v254 batch up to b858433a79633bdef1ebea7d5ea4cc2585dcbaab #472
bluca merged 74 commits into systemd:v254-stable from
Prompted by: systemd/systemd#27890 (comment) (cherry picked from commit f96a32c)
Let's clarify more explicitly that privileged calls to systemd-notify --pid= and sd_pid_notify() effectively override any configured NotifyAccess=main|exec for a service. (cherry picked from commit bbe9e03) (cherry picked from commit 9b186fc) (cherry picked from commit 196bd85) (cherry picked from commit e10bf30)
Unfortunately kernel reports EOF if there's an inconsistency between efivarfs var list and what's actually stored in firmware, c.f. #34304. A zero size env var is not allowed in efi and hence the variable doesn't really exist in the backing store as long as it is zero sized, and the kernel calls this "uncommitted". Hence we translate EOF back to ENOENT here, as with kernel behavior before torvalds/linux@3fab70c. If the kernel changes behaviour (to flush dentries on resume), we can drop this at some point in the future. But note that the commit is 11 years old at this point so we'll need to deal with the current behaviour for a long time. Fix #34304. (cherry picked from commit 6013dee) (cherry picked from commit 87df05b) (cherry picked from commit 537b527) (cherry picked from commit 7ab4191)
…ANTS=
Let's consider the following udev rules:
===
PROGRAM="/usr/bin/systemd-escape foo-bar-baz", ENV{SYSTEMD_WANTS}+="test1@$result.service"
PROGRAM="/usr/bin/systemd-escape aaa-bbb-ccc", ENV{SYSTEMD_WANTS}+="test2@$result.service"
===
Then, a device expectedly gains a property:
===
SYSTEMD_WANTS=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
===
After the event being processed by udevd, PID1 processes the device, the
property previously was parsed with extract_first_word(EXTRACT_UNQUOTE),
then the device unit gained the following dependencies:
===
Wants=test1@foox2dbarx2dbaz.service test2@aaax2dbbbx2dccc.service
===
So both '%i' and '%I' for the template services did not match with the original
data, and it was hard to use systemd-escape in PROGRAM= udev rule token.
This makes the property parsed with extract_first_word(EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE),
hence the device unit now gains the following dependencies:
===
Wants=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
===
and '%I' for the template services match with the original data.
Fixes a bug caused by ceed8f0 (v233).
Fixes #16735.
Replaces #16737 and #35768.
(cherry picked from commit a467358)
(cherry picked from commit 0c1daaf)
(cherry picked from commit cfa5775)
(cherry picked from commit a783d12)
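The parsing difference described in the commit message above, as an added example that is not part of the pull request or of systemd's code. It is a simplified word splitter standing in for extract_first_word() (the names next_word, word_at and SAMPLE are hypothetical), run over the SYSTEMD_WANTS value with and without retaining escapes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Simplified model (an assumption, not systemd's extract_first_word()):
 * split on blanks, strip '...' and "..." quotes, and let '\' escape the next
 * character. retain_escape keeps that backslash in the output, which is the
 * effect of EXTRACT_RETAIN_ESCAPE; without it the backslash is dropped. */
static bool next_word(const char **p, bool retain_escape, char *out, size_t n) {
    const char *s = *p;
    size_t len = 0;
    char quote = 0;
    while (*s == ' ' || *s == '\t')
        s++;
    if (!*s)
        return false;
    for (; *s && (quote || (*s != ' ' && *s != '\t')); s++) {
        if (*s == '\\' && s[1]) {
            if (retain_escape && len + 1 < n)
                out[len++] = '\\';
            s++; /* the escaped character itself is copied below */
        } else if (quote ? *s == quote : (*s == '"' || *s == '\'')) {
            quote = quote ? 0 : *s; /* opening or closing quote, not copied */
            continue;
        }
        if (len + 1 < n)
            out[len++] = *s;
    }
    out[len] = '\0';
    *p = s;
    return true;
}

/* Return word number idx (0-based) of a property value, or NULL. */
static const char *word_at(const char *v, int idx, bool retain, char *buf, size_t n) {
    for (int i = 0; next_word(&v, retain, buf, n); i++)
        if (i == idx)
            return buf;
    return NULL;
}

/* Constructed sample: the SYSTEMD_WANTS value from the commit message. */
static const char SAMPLE[] =
    "test1@foo\\x2dbar\\x2dbaz.service test2@aaa\\x2dbbb\\x2dccc.service";

int main(void) {
    char buf[128];
    for (int retain = 0; retain <= 1; retain++)
        for (int i = 0; word_at(SAMPLE, i, retain, buf, sizeof buf); i++)
            printf("retain_escape=%d Wants=%s\n", retain, buf);
}
```

Without retained escapes the instance name no longer round-trips through systemd-escape, which is why '%i' and '%I' stopped matching the original data.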
This was added originally as it was thought that Windows applied the same cap. Nowadays the specs do not mention it, and it is believed Windows no longer applies it either, so drop it in order to allow an arbitrary number of DTBs to be included. Fixes systemd/systemd#35943 (cherry picked from commit 8c5b359) (cherry picked from commit 9518481) (cherry picked from commit 5cbe2b8) (cherry picked from commit e79cea6)
We were missing one service result (oom-kill), and the ratelimit one is called differently. Correct that so that we generate proper log messages for these cases. (cherry picked from commit a7620f5) (cherry picked from commit 13ce2fd) (cherry picked from commit dbc791b) (cherry picked from commit 760afe6)
Follow-up for 656bbff The commit reworked job merging logic so that reload jobs won't get merged. However, they might get dropped from transaction due to being deemed redundant, i.e. way before it even hits job_install(). Let's make sure reload jobs are always kept during transaction construction stage, too. (cherry picked from commit 7b940d8) (cherry picked from commit 1e7b1ce) (cherry picked from commit d770304) (cherry picked from commit 42082ed)
Fixes the following error:
```
../src/basic/random-util.c: In function "fallback_random_bytes":
../src/basic/random-util.c:45:26: error: initializer-string for array of "char" is too long [-Werror=unterminated-string-initialization]
45 | .label = "systemd fallback random bytes v1",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
```
(cherry picked from commit e722fe7)
(cherry picked from commit 8f2f04b)
(cherry picked from commit 57d2446)
(cherry picked from commit 85eafb5)
legionus/kbd#127 adds a Georgian mapping to kbd. console-setup already has one. Let's support it here, so it's used for Georgian installs on distros that use this table. Signed-off-by: Adam Williamson <awilliam@redhat.com> (cherry picked from commit f89d4c5) (cherry picked from commit 52b5a79) (cherry picked from commit c9e1a4a) (cherry picked from commit 48fd2d3)
This is printed by bus_manager_log_shutdown() in logind-dbus.c, near the start of the shutdown process. Clarify that events *will* happen, long after this message is sent. (cherry picked from commit 6c45c5a) (cherry picked from commit 6936658) (cherry picked from commit c25f8b9) (cherry picked from commit 8b516d4)
The UKI file has to be writable to be able to do boot counting in the UEFI firmware which involves renaming the file by writing to the file metadata which requires the file to be writable in the FAT filesystem. Fixes #36170 (cherry picked from commit 0e470e1) (cherry picked from commit 7358b67) (cherry picked from commit dcffc79) (cherry picked from commit 9d0ad1a)
errno handling for NSS is always a bit weird since NSS modules generally are not particularly careful with it. Hence let's initialize errno explicitly before we invoke getpwent() so that we know it's in a reasonable state afterwards on failure, or zero if not. We do this in most places we use NSS, including in userdb when it comes to getgrent(), just for getpwent() we don't so far. Address that. (cherry picked from commit 83e3b96) (cherry picked from commit 4fc9748) (cherry picked from commit 443dbf4) (cherry picked from commit c1d49aa)
Give access to USB/Bluetooth lights such as the Logitech Litra family of devices. The Logitech devices in particular are accessible through USB and Bluetooth. (cherry picked from commit 106f64c) (cherry picked from commit 2e14f59) (cherry picked from commit 3b5543a) (cherry picked from commit ac023ef)
When hardlink recreation is requested, it creates temporary files that will be deleted once the context is destroyed. The deletion (potentially) updates the directory's timestamps, so it's crucial that the deletion happens before the directory timestamps are restored when `COPY_RESTORE_DIRECTORY_TIMESTAMPS` is requested. (cherry picked from commit b662914) (cherry picked from commit 9e2ba7e) (cherry picked from commit 9ade693) (cherry picked from commit 0ef8791)
…Y=1 when notify-reload
Follow-up for 3bd28bf
SERVICE_RELOAD_SIGNAL state can only be reached via explicit reload jobs, and we have a clear distinction between that and plain RELOADING=1 notifications, the latter of which is issued by clients doing reload outside of our job engine. I.e. upon SERVICE_RELOAD_SIGNAL + RELOADING=1 we don't propagate reload jobs again, since that's done during transaction construction stage already. The handling of combined RELOADING=1 + READY=1 so far is bogus however, as it tries to propagate duplicate reload jobs. Amend this by following the logic for standalone RELOADING=1. (cherry picked from commit c337a13) (cherry picked from commit aef4add) (cherry picked from commit 7e6e8b3) (cherry picked from commit f6b973d)
fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when calling ask_password_auto(), suggesting that a key by this name can be read from the kernel keyring. But the keyring is never opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set. Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted setup of encrypted volumes with FIDO2. If the PIN turns out to be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying and possible lockout. (cherry picked from commit 505c2f2) (cherry picked from commit f2054b8) (cherry picked from commit 012cde1) (cherry picked from commit 993f1e9)
…ocked
In various scenarios we invoke containers with access to the kernel keyring blocked. Let's make sure we can handle this properly: when the invocation ID is stored in the kernel keyring and we try to read it and get EPERM we should handle it gracefully, like EOPNOTSUPP. (cherry picked from commit f2e38b0) (cherry picked from commit a2abc3b) (cherry picked from commit 9cd3101) (cherry picked from commit e52806d)
The test expects _not_ to find the patterns but the run_and_grep would still print 'FAIL:' message. Use the dedicated -n option that inverts the semantics cleaner than shell's !. (cherry picked from commit c4b7596) (cherry picked from commit f45b42e) (cherry picked from commit 63725bc) (cherry picked from commit ec3def8)
Import the new key from https://data.iana.org/root-anchors/root-anchors.xml. The old one remains valid, as per provided data. Fixes: #36260 (cherry picked from commit 8113361) (cherry picked from commit 961e351) (cherry picked from commit 6cb60bb) (cherry picked from commit 6a97871)
If we use TCP fastopen to connect to a DNS server via TCP, and it responds really quickly between our connection attempt and our immediate check back, then we have not identified the peer yet, and will not be able to use the peer metadata to fill in our packet info. Let's fix that, and simply not read from the socket until identification is complete. Fixes: #34956 (cherry picked from commit facc943) (cherry picked from commit 11da527) (cherry picked from commit 9bf15a2) (cherry picked from commit e22b61d)
```
/usr/bin/pacman-key: line 31: /usr/share/makepkg/util/message.sh: No such file or directory
/usr/bin/pacman-key: line 32: /usr/share/makepkg/util/parseopts.sh: No such file or directory
/usr/bin/pacman-key: line 620: parseopts: command not found
```
(cherry picked from commit 66ffce7)
```
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/runner/work/_actions/systemd/mkosi/bbe715f42911f9660712377a5b39335b9391ae22/mkosi/__main__.py", line 60, in <module>
    main()
  File "/usr/lib/python3.12/contextlib.py", line 81, in inner
    return func(*args, **kwds)
           ^^^^^^^^^^^^^^^^^^^
  File "/home/runner/work/_actions/systemd/mkosi/bbe715f42911f9660712377a5b39335b9391ae22/mkosi/__main__.py", line 52, in main
    run_verb(args, images)
  File "/home/runner/work/_actions/systemd/mkosi/bbe715f42911f9660712377a5b39335b9391ae22/mkosi/__init__.py", line 2789, in run_verb
    become_root()
  File "/home/runner/work/_actions/systemd/mkosi/bbe715f42911f9660712377a5b39335b9391ae22/mkosi/run.py", line 125, in become_root
    os.setresuid(0, 0, 0)
PermissionError: [Errno 1] Operation not permitted
```
(cherry picked from commit f47a460)
No longer pulled in by default (cherry picked from commit f30d2ff)
…v bug (cherry picked from commit 87acfc7)
/usr/lib/systemd/systemd: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory (cherry picked from commit 6fdd047)
F39 doesn't build anymore:
```
GPG key at https://fedoraproject.org/fedora.gpg (0x31645531) is already installed
Public key for filesystem-3.18-6.fc39.x86_64.rpm is not installed. Failing package is: filesystem-3.18-6.fc39.x86_64
 GPG Keys are configured as: https://fedoraproject.org/fedora.gpg
Public key for setup-2.14.4-1.fc39.noarch.rpm is not installed. Failing package is: setup-2.14.4-1.fc39.noarch
 GPG Keys are configured as: https://fedoraproject.org/fedora.gpg
The GPG keys listed for the "updates" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: fedora-gpg-keys-39-2.noarch
 GPG Keys are configured as: https://fedoraproject.org/fedora.gpg
Public key for fedora-release-39-36.noarch.rpm is not installed. Failing package is: fedora-release-39-36.noarch
 GPG Keys are configured as: https://fedoraproject.org/fedora.gpg
Public key for fedora-release-common-39-36.noarch.rpm is not installed. Failing package is: fedora-release-common-39-36.noarch
 GPG Keys are configured as: https://fedoraproject.org/fedora.gpg
Public key for fedora-release-identity-basic-39-36.noarch.rpm is not installed. Failing package is: fedora-release-identity-basic-39-36.noarch
 GPG Keys are configured as: https://fedoraproject.org/fedora.gpg
Public key for fedora-repos-39-2.noarch.rpm is not installed. Failing package is: fedora-repos-39-2.noarch
 GPG Keys are configured as: https://fedoraproject.org/fedora.gpg
Error: GPG check FAILED
```
These are throw-away CI images, so just skip the checks
(cherry picked from commit 44a978a)
Now, ubuntu-24.04 has mold-2.30.0+dfsg-1build1 . See https://packages.ubuntu.com/noble/mold .
Otherwise mkosi tries to change user and fails
No description provided.