unsigned integer (Zbigniew Jędrzejewski-Szmek, 2020-07-10, 5 files, -27/+18)
| | | We never return anything higher than 63, so using "long unsigned" as the type only confused the reader. (We can still use "long unsigned" and safe_atolu() to parse the kernel file.)
| * | basic/cap-list: parse/print numerical capabilities (Zbigniew Jędrzejewski-Szmek, 2020-07-10, 2 files, -4/+10)
| | | We would refuse to print capabilities which we didn't have a name for. The kernel adds new capabilities from time to time, most recently cap_bpf. 'systemctl show -p CapabilityBoundingSet ...' would fail with "Failed to parse bus message: Invalid argument" because capability_set_to_string_alloc() would fail with -EINVAL.
| | |
| | | So let's print such capabilities in hexadecimal:
| | |
| | |   CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a ...
| | |
| | | For symmetry, also allow capabilities that we don't know to be specified.
| | |
| | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.
* | | Merge pull request #16426 from cgzones/run_user_label (Zbigniew Jędrzejewski-Szmek, 2020-07-11, 4 files, -6/+35)
|\ \ \
| | | | selinux: create standard user-runtime nodes with default context
| * | | namespace: fix MAC labels of TemporaryFileSystem= (Christian Göttsche, 2020-07-11, 1 file, -4/+12)
| | | | Reproducible with:
| | | |   systemd-run -p TemporaryFileSystem=/root -t /bin/bash
| | | |   ls -dZ /root
| | | |
| | | | Prior:
| | | |   root:object_r:tmpfs_t:s0 /root
| | | | Past:
| | | |   root:object_r:user_home_dir_t:s0 /root
| * | | selinux: create standard user-runtime nodes with default context (Christian Göttsche, 2020-07-10, 1 file, -2/+2)
| | | | Currently systemd-user-runtime-dir does not create the files in /run/user/$UID/systemd/inaccessible with the default SELinux label. The user and role part of these labels should be based on the user related to $UID and not based on the process context of systemd-user-runtime-dir.
| | | |
| | | | Since v246-rc1 (9664be199af6) /run/user/$UID/systemd is also created by systemd-user-runtime-dir and should also be created with the default SELinux context.
| * | | basic: add helper function mknod_label() (Christian Göttsche, 2020-07-10, 2 files, -0/+21)
| | | |
* | | | man: fix some manvolnum (Anita Zhang, 2020-07-11, 21 files, -24/+24)
|/ / /
* | | NEWS: grammar improvements (#16413) (Clinton Roy, 2020-07-10, 1 file, -8/+8)
| | |
* | | Added MSI Prestige15 A10SC specific keycodes (Filippo Falezza, 2020-07-10, 1 file, -0/+5)
| | | This commit enables the microphone mute button and the screen rotate button, even if the latter is improperly linked. I have documented how to achieve this in https://wiki.archlinux.org/index.php/MSI_P15#Fn_Keys .
* | | Add support for HP Elitebook x360 1040 G6 micmute button (Surhud More, 2020-07-10, 1 file, -0/+2)
| | |
* | | Explain how to determine hierarchy type from shell (Florian Mayer, 2020-07-10, 1 file, -0/+2)
| | | This makes it easier for people than just recommending the syscall.
* | | install: fix wrong data type (fangxiuning, 2020-07-10, 2 files, -2/+2)
| | |
* | | NEWS: drop duplicate entry, add --image= entry (Lennart Poettering, 2020-07-10, 1 file, -9/+4)
|/ /
* | NEWS: add date [v246-rc1] (Zbigniew Jędrzejewski-Szmek, 2020-07-09, 1 file, -0/+2)
| |
* | userdb: fix dlopen call (Zbigniew Jędrzejewski-Szmek, 2020-07-09, 1 file, -1/+1)
| | The call would always fail with:
| |   systemd-userwork[780]: Failed to dlopen(libnss_systemd.so.2), ignoring: /usr/lib64libnss_systemd.so.2: cannot open shared object file: No such file or directory
* | Merge pull request #16411 from ddstreet/bridge_without_carrier_fails (Yu Watanabe, 2020-07-09, 1 file, -4/+2)
|\ \
| | | Bridge without carrier fails
| * | test-network: in test_bridge_configure_without_carrier, avoid strange test failures (Dan Streetman, 2020-07-08, 1 file, -3/+2)
| | | For some reason the wait-online is failing intermittently; it's unclear exactly why, but this hopefully avoids the failure for unrelated PR.
| | |
| | | This is a workaround (not fix) for #16105
| * | test-network: don't print networkctl output for passing subtests (Dan Streetman, 2020-07-08, 1 file, -1/+0)
| | | This just clutters up the logs.
* | | NEWS: add blurb about os-release and $container_host_* (Zbigniew Jędrzejewski-Szmek, 2020-07-09, 1 file, -0/+8)
| | |
* | | Merge pull request #15891 from bluca/host_os_release (Zbigniew Jędrzejewski-Szmek, 2020-07-08, 13 files, -84/+153)
|\ \ \
| | | | Container Interface: expose the host's os-release metadata to nspawn and portable guests
| * | | portabled: implement container host os-release interface (Luca Boccassi, 2020-06-23, 1 file, -0/+1)
| | | |