Drop two patches with workaround (selinux, kernel)
parent
593a204189
commit
db38445a7e
3 changed files with 1 additions and 142 deletions
@ -1,69 +0,0 @@
From 0792bb7a9d25a1ab8a5f208f2f5cea8a362dc1c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 10 Jan 2025 17:00:08 +0100
Subject: [PATCH] Revert "units: use PrivateTmp=disconnected instead of 'yes'
if DefaultDependencies=no"
This reverts commit 1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5.
---
units/systemd-coredump@.service.in | 2 +-
units/systemd-oomd.service.in | 2 +-
units/systemd-resolved.service.in | 2 +-
units/systemd-timesyncd.service.in | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index c74dc7a5a1..fa3206d07b 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -26,7 +26,7 @@ NoNewPrivileges=yes
OOMScoreAdjust=500
PrivateDevices=yes
PrivateNetwork=yes
-PrivateTmp=disconnected
+PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in
index 670d5e6140..82bd6245f8 100644
--- a/units/systemd-oomd.service.in
+++ b/units/systemd-oomd.service.in
@@ -37,7 +37,7 @@ MemoryLow=64M
NoNewPrivileges=yes
OOMScoreAdjust=-900
PrivateDevices=yes
-PrivateTmp=disconnected
+PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectHostname=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index e181b2528a..4aa0788ac4 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -29,7 +29,7 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
-PrivateTmp=disconnected
+PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 835d6327e7..cf233fbffd 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -31,7 +31,7 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
-PrivateTmp=disconnected
+PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
--
2.47.1
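--- a/38724.patch
+++ b/38724.patch
@@ -1,64 +0,0 @@
-From 5bc3a82e81355a0aa1fd25bb6232145f868fac12 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 26 Aug 2025 15:00:02 +0200
-Subject: [PATCH] debug: disable ioctl(PIDFD_GET_INFO)
-
-In https://bodhi.fedoraproject.org/updates/FEDORA-2025-a0ce059969 it was
-reported that the tests fail:
-
-> Rootless podman tests all show something like this eventually
->
-> OCI runtime error: crun: join keyctl `7509a871d2ab7df6549f5cb5bd2d4daf990cc45c0022f116bd0882966ae53f30`: Disk quota exceeded
->
-> Each container creates its own keyring but I assume they get leaked so at one
-> point we run our of available keyrings and all following tests fail like
-> that. Given I only see this on this update and from looking at the podman
-> tests logs it only starts happening after we run a bunch of our own systemd
-> services I wonder if systemd maybe leaks keyrings and thus it fails?
-
-After some very tediuos bisecting, I got the answer that
-dcf0ef3f42b0ea12e199540a4088bd582875ddfa is the first bad commit. This doesn't
-make much sense. I thought that maybe the answer is wrong somehow, or the fd we
-pass in has problems, but everything seems to work correctly. Both
-pidfd_get_pid_ioctl and pidfd_get_pid_fdinfo work fine and return the same
-answer. Nevertheless, skipping the call to pidfd_get_pid_ioctl makes the
-problem go away.
-
-bisection recipe:
-1. compile systemd, systemd-executor, pam_systemd:
-$ ninja -C build systemd systemd-executor pam_systemd.so
-(Not all intermediate commits compile :) )
-2. use the compiled manager for the user running the tests:
-# /etc/systemd/system/user@1000.service.d/override.conf
-[Service]
-ExecStart=
-ExecStart=/home/fedora/src/systemd/build/systemd --user
-3. install the new code:
-# cp ~fedora/src/systemd/build/pam_systemd.so /usr/lib64/security/ && systemctl restart user@1000
-3. log out and log in again (via ssh)
-4. run the test:
-$ grep -Ec '[a-f0-9]{64}: empty' /proc/keys && podman run -it fedora date && grep -Ec '[a-f0-9]{64}: empty' /proc/keys
-17
-Tue Aug 26 12:47:44 UTC 2025
-18
-
-It seems that both the pam module and the user manager somehow matter.
-
-This smells like a kernel bug or some strange race condition.
----
-src/basic/pidfd-util.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/basic/pidfd-util.c b/src/basic/pidfd-util.c
-index 9910819aa79d9..b317be267f445 100644
---- a/src/basic/pidfd-util.c
-+++ b/src/basic/pidfd-util.c
-@@ -74,7 +74,7 @@ int pidfd_get_namespace(int fd, unsigned long ns_type_cmd) {
-}
-
-static int pidfd_get_info(int fd, struct pidfd_info *info) {
-- static bool cached_supported = true;
-+ static bool cached_supported = false;
-
-assert(fd >= 0);
-assert(info);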
10
systemd.spec
10
systemd.spec
@ -133,18 +133,10 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch
%if %{without upstream}
# Those are downstream-only patches, but we don't want them in packit builds.
# Temporarily drop use of PrivateTmp=disconnected. This is causing failures
# in various places:
# https://bugzilla.redhat.com/show_bug.cgi?id=2334015
# https://github.com/coreos/fedora-coreos-tracker/issues/1857
Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch
# Create user journals for users with high UIDs
# https://bugzilla.redhat.com/show_bug.cgi?id=2251843
Patch: https://github.com/systemd/systemd/pull/30846.patch
# Workaround for a kernel issue. Fixed in kernel-core-6.17.0-0.rc3.31.fc44.x86_64.
Patch: https://github.com/systemd/systemd/pull/38724.patch
# userdb: create userdb root directory with correct label
# We can drop this after SELinux policy is updated to handle the transition.
Patch: https://github.com/systemd/systemd/pull/38769.patch
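Review bot: Dropping the 38724 workaround re-enables the `ioctl(PIDFD_GET_INFO)` path, but the only record of the kernel it depends on — the `# Workaround for a kernel issue. Fixed in kernel-core-6.17.0-0.rc3.31.fc44.x86_64.` comment — goes away in the same hunk, so a build for a release still shipping an older kernel would silently reintroduce the keyring exhaustion the dropped patch describes. Consider keeping a one-line note next to the remaining `Patch:` lines, e.g. `# pidfd ioctl workaround (PR 38724) dropped; needs kernel-core >= 6.17.0-0.rc3.31.fc44`, or stating the fixed kernel in the changelog so the requirement stays discoverable. The PrivateTmp=disconnected revert is likewise dropped without a pointer to whether bugzilla 2334015 and coreos tracker 1857 were resolved; a short reference in the commit message or a spec comment would make that verifiable. The enclosing `%if %{without upstream}` block continues outside the hunk.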