diff --git a/0001-test-login-skip-consistency-checks-when-logind-is-no.patch b/0001-test-login-skip-consistency-checks-when-logind-is-no.patch
deleted file mode 100644
index aed3a27..0000000
--- a/0001-test-login-skip-consistency-checks-when-logind-is-no.patch
+++ /dev/null
@@ -1,169 +0,0 @@ -From aee1d734a5034d47005a339ec5b2b39583795039 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 16 Dec 2020 15:56:44 +0100 -Subject: [PATCH] test-login: skip consistency checks when logind is not active -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There are two ways in swich sd_login_* functions acquire data: -some are derived from the cgroup path, but others use the data serialized -by logind. - -When the tests are executed under Fedora's mock, without systemd-spawn -but instead in a traditional chroot, test-login gets confused: -the "outside" cgroup path is visible, so sd_pid_get_unit() and -sd_pid_get_session() work, but sd_session_is_active() and other functions -that need logind data fail. - -Such a buildroot setup is fairly bad, but it can be encountered in the wild, so -let's just skip the tests in that case. - -/* Information printed is from the live system */ -sd_pid_get_unit(0, …) → "session-237.scope" -sd_pid_get_user_unit(0, …) → "n/a" -sd_pid_get_slice(0, …) → "user-1000.slice" -sd_pid_get_session(0, …) → "237" -sd_pid_get_owner_uid(0, …) → 1000 -sd_pid_get_cgroup(0, …) → "/user.slice/user-1000.slice/session-237.scope" -sd_uid_get_display(1000, …) → "(null)" -sd_uid_get_sessions(1000, …) → [0] "" -sd_uid_get_seats(1000, …) → [0] "" -Assertion 'r >= 0' failed at src/libsystemd/sd-login/test-login.c:104, function test_login(). Aborting. 
---- - src/libsystemd/sd-login/test-login.c | 98 +++++++++++++++------------- - 1 file changed, 52 insertions(+), 46 deletions(-) - -diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c -index 5b2ff93e1c..f762b8475b 100644 ---- a/src/libsystemd/sd-login/test-login.c -+++ b/src/libsystemd/sd-login/test-login.c -@@ -112,68 +112,74 @@ static void test_login(void) { - - if (session) { - r = sd_session_is_active(session); -- assert_se(r >= 0); -- log_info("sd_session_is_active(\"%s\") → %s", session, yes_no(r)); -+ if (r == -ENXIO) -+ log_notice("sd_session_is_active failed with ENXIO, it seems logind is not running."); -+ else { -+ /* All those tests will fail with ENXIO, so let's skip them. */ - -- r = sd_session_is_remote(session); -- assert_se(r >= 0); -- log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r)); -+ assert_se(r >= 0); -+ log_info("sd_session_is_active(\"%s\") → %s", session, yes_no(r)); - -- r = sd_session_get_state(session, &state); -- assert_se(r == 0); -- log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state); -+ r = sd_session_is_remote(session); -+ assert_se(r >= 0); -+ log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r)); - -- assert_se(sd_session_get_uid(session, &u) >= 0); -- log_info("sd_session_get_uid(\"%s\") → "UID_FMT, session, u); -- assert_se(u == u2); -+ r = sd_session_get_state(session, &state); -+ assert_se(r == 0); -+ log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state); - -- assert_se(sd_session_get_type(session, &type) >= 0); -- log_info("sd_session_get_type(\"%s\") → \"%s\"", session, type); -+ assert_se(sd_session_get_uid(session, &u) >= 0); -+ log_info("sd_session_get_uid(\"%s\") → "UID_FMT, session, u); -+ assert_se(u == u2); - -- assert_se(sd_session_get_class(session, &class) >= 0); -- log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class); -+ assert_se(sd_session_get_type(session, &type) >= 0); -+ 
log_info("sd_session_get_type(\"%s\") → \"%s\"", session, type); - -- r = sd_session_get_display(session, &display); -- assert_se(IN_SET(r, 0, -ENODATA)); -- log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display)); -+ assert_se(sd_session_get_class(session, &class) >= 0); -+ log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class); - -- r = sd_session_get_remote_user(session, &remote_user); -- assert_se(IN_SET(r, 0, -ENODATA)); -- log_info("sd_session_get_remote_user(\"%s\") → \"%s\"", -- session, strna(remote_user)); -+ r = sd_session_get_display(session, &display); -+ assert_se(IN_SET(r, 0, -ENODATA)); -+ log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display)); - -- r = sd_session_get_remote_host(session, &remote_host); -- assert_se(IN_SET(r, 0, -ENODATA)); -- log_info("sd_session_get_remote_host(\"%s\") → \"%s\"", -- session, strna(remote_host)); -+ r = sd_session_get_remote_user(session, &remote_user); -+ assert_se(IN_SET(r, 0, -ENODATA)); -+ log_info("sd_session_get_remote_user(\"%s\") → \"%s\"", -+ session, strna(remote_user)); - -- r = sd_session_get_seat(session, &seat); -- if (r >= 0) { -- assert_se(seat); -+ r = sd_session_get_remote_host(session, &remote_host); -+ assert_se(IN_SET(r, 0, -ENODATA)); -+ log_info("sd_session_get_remote_host(\"%s\") → \"%s\"", -+ session, strna(remote_host)); - -- log_info("sd_session_get_seat(\"%s\") → \"%s\"", session, seat); -+ r = sd_session_get_seat(session, &seat); -+ if (r >= 0) { -+ assert_se(seat); -+ -+ log_info("sd_session_get_seat(\"%s\") → \"%s\"", session, seat); - - #pragma GCC diagnostic push - #pragma GCC diagnostic ignored "-Wdeprecated-declarations" -- r = sd_seat_can_multi_session(seat); -+ r = sd_seat_can_multi_session(seat); - #pragma GCC diagnostic pop -- assert_se(r == 1); -- log_info("sd_session_can_multi_seat(\"%s\") → %s", seat, yes_no(r)); -+ assert_se(r == 1); -+ log_info("sd_session_can_multi_seat(\"%s\") → %s", seat, yes_no(r)); - -- r = 
sd_seat_can_tty(seat); -- assert_se(r >= 0); -- log_info("sd_session_can_tty(\"%s\") → %s", seat, yes_no(r)); -+ r = sd_seat_can_tty(seat); -+ assert_se(r >= 0); -+ log_info("sd_session_can_tty(\"%s\") → %s", seat, yes_no(r)); - -- r = sd_seat_can_graphical(seat); -- assert_se(r >= 0); -- log_info("sd_session_can_graphical(\"%s\") → %s", seat, yes_no(r)); -- } else { -- log_info_errno(r, "sd_session_get_seat(\"%s\"): %m", session); -- assert_se(r == -ENODATA); -+ r = sd_seat_can_graphical(seat); -+ assert_se(r >= 0); -+ log_info("sd_session_can_graphical(\"%s\") → %s", seat, yes_no(r)); -+ } else { -+ log_info_errno(r, "sd_session_get_seat(\"%s\"): %m", session); -+ assert_se(r == -ENODATA); -+ } -+ -+ assert_se(sd_uid_get_state(u, &state2) == 0); -+ log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2); - } -- -- assert_se(sd_uid_get_state(u, &state2) == 0); -- log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2); - } - - if (seat) { -@@ -214,7 +220,7 @@ static void test_login(void) { - assert_se(sd_get_seats(NULL) == r); - - r = sd_seat_get_active(NULL, &t, NULL); -- assert_se(IN_SET(r, 0, -ENODATA)); -+ assert_se(IN_SET(r, 0, -ENODATA, -ENXIO)); - log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s / \"%s\"", e(r), strnull(t)); - free(t); - diff --git a/0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch b/0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch deleted file mode 100644 index 932cd5a..0000000 --- a/0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch +++ /dev/null 
@@ -1,70 +0,0 @@
-From 2e9d763e7cbeb33954bbe3f96fd94de2cd62edf7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
-Date: Thu, 12 Nov 2020 14:28:24 +0100
-Subject: [PATCH] test-path-util: do not fail if the fd_is_mount_point check
- fails
-
-This test fails on i686 and ppc64le in koji:
-/* test_path */
-Assertion 'fd_is_mount_point(fd, "/", 0) > 0' failed at src/test/test-path-util.c:85, function test_path(). Aborting.
-
-I guess some permission error is the most likely.
----
- src/test/test-path-util.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
-index f4f8d0550b..be428334f3 100644
---- a/src/test/test-path-util.c
-+++ b/src/test/test-path-util.c
-@@ -40,8 +40,6 @@ static void test_path_simplify(const char *in, const char *out, const char *out_
- }
-
- static void test_path(void) {
-- _cleanup_close_ int fd = -1;
--
- log_info("/* %s */", __func__);
-
- test_path_compare("/goo", "/goo", 0);
-@@ -80,10 +78,6 @@ static void test_path(void) {
- assert_se(streq(basename("/aa///file..."), "file..."));
- assert_se(streq(basename("file.../"), ""));
-
-- fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
-- assert_se(fd >= 0);
-- assert_se(fd_is_mount_point(fd, "/", 0) > 0);
--
- test_path_simplify("aaa/bbb////ccc", "aaa/bbb/ccc", "aaa/bbb/ccc");
- test_path_simplify("//aaa/.////ccc", "/aaa/./ccc", "/aaa/ccc");
- test_path_simplify("///", "/", "/");
-@@ -120,6 +114,22 @@ static void test_path(void) {
- assert_se(!path_equal_ptr(NULL, "/a"));
- }
-
-+static void test_path_is_mountpoint(void) {
-+ _cleanup_close_ int fd = -1;
-+ int r;
-+
-+ log_info("/* %s */", __func__);
-+
-+ fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
-+ assert_se(fd >= 0);
-+
-+ r = fd_is_mount_point(fd, "/", 0);
-+ if (r < 0)
-+ log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
-+ else
-+ assert_se(r == 1);
-+}
-+
- static
void test_path_equal_root(void) {
- /* Nail down the details of how path_equal("/", ...) works. */
-
-@@ -714,6 +724,7 @@ int main(int argc, char **argv) {
-
- test_print_paths();
- test_path();
-+ test_path_is_mountpoint();
- test_path_equal_root();
- test_find_executable_full();
- test_find_executable(argv[0]);
diff --git a/0001-test-path-util-ignore-test-failure.patch b/0001-test-path-util-ignore-test-failure.patch
deleted file mode 100644
index 86c410c..0000000
--- a/0001-test-path-util-ignore-test-failure.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From e8bca4ba55f855260eda684a16e8feb5f20b1deb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
-Date: Thu, 12 Nov 2020 15:06:12 +0100
-Subject: [PATCH] test-path-util: ignore test failure
-
----
- src/test/test-path-util.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
-index be428334f3..207c659b8b 100644
---- a/src/test/test-path-util.c
-+++ b/src/test/test-path-util.c
-@@ -120,14 +120,17 @@ static void test_path_is_mountpoint(void) {
-
- log_info("/* %s */", __func__);
-
-+ (void) system("uname -a");
-+ (void) system("mountpoint /");
-+
- fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
- assert_se(fd >= 0);
-
- r = fd_is_mount_point(fd, "/", 0);
- if (r < 0)
- log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
-- else
-- assert_se(r == 1);
-+ else if (r == 0)
-+ log_warning("/ is not a mountpoint?");
- }
-
- static void test_path_equal_root(void) {
diff --git a/10-oomd-defaults.conf b/10-oomd-defaults.conf
index 3660cd2..0254657 100644
--- a/10-oomd-defaults.conf
+++ b/10-oomd-defaults.conf
@@ -1,2 +1,2 @@
 [OOM]
-DefaultMemoryPressureDurationSec=10s
+DefaultMemoryPressureDurationSec=20s
diff --git a/10-oomd-user-service-defaults.conf b/10-oomd-user-service-defaults.conf
index 6e71de7..94d5c87 100644
--- a/10-oomd-user-service-defaults.conf
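Review bot: `DefaultMemoryPressureDurationSec=20s` in 10-oomd-defaults.conf records no reason for the new value, so whoever tunes this next cannot tell whether 20s was picked to stop spurious kills or to match something else. Going by the key name this presumably doubles how long a cgroup must sit above the pressure limit before systemd-oomd acts, which means a genuinely runaway cgroup is also tolerated twice as long before anything is killed; that trade-off belongs in the file. A one-line comment above the key would do, e.g. `# 20s (was 10s): let short pressure spikes clear before a kill is considered`, adjusted to the actual rationale. Any other keys in the [OOM] section are outside the hunk.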
+++ b/10-oomd-user-service-defaults.conf
@@ -1,3 +1,3 @@
 [Service]
 ManagedOOMMemoryPressure=kill
-ManagedOOMMemoryPressureLimit=10%
+ManagedOOMMemoryPressureLimit=50%
diff --git a/18892.patch b/18892.patch
deleted file mode 100644
index 675aaf1..0000000
--- a/18892.patch
+++ /dev/null
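Review bot: `ManagedOOMMemoryPressureLimit=50%` raises the kill threshold for this service fivefold while `ManagedOOMMemoryPressure=kill` stays in force, and the drop-in gives no rationale for the figure. Together with the 20s `DefaultMemoryPressureDurationSec` set in the same commit, the affected cgroup presumably now has to stay above 50% pressure for a full 20s before oomd kills it, a deliberate shift toward fewer false-positive kills and slower reaction to a real memory hog that should be written down where the value lives. Suggest a comment above the key such as `# Raised from 10%: the lower value killed user sessions during brief pressure spikes`, replaced by the real reason if it differs. Which unit this drop-in is installed for is not visible in the hunk.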
@@ -1,495 +0,0 @@ -From e0ae456a554d0fce250f9a009c561b97f20c41f8 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 17:47:45 +0100 -Subject: [PATCH 1/6] dns-query: export CNAME_MAX, so that we can use it in - other files, too -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Let's rename it a bit, to be more explanatory while exporting it. - -(And let's bump the CNAME limit to 16 — 8 just sounded so little) ---- - src/resolve/resolved-dns-query.c | 3 +-- - src/resolve/resolved-dns-query.h | 2 ++ - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index 7554d1e82f4..aa9d65d4a82 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -10,7 +10,6 @@ - #include "resolved-etc-hosts.h" - #include "string-util.h" - --#define CNAME_MAX 8 - #define QUERIES_MAX 2048 - #define AUXILIARY_QUERIES_MAX 64 - -@@ -977,7 +976,7 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) - assert(q); - - q->n_cname_redirects++; -- if (q->n_cname_redirects > CNAME_MAX) -+ if (q->n_cname_redirects > CNAME_REDIRECT_MAX) - return -ELOOP; - - r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna); -diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h -index ea296167b61..5d12171b0a1 100644 ---- a/src/resolve/resolved-dns-query.h -+++ b/src/resolve/resolved-dns-query.h -@@ -145,3 +145,5 @@ static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) { - dns_query_fully_confidential(q)) | - (q->answer_query_flags & (SD_RESOLVED_FROM_MASK|SD_RESOLVED_SYNTHETIC)); - } -+ -+#define CNAME_REDIRECT_MAX 16 - -From d29958261a3df80f5cf0e98b1cd307790a92b13b Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 17:48:43 +0100 -Subject: [PATCH 2/6] resolved: tighten checks in - dns_resource_record_get_cname_target() - -Let's refuse 
to consider CNAME/DNAME replies matching for RR types where -that is not really conceptually allow (i.e. on CNAME/DNAME lookups -themselves). - -(And add a similar check to dns_resource_key_match_cname_or_dname() too, -which implements a smilar match) ---- - src/resolve/resolved-dns-rr.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c -index 823117e5c92..7e76e0c6cc0 100644 ---- a/src/resolve/resolved-dns-rr.c -+++ b/src/resolve/resolved-dns-rr.c -@@ -244,6 +244,9 @@ int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsRe - if (cname->class != key->class && key->class != DNS_CLASS_ANY) - return 0; - -+ if (!dns_type_may_redirect(key->type)) -+ return 0; -+ - if (cname->type == DNS_TYPE_CNAME) - r = dns_name_equal(dns_resource_key_name(key), dns_resource_key_name(cname)); - else if (cname->type == DNS_TYPE_DNAME) -@@ -1743,9 +1746,16 @@ int dns_resource_record_get_cname_target(DnsResourceKey *key, DnsResourceRecord - assert(key); - assert(cname); - -+ /* Checks if the RR `cname` is a CNAME/DNAME RR that matches the specified `key`. If so, returns the -+ * target domain. If not, returns -EUNATCH */ -+ - if (key->class != cname->key->class && key->class != DNS_CLASS_ANY) - return -EUNATCH; - -+ if (!dns_type_may_redirect(key->type)) /* This key type is not subject to CNAME/DNAME redirection? -+ * Then let's refuse right-away */ -+ return -EUNATCH; -+ - if (cname->key->type == DNS_TYPE_CNAME) { - r = dns_name_equal(dns_resource_key_name(key), - dns_resource_key_name(cname->key)); - -From 4838dc4f2be1d29da9ce9a930c48717a4491d70e Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 17:53:31 +0100 -Subject: [PATCH 3/6] resolved: handle multiple CNAME redirects in a single - reply from upstream - -www.netflix.com responds with a chain of CNAMEs in the same packet. 
-Let's handle that properly (so far we only followed CNAMEs a single step -when in the same packet) - -Fixes: #18819 ---- - src/resolve/resolved-dns-stub.c | 105 +++++++++++++++++--------------- - 1 file changed, 57 insertions(+), 48 deletions(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index c2734e57b9b..c3a28d390a4 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -162,79 +162,88 @@ static int dns_stub_collect_answer_by_question( - bool with_rrsig) { /* Add RRSIG RR matching each RR */ - - _cleanup_(dns_resource_key_unrefp) DnsResourceKey *redirected_key = NULL; -+ unsigned n_cname_redirects = 0; - DnsAnswerItem *item; - int r; - - assert(reply); - -- /* Copies all RRs from 'answer' into 'reply', if they match 'question'. */ -+ /* Copies all RRs from 'answer' into 'reply', if they match 'question'. There might be direct and -+ * indirect matches (i.e. via CNAME/DNAME). If they have an indirect one, remember where we need to -+ * go, and restart the loop */ -+ -+ for (;;) { -+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *next_redirected_key = NULL; -+ -+ DNS_ANSWER_FOREACH_ITEM(item, answer) { -+ DnsResourceKey *k = NULL; -+ -+ if (redirected_key) { -+ /* There was a redirect in this packet, let's collect all matching RRs for the redirect */ -+ r = dns_resource_key_match_rr(redirected_key, item->rr, NULL); -+ if (r < 0) -+ return r; -+ -+ k = redirected_key; -+ } else if (question) { -+ /* We have a question, let's see if this RR matches it */ -+ r = dns_question_matches_rr(question, item->rr, NULL); -+ if (r < 0) -+ return r; -+ -+ k = question->keys[0]; -+ } else -+ r = 1; /* No question, everything matches */ - -- DNS_ANSWER_FOREACH_ITEM(item, answer) { -- if (question) { -- r = dns_question_matches_rr(question, item->rr, NULL); -- if (r < 0) -- return r; - if (r == 0) { - _cleanup_free_ char *target = NULL; - - /* OK, so the RR doesn't directly match. 
Let's see if the RR is a matching - * CNAME or DNAME */ - -- r = dns_resource_record_get_cname_target( -- question->keys[0], -- item->rr, -- &target); -+ assert(k); -+ -+ r = dns_resource_record_get_cname_target(k, item->rr, &target); - if (r == -EUNATCH) - continue; /* Not a CNAME/DNAME or doesn't match */ - if (r < 0) - return r; - -- dns_resource_key_unref(redirected_key); -+ /* Oh, wow, this is a redirect. Let's remember where this points, and store -+ * it in 'next_redirected_key'. Once we finished iterating through the rest -+ * of the RR's we'll start again, with the redirected RR key. */ -+ -+ n_cname_redirects++; -+ if (n_cname_redirects > CNAME_REDIRECT_MAX) /* don't loop forever */ -+ return -ELOOP; -+ -+ dns_resource_key_unref(next_redirected_key); - - /* There can only be one CNAME per name, hence no point in storing more than one here */ -- redirected_key = dns_resource_key_new(question->keys[0]->class, question->keys[0]->type, target); -- if (!redirected_key) -+ next_redirected_key = dns_resource_key_new(k->class, k->type, target); -+ if (!next_redirected_key) - return -ENOMEM; - } -- } - -- /* Mask the section info, we want the primary answers to always go without section info, so -- * that it is added to the answer section when we synthesize a reply. */ -+ /* Mask the section info, we want the primary answers to always go without section info, so -+ * that it is added to the answer section when we synthesize a reply. */ - -- r = reply_add_with_rrsig( -- reply, -- item->rr, -- item->ifindex, -- item->flags & ~DNS_ANSWER_MASK_SECTIONS, -- item->rrsig, -- with_rrsig); -- if (r < 0) -- return r; -- } -- -- if (!redirected_key) -- return 0; -- -- /* This is a CNAME/DNAME answer. 
In this case also append where the redirections point to to the main -- * answer section */ -- -- DNS_ANSWER_FOREACH_ITEM(item, answer) { -+ r = reply_add_with_rrsig( -+ reply, -+ item->rr, -+ item->ifindex, -+ item->flags & ~DNS_ANSWER_MASK_SECTIONS, -+ item->rrsig, -+ with_rrsig); -+ if (r < 0) -+ return r; -+ } - -- r = dns_resource_key_match_rr(redirected_key, item->rr, NULL); -- if (r < 0) -- return r; -- if (r == 0) -- continue; -+ if (!next_redirected_key) -+ break; - -- r = reply_add_with_rrsig( -- reply, -- item->rr, -- item->ifindex, -- item->flags & ~DNS_ANSWER_MASK_SECTIONS, -- item->rrsig, -- with_rrsig); -- if (r < 0) -- return r; -+ dns_resource_key_unref(redirected_key); -+ redirected_key = TAKE_PTR(next_redirected_key); - } - - return 0; - -From 39005e187095062718621880e5d8ad707ac8fe8f Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 18:01:27 +0100 -Subject: [PATCH 4/6] resolved: split out helper that checks whether we shall - reply with EDNS0 DO - -Just some refactoring, no actual code changes. ---- - src/resolve/resolved-dns-stub.c | 22 ++++++++++++++-------- - 1 file changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index c3a28d390a4..b4df5837aad 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -561,6 +561,19 @@ static int dns_stub_send( - return 0; - } - -+static int dns_stub_reply_with_edns0_do(DnsQuery *q) { -+ assert(q); -+ -+ /* Reply with DNSSEC DO set? 
Only if client supports it; and we did any DNSSEC verification -+ * ourselves, or consider the data fully authenticated because we generated it locally, or the client -+ * set cd */ -+ -+ return DNS_PACKET_DO(q->request_packet) && -+ (q->answer_dnssec_result >= 0 || /* we did proper DNSSEC validation … */ -+ dns_query_fully_authenticated(q) || /* … or we considered it authentic otherwise … */ -+ DNS_PACKET_CD(q->request_packet)); /* … or client set CD */ -+} -+ - static int dns_stub_send_reply( - DnsQuery *q, - int rcode) { -@@ -571,14 +584,7 @@ static int dns_stub_send_reply( - - assert(q); - -- /* Reply with DNSSEC DO set? Only if client supports it; and we did any DNSSEC verification -- * ourselves, or consider the data fully authenticated because we generated it locally, or -- * the client set cd */ -- edns0_do = -- DNS_PACKET_DO(q->request_packet) && -- (q->answer_dnssec_result >= 0 || /* we did proper DNSSEC validation … */ -- dns_query_fully_authenticated(q) || /* … or we considered it authentic otherwise … */ -- DNS_PACKET_CD(q->request_packet)); /* … or client set CD */ -+ edns0_do = dns_stub_reply_with_edns0_do(q); /* let's check if we shall reply with EDNS0 DO? */ - - r = dns_stub_assign_sections( - q, - -From b97fc57178932689bdcb9030e1e2bf299d49ce0b Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 16:50:04 +0100 -Subject: [PATCH 5/6] resolved: fully follow CNAMEs in the DNS stub after all - -In 2f4d8e577ca7bc51fb054b8c2c8dd57c2e188a41 I argued that following -CNAMEs in the stub is not necessary anymore. However, I think it' better -to revert to the status quo ante and follow it after all, given it is -easy for us and makes sure our D-Bus/varlink replies are more similar to -our DNS stub replies that way, and we save clients potential roundtrips. - -Hence, whenever we hit a CNAME/DNAME redirect, let's restart the query -like we do for the D-Bus/Varlink case, and collect replies as we go. 
---- - src/resolve/resolved-dns-stub.c | 38 +++++++++++++++++++++++---------- - 1 file changed, 27 insertions(+), 11 deletions(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index b4df5837aad..85c4eda469c 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -586,13 +586,6 @@ static int dns_stub_send_reply( - - edns0_do = dns_stub_reply_with_edns0_do(q); /* let's check if we shall reply with EDNS0 DO? */ - -- r = dns_stub_assign_sections( -- q, -- q->request_packet->question, -- edns0_do); -- if (r < 0) -- return log_debug_errno(r, "Failed to assign sections: %m"); -- - r = dns_stub_make_reply_packet( - &reply, - DNS_PACKET_PAYLOAD_SIZE_MAX(q->request_packet), -@@ -743,13 +736,37 @@ static void dns_stub_query_complete(DnsQuery *q) { - } - } - -- /* Note that we don't bother with following CNAMEs here. We propagate the authoritative/additional -- * sections from the upstream answer however, hence if the upstream server collected that information -- * already we don't have to collect it ourselves anymore. */ -+ /* Take all data from the current reply, and merge it into the three reply sections we are building -+ * up. We do this before processing CNAME redirects, so that we gradually build up our sections, and -+ * and keep adding all RRs in the CNAME chain. 
*/ -+ r = dns_stub_assign_sections( -+ q, -+ q->request_packet->question, -+ dns_stub_reply_with_edns0_do(q)); -+ if (r < 0) { -+ log_debug_errno(r, "Failed to assign sections: %m"); -+ dns_query_free(q); -+ return; -+ } - - switch (q->state) { - - case DNS_TRANSACTION_SUCCESS: -+ r = dns_query_process_cname(q); -+ if (r == -ELOOP) { /* CNAME loop, let's send what we already have */ -+ log_debug_errno(r, "Detected CNAME loop, returning what we already have."); -+ (void) dns_stub_send_reply(q, q->answer_rcode); -+ break; -+ } -+ if (r < 0) { -+ log_debug_errno(r, "Failed to process CNAME: %m"); -+ break; -+ } -+ if (r == DNS_QUERY_RESTARTED) -+ return; -+ -+ _fallthrough_; -+ - case DNS_TRANSACTION_RCODE_FAILURE: - (void) dns_stub_send_reply(q, q->answer_rcode); - break; -@@ -888,7 +905,6 @@ static void dns_stub_process_query(Manager *m, DnsStubListenerExtra *l, DnsStrea - r = dns_query_new(m, &q, p->question, p->question, NULL, 0, - SD_RESOLVED_PROTOCOLS_ALL| - SD_RESOLVED_NO_SEARCH| -- SD_RESOLVED_NO_CNAME| - (DNS_PACKET_DO(p) ? SD_RESOLVED_REQUIRE_PRIMARY : 0)| - SD_RESOLVED_CLAMP_TTL); - if (r < 0) { - -From 5d7da51ee1d27e86a0487a4b2abc3cfb0ed44c23 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 18:20:59 +0100 -Subject: [PATCH 6/6] resolved: when synthesizing stub replies from multiple - upstream packet, let's avoid RR duplicates - -If we synthesize a stub reply from multiple upstream packet (i.e. a -series of CNAME/DNAME redirects), it might happen that we add the same -RR to a different reply section at a different CNAME/DNAME redirect -chain element. Let's clean this up once we are about to send the reply -message to the client: let's remove sections from "lower-priority" -sections when they are already listed in a "higher-priority" section. 
---- - src/resolve/resolved-dns-answer.c | 25 +++++++++++++++++++++++++ - src/resolve/resolved-dns-answer.h | 1 + - src/resolve/resolved-dns-stub.c | 20 ++++++++++++++++++++ - 3 files changed, 46 insertions(+) - -diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c -index ce3cbce308d..a667ab5ede4 100644 ---- a/src/resolve/resolved-dns-answer.c -+++ b/src/resolve/resolved-dns-answer.c -@@ -640,6 +640,31 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) { - return 1; - } - -+int dns_answer_remove_by_answer_keys(DnsAnswer **a, DnsAnswer *b) { -+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *prev = NULL; -+ DnsAnswerItem *item; -+ int r; -+ -+ /* Removes all items from '*a' that have a matching key in 'b' */ -+ -+ DNS_ANSWER_FOREACH_ITEM(item, b) { -+ -+ if (prev && dns_resource_key_equal(item->rr->key, prev)) /* Skip this one, we already looked at it */ -+ continue; -+ -+ r = dns_answer_remove_by_key(a, item->rr->key); -+ if (r < 0) -+ return r; -+ -+ /* Let's remember this entry's RR key, to optimize the loop a bit: if we have an RRset with -+ * more than one item then we don't need to remove the key multiple times */ -+ dns_resource_key_unref(prev); -+ prev = dns_resource_key_ref(item->rr->key); -+ } -+ -+ return 0; -+} -+ - int dns_answer_copy_by_key( - DnsAnswer **a, - DnsAnswer *source, -diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h -index c2fd0c078f4..7d19eee4e2b 100644 ---- a/src/resolve/resolved-dns-answer.h -+++ b/src/resolve/resolved-dns-answer.h -@@ -68,6 +68,7 @@ int dns_answer_reserve_or_clone(DnsAnswer **a, size_t n_free); - - int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key); - int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rr); -+int dns_answer_remove_by_answer_keys(DnsAnswer **a, DnsAnswer *b); - - int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord 
*rrsig); - int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig); -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index 85c4eda469c..8e781dd7389 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -574,6 +574,24 @@ static int dns_stub_reply_with_edns0_do(DnsQuery *q) { - DNS_PACKET_CD(q->request_packet)); /* … or client set CD */ - } - -+static void dns_stub_suppress_duplicate_section_rrs(DnsQuery *q) { -+ /* If we follow a CNAME/DNAME chain we might end up populating our sections with redundant RRs -+ * because we built up the sections from multiple reply packets (one from each CNAME/DNAME chain -+ * element). E.g. it could be that an RR that was included in the first reply's additional section -+ * ends up being relevant as main answer in a subsequent reply in the chain. Let's clean this up, and -+ * remove everything in the "higher priority" sections from the "lower priority" sections. -+ * -+ * Note that this removal matches by RR keys instead of the full RRs. This is because RRsets should -+ * always end up in one section fully or not at all, but never be split among sections. -+ * -+ * Specifically: we remove ANSWER section RRs from the AUTHORITATIVE and ADDITIONAL sections, as well -+ * as AUTHORITATIVE section RRs from the ADDITIONAL section. */ -+ -+ dns_answer_remove_by_answer_keys(&q->reply_authoritative, q->reply_answer); -+ dns_answer_remove_by_answer_keys(&q->reply_additional, q->reply_answer); -+ dns_answer_remove_by_answer_keys(&q->reply_additional, q->reply_authoritative); -+} -+ - static int dns_stub_send_reply( - DnsQuery *q, - int rcode) { -@@ -594,6 +612,8 @@ static int dns_stub_send_reply( - if (r < 0) - return log_debug_errno(r, "Failed to build reply packet: %m"); - -+ dns_stub_suppress_duplicate_section_rrs(q); -+ - r = dns_stub_add_reply_packet_body( - reply, - q->reply_answer, 
diff --git a/18915.patch b/18915.patch
deleted file mode 100644
index 534b5bf..0000000
--- a/18915.patch
+++ /dev/null
@@ -1,154 +0,0 @@ -From 8b0f54c9290564e8c27c9c8ac464cdcc2c659ad5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 6 Mar 2021 19:06:08 +0100 -Subject: [PATCH 1/3] pid1: return varlink error on the right connection - ---- - src/core/core-varlink.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/core/core-varlink.c b/src/core/core-varlink.c -index d695106658b..b3df8cd893c 100644 ---- a/src/core/core-varlink.c -+++ b/src/core/core-varlink.c -@@ -142,7 +142,7 @@ static int vl_method_subscribe_managed_oom_cgroups( - /* We only take one subscriber for this method so return an error if there's already an existing one. - * This shouldn't happen since systemd-oomd is the only client of this method. */ - if (FLAGS_SET(flags, VARLINK_METHOD_MORE) && m->managed_oom_varlink_request) -- return varlink_error(m->managed_oom_varlink_request, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL); -+ return varlink_error(link, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL); - - r = json_build(&arr, JSON_BUILD_EMPTY_ARRAY); - if (r < 0) -@@ -188,6 +188,7 @@ static int vl_method_subscribe_managed_oom_cgroups( - if (!FLAGS_SET(flags, VARLINK_METHOD_MORE)) - return varlink_reply(link, v); - -+ assert(!m->managed_oom_varlink_request); - m->managed_oom_varlink_request = varlink_ref(link); - return varlink_notify(m->managed_oom_varlink_request, v); - } -@@ -475,8 +476,7 @@ void manager_varlink_done(Manager *m) { - assert(m); - - /* Send the final message if we still have a subscribe request open. 
*/ -- if (m->managed_oom_varlink_request) -- m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request); -+ m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request); - - m->varlink_server = varlink_server_unref(m->varlink_server); - } - -From 39ad3f1c092b5dffcbb4b1d12eb9ca407f010a3c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 7 Mar 2021 16:42:35 +0100 -Subject: [PATCH 2/3] varlink: avoid using dangling ref in - varlink_close_unref() - -Fixes #18025, https://bugzilla.redhat.com/show_bug.cgi?id=1931034. - -We drop the reference stored in Manager.managed_oom_varlink_request in two code paths: -vl_disconnect() which is installed as a disconnect callback, and in manager_varlink_done(). -But we also make a disconnect from manager_varlink_done(). So we end up with the following -call stack: - -(gdb) bt - 0 vl_disconnect (s=0x112c7b0, link=0xea0070, userdata=0xe9bcc0) at ../src/core/core-varlink.c:414 - 1 0x00007f1366e9d5ac in varlink_detach_server (v=0xea0070) at ../src/shared/varlink.c:1210 - 2 0x00007f1366e9d664 in varlink_close (v=0xea0070) at ../src/shared/varlink.c:1228 - 3 0x00007f1366e9d6b5 in varlink_close_unref (v=0xea0070) at ../src/shared/varlink.c:1240 - 4 0x0000000000524629 in manager_varlink_done (m=0xe9bcc0) at ../src/core/core-varlink.c:479 - 5 0x000000000048ef7b in manager_free (m=0xe9bcc0) at ../src/core/manager.c:1357 - 6 0x000000000042602c in main (argc=5, argv=0x7fff439c43d8) at ../src/core/main.c:2909 - -When we enter vl_disconnect(), m->managed_oom_varlink_request.n_ref==1. -When we exit from vl_discconect(), m->managed_oom_varlink_request==NULL. But -varlink_close_unref() has a copy of the pointer in *v. When we continue executing -varlink_close_unref(), this pointer is dangling, and the call to varlink_unref() -is done with an invalid pointer. 
---- - src/shared/varlink.c | 33 +++++++++++++++++++++++++-------- - 1 file changed, 25 insertions(+), 8 deletions(-) - -diff --git a/src/shared/varlink.c b/src/shared/varlink.c -index 31128e02e06..6ed72075ba5 100644 ---- a/src/shared/varlink.c -+++ b/src/shared/varlink.c -@@ -1206,8 +1206,9 @@ int varlink_close(Varlink *v) { - - varlink_set_state(v, VARLINK_DISCONNECTED); - -- /* Let's take a reference first, since varlink_detach_server() might drop the final (dangling) ref -- * which would destroy us before we can call varlink_clear() */ -+ /* Let's take a reference first, since varlink_detach_server() might drop the final ref from the -+ * disconnect callback, which would invalidate the pointer we are holding before we can call -+ * varlink_clear(). */ - varlink_ref(v); - varlink_detach_server(v); - varlink_clear(v); -@@ -1220,17 +1221,33 @@ Varlink* varlink_close_unref(Varlink *v) { - if (!v) - return NULL; - -- (void) varlink_close(v); -+ /* A reference is given to us to be destroyed. But when calling varlink_close(), a callback might -+ * also drop a reference. We allow this, and will hold a temporary reference to the object to make -+ * sure that the object still exists when control returns to us. If there's just one reference -+ * remaining after varlink_close(), even though there were at least two right before, we'll handle -+ * that gracefully instead of crashing. -+ * -+ * In other words, this call drops the donated reference, but if the internal call to varlink_close() -+ * dropped a reference to, we don't drop the reference afain. This allows the caller to say: -+ * global_object->varlink = varlink_close_unref(global_object->varlink); -+ * even though there is some callback which has access to global_object and may drop the reference -+ * stored in global_object->varlink. 
Without this step, the same code would have to be written as: -+ * Varlink *t = TAKE_PTR(global_object->varlink); -+ * varlink_close_unref(t); -+ */ -+ /* n_ref >= 1 */ -+ varlink_ref(v); /* n_ref >= 2 */ -+ varlink_close(v); /* n_ref >= 1 */ -+ if (v->n_ref > 1) -+ v->n_ref--; /* n_ref >= 1 */ - return varlink_unref(v); - } - - Varlink* varlink_flush_close_unref(Varlink *v) { -- if (!v) -- return NULL; -+ if (v) -+ varlink_flush(v); - -- (void) varlink_flush(v); -- (void) varlink_close(v); -- return varlink_unref(v); -+ return varlink_close_unref(v); - } - - static int varlink_enqueue_json(Varlink *v, JsonVariant *m) { - -From a19c1a4baaa1dadc80885e3ad41f19a6c6c450fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 8 Mar 2021 09:21:25 +0100 -Subject: [PATCH 3/3] oomd: "downgrade" level of message - -PID1 already logs about the service being started, so this line isn't necessary -in normal use. Also, by the time it is emitted, the service has already -signalled readiness, so let's not say "starting" but "started". ---- - src/oom/oomd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/oom/oomd.c b/src/oom/oomd.c -index 674d53fdcfe..6e2a5889d1e 100644 ---- a/src/oom/oomd.c -+++ b/src/oom/oomd.c -@@ -170,7 +170,7 @@ static int run(int argc, char *argv[]) { - - notify_msg = notify_start(NOTIFY_READY, NOTIFY_STOPPING); - -- log_info("systemd-oomd starting%s!", arg_dry_run ? " in dry run mode" : ""); -+ log_debug("systemd-oomd started%s.", arg_dry_run ? " in dry run mode" : ""); - - r = sd_event_loop(m->event); - if (r < 0) diff --git a/9cc6a94790eecfc808335b759355a4005d66f6e3.patch b/9cc6a94790eecfc808335b759355a4005d66f6e3.patch deleted file mode 100644 index e709085..0000000 --- a/9cc6a94790eecfc808335b759355a4005d66f6e3.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 9cc6a94790eecfc808335b759355a4005d66f6e3 Mon Sep 17 00:00:00 2001 -From: "Jonathan G. Underwood" -Date: Tue, 22 Dec 2020 20:04:52 +0000 -Subject: [PATCH] cryptsetup: add support for workqueue options - -This commit adds support for disabling the read and write -workqueues with the new crypttab options no-read-workqueue -and no-write-workqueue. These correspond to the cryptsetup -options --perf-no_read_workqueue and --perf-no_write_workqueue -respectively. ---- - man/crypttab.xml | 19 +++++++++++++++++++ - src/cryptsetup/cryptsetup.c | 12 ++++++++++++ - src/shared/cryptsetup-util.h | 8 ++++++++ - 3 files changed, 39 insertions(+) - -diff --git a/man/crypttab.xml b/man/crypttab.xml -index 2062a5b8e70..72fe2e692da 100644 ---- a/man/crypttab.xml -+++ b/man/crypttab.xml -@@ -342,6 +342,25 @@ - - - -+ -+ -+ -+ Bypass dm-crypt internal workqueue and process read requests synchronously. The -+ default is to queue these requests and process them asynchronously. -+ -+ This requires kernel 5.9 or newer. -+ -+ -+ -+ -+ -+ Bypass dm-crypt internal workqueue and process write requests synchronously. The -+ default is to queue these requests and process them asynchronously. -+ -+ This requires kernel 5.9 or newer. 
-+ -+ -+ - - - -diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c -index 7b21a7457a1..65cbd1aec83 100644 ---- a/src/cryptsetup/cryptsetup.c -+++ b/src/cryptsetup/cryptsetup.c -@@ -60,6 +60,8 @@ static bool arg_verify = false; - static bool arg_discards = false; - static bool arg_same_cpu_crypt = false; - static bool arg_submit_from_crypt_cpus = false; -+static bool arg_no_read_workqueue = false; -+static bool arg_no_write_workqueue = false; - static bool arg_tcrypt_hidden = false; - static bool arg_tcrypt_system = false; - static bool arg_tcrypt_veracrypt = false; -@@ -236,6 +238,10 @@ static int parse_one_option(const char *option) { - arg_same_cpu_crypt = true; - else if (streq(option, "submit-from-crypt-cpus")) - arg_submit_from_crypt_cpus = true; -+ else if (streq(option, "no-read-workqueue")) -+ arg_no_read_workqueue = true; -+ else if (streq(option, "no-write-workqueue")) -+ arg_no_write_workqueue = true; - else if (streq(option, "luks")) - arg_type = ANY_LUKS; - /* since cryptsetup 2.3.0 (Feb 2020) */ -@@ -1352,6 +1358,12 @@ static uint32_t determine_flags(void) { - if (arg_submit_from_crypt_cpus) - flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS; - -+ if (arg_no_read_workqueue) -+ flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE; -+ -+ if (arg_no_write_workqueue) -+ flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE; -+ - #ifdef CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF - /* Try to decrease the risk of OOM event if memory hard key derivation function is in use */ - /* https://gitlab.com/cryptsetup/cryptsetup/issues/446/ */ -diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h -index fa2d2f65f3c..afac5cd46bd 100644 ---- a/src/shared/cryptsetup-util.h -+++ b/src/shared/cryptsetup-util.h -@@ -7,6 +7,14 @@ - #if HAVE_LIBCRYPTSETUP - #include - -+/* These next two are defined in libcryptsetup.h from cryptsetup version 2.3.4 forwards. 
*/ -+#ifndef CRYPT_ACTIVATE_NO_READ_WORKQUEUE -+#define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (1 << 24) -+#endif -+#ifndef CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE -+#define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (1 << 25) -+#endif -+ - extern int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags); - #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY - extern int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags); diff --git a/owner-check.sh b/owner-check.sh index 7086238..3273a3f 100755 --- a/owner-check.sh +++ b/owner-check.sh @@ -1,7 +1,11 @@ #!/bin/bash set -e -[ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1 } +verb="$1" + +[ "$verb" = "-s" ] && do_send=1 || do_send= + +[ -n "$do_send" ] && [ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1; } header= from=systemd-maint@fedoraproject.org 
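Review bot: The new guard on the last added line of the owner-check.sh hunk keeps the old typo `-z "login"`: it tests the literal string `login`, which is never empty, so an unset `$login` is never caught and, with `-s`, massmail is later invoked with an empty `-u` argument (see the `-u "$login"` line in the next hunk). It should read `$login`, and since `-o` inside `[` is obsolescent in POSIX the condition is clearer as `[ -n "$do_send" ] && { [ -z "$server" ] || [ -z "$login" ]; } && { echo '$server and $login need to be set'; exit 1; }`. The `[ "$verb" = "-s" ] && do_send=1 || do_send=` idiom works here only because `do_send=1` cannot fail; a plain `if` would make that intent explicit.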
@@ -11,26 +15,39 @@ port=587 for user in "$@"; do echo "checking $user…" - t=$(git shortlog --all --author $user --since "@{$time}" | wc -l) + + p=$(git log -1 --all --author "$user") + if [ -z "$p" ]; then + echo "No commits from $user, check spelling" + exit 1 + fi + + t=$(git shortlog --all --author "$user" --since "@{$time}" | wc -l) if [ $t != 0 ]; then echo "$t commits in the last two years, OK" + echo continue fi + echo "$p" | head -n6 + echo ".. adding to list" + if [ -z "$header" ]; then echo '$USER$;$EMAIL$' >.mail.list header=done fi echo "$user;$user@fedoraproject.org" >>.mail.list + echo done [ -z "$header" ] && exit 0 +[ -n "$do_send" ] || exit 0 echo "Sending mails…" set -x -massmail -F $from \ - -C $from \ +massmail -F "$from" \ + -C "$from" \ -S 'write access to the fedora systemd package' \ - -z $server -u $login -P $port \ + -z "$server" -u "$login" -P "$port" \ .mail.list /dev/null || groupadd -r -g 11 cdrom &>/dev/null || : getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || : getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || : getent group dialout &>/dev/null || groupadd -r -g 18 dialout &>/dev/null || : -getent group input &>/dev/null || groupadd -r input &>/dev/null || : +getent group input &>/dev/null || groupadd -r -g 104 input &>/dev/null || : getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || : -getent group render &>/dev/null || groupadd -r render &>/dev/null || : +getent group render &>/dev/null || groupadd -r -g 105 render &>/dev/null || : +getent group sgx &>/dev/null || groupadd -r -g 106 sgx &>/dev/null || : getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || : getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : 
@@ -795,10 +829,16 @@ function mod_nss() { ' "$1" &>/dev/null || : # Add nss-resolve to hosts - grep -E -q '^hosts:.* resolve' "$1" || - sed -i.bak -r -e ' - s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 files\3 resolve [!UNAVAIL=return] myhostname dns/ + if grep -E -q '^hosts:.* resolve' "$1"; then + sed -i.bak -r -e ' + s/^(hosts):(.*) files( .*) myhostname dns/\1:\2 files myhostname\3 dns/ ' "$1" &>/dev/null || : + + else + sed -i.bak -r -e ' + s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 files myhostname\3 resolve [!UNAVAIL=return] dns/ + ' "$1" &>/dev/null || : + fi fi } @@ -898,7 +938,20 @@ getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2 getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || : %post networkd -%systemd_post systemd-networkd.service systemd-networkd-wait-online.service +# systemd-networkd was split out in systemd-246.6-2. +# Ideally, we would have a trigger scriptlet to record enablement +# state when upgrading from systemd <= systemd-246.6-1. But, AFAICS, +# rpm doesn't allow us to trigger on another package, short of +# querying the rpm database ourselves, which seems risky. For rpm, +# systemd and systemd-networkd are completely unrelated. So let's use +# a hack to detect if an old systemd version is currently present in +# the file system. +# https://bugzilla.redhat.com/show_bug.cgi?id=1943263 +if [ $1 -eq 1 ] && ls /usr/lib/systemd/libsystemd-shared-24[0-6].so &>/dev/null; then + echo "Skipping presets for systemd-networkd.service, seems we are upgrading from old systemd." +else + %systemd_post systemd-networkd.service systemd-networkd-wait-online.service +fi %preun networkd %systemd_preun systemd-networkd.service systemd-networkd-wait-online.service 
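Review bot: The glob on the new `if` line of the `%post networkd` hunk, `libsystemd-shared-24[0-6].so`, matches every 240–246 build, including 246.6-2 and later 246.x builds in which, per the comment above it, networkd had already been split out; on such a system a first install of the subpackage (`$1 -eq 1`) would skip the presets even though no monolithic systemd is being replaced. Whether that state occurs in practice depends on how the subpackage gets pulled in, which the hunk does not show, so it may be acceptable, but the comment should then state it, e.g. `# NOTE: the glob also matches 246.6-2+ (same soname); a fresh install of the subpackage on those builds skips presets too.` If exactness matters, testing for a file that only the monolithic package shipped, if one exists, would be more precise than the soname glob. The scriptlet ends inside the hunk at `fi`, so this is its whole logic.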
@@ -924,6 +977,7 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %ghost %dir %attr(0755,-,-) /etc/systemd/system/sysinit.target.wants %ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants %ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants +%ghost %dir %attr(0700,-,-) /var/lib/portables %ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd %files libs -f .file-list-libs @@ -938,6 +992,7 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files udev -f .file-list-udev %files container -f .file-list-container +%ghost %dir %attr(0700,-,-) /var/lib/machines %files journal-remote -f .file-list-remote 
@@ -952,6 +1007,129 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 248.10-1 +- Add Conflicts for older systemd and systemd-udev versions to fix issue with + files being moved between subpackages (rhbz#2051019) + +* Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek - 248.10-1 +- Latest upstream bugfix release: fixes for the manager, sd-boot, + systemd-networkd, systemd-resolved, systemd-journald, systemd-homed, + unusual protocols are disabled in systemd-importd, utmp entries, nss + modules, VirtualBox virtualization detection, various documentation + updates +- Users logged in locally get access to media nodes (webcams and such). +- Make systemd-xdg-autostart-service ignore missing condition check binary + (related to #2038750, but does not fix it) +- Allow mprotect(2), arch_prctl(2) in @default seccomp filter +- Fix sysusers without /proc (#2036217) +- Ordering of various units during early boot and shutdown is adjusted to fix + some corner cases +- Maximum numbers of files are bumped for /dev and /tmp +- CVE-2021-3997, #2039383: systemd-tmpfiles would exhaust the stack and crash + during excessive recursion on a very deeply nested directory structure + +* Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek - 248.9-1 +- Add missing requirements for libfido2 and libtss2 (#1975827) + +* Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek - 248.9-1 +- Rebuild of 248.8 with one patch removed (causing #2013386) and one patch + added (for #1998488). + +* Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek - 248.8-1 +- Latest bugfix release: fix for systemctl enable, documentation, + systemd-networkd, -coredump, -timesyncd, -udev, -nspawn, -oomd, + -repart, -resolved, systemd itself, seccomp filters, bootctl, + journalctl, TPM2, sd-event, sd-journal, nss-systemd, compatibility + with the latest kernels. 
+ +* Fri Aug 6 2021 Zbigniew Jędrzejewski-Szmek - 248.7-1 +- Latest bugfix release: improved compatibility with latest glibc, + various small documentation fixes, and fixes for systemd-networkd bridging, + other minor fixes. +- systemctl set-property accepts glob patterns now (#1986258) + +* Thu Jul 22 2021 Zbigniew Jędrzejewski-Szmek - 248.6-1 +- Create 'sgx' group (and also use soft-static uids for input and render, + see https://pagure.io/setup/c/df3194a7295c2ca3cfa923981b046f4bd2754825 + and https://pagure.io/packaging-committee/issue/1078 (#1965815) +- Various bugfixes (#1963428, #1975564) +- Fix for a regression introduced in the previous release with + sd-event abort (#1984651) + +* Tue Jul 20 2021 Zbigniew Jędrzejewski-Szmek - 248.5-1 +- Various minor documentation and correctness fixes. +- CVE-2021-33910, #1984020: an unchecked stack allocation could be used to + crash systemd and cause the system to reboot by creating a very long + fuse mountpoint path. + +* Mon Jul 12 2021 Zbigniew Jędrzejewski-Szmek - 248.4-1 +- Assorted fixes (some systemd-resolved crashes, invalid + systemd-tmpfiles assertion, etc.) +- systemd-networkd workaround for TALOS-2020-1142, CVE-2020-13529. +- A big update of hardware descriptions. + +* Sat May 15 2021 Zbigniew Jędrzejewski-Szmek - 248.3-1 +- A fix for resolved crashes (#1946386, #1960227, #1950241) +- Some minor fixes for documentation, systemd-networkd, systemd-run, bootctl. 
+ +* Fri May 7 2021 Zbigniew Jędrzejewski-Szmek - 248.2-1 +- Pull in some more patches from upstream (#1944646, #1885090, #1941340) +- Adjust modes of some %%ghost files (#1956059) + +* Thu May 6 2021 Zbigniew Jędrzejewski-Szmek - 248.1-1 +- Latest stable version: a long list of minor correctness fixes all around + (#1955475, #911766, #1958167, #1952919) +- Enable tpm2-tss dependency (#1949505) + +* Tue Apr 06 2021 Adam Williamson - 248-2 +- Re-enable resolved caching, we hope all major bugs are resolved now + +* Wed Mar 31 2021 Zbigniew Jędrzejewski-Szmek - 248-1 +- Latest upstream release, see + https://github.com/systemd/systemd/blob/v248/NEWS. +- The changes since -rc4 are rather small, various fixes all over the place. + A fix to how systemd-oomd selects a candidate to kill, and more debug logging + to make this more transparent. + +* Tue Mar 30 2021 Anita Zhang - 248~rc4-6 +- Increase oomd user memory pressure limit to 50% (#1941170) + +* Fri Mar 26 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-5 +- Do not preset systemd-networkd.service and systemd-networkd-wait-online.service + on upgrades from before systemd-networkd was split out (#1943263) +- In nsswitch.conf, move nss-myhostname to the front, before nss-mdns4 (#1943199) + +* Wed Mar 24 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-4 +- Revert patch that seems to cause problems with dns resolution + (see comments on https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb) + +* Mon Mar 22 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-3 +- Fix hang when processing timers during DST switch in Europe/Dublin timezone (#1941335) +- Fix returning combined IPv4/IPv6 responses from systemd-resolved cache (#1940715) + (But note that the disablement of caching added previously is + retained until we can do more testing.) 
+- Minor fix to interface naming by udev +- Fix for systemd-repart --size + +* Fri Mar 19 2021 Adam Williamson - 248~rc4-2 +- Disable resolved cache via config snippet (#1940715) + +* Thu Mar 18 2021 Yu Watanabe - 248~rc4-1 +- Latest upstream prelease, see + https://github.com/systemd/systemd/blob/v248-rc4/NEWS. +- A bunch of documentation updates, correctness fixes, and systemd-networkd + features. +- Resolves #1933137, #1935084, #1933873, #1931181, #1933335, #1935062, #1927148. + +* Tue Mar 16 2021 Adam Williamson - 248~rc2-8 +- Drop the resolved cache disablement config snippet + +* Tue Mar 16 2021 Adam Williamson - 248~rc2-7 +- Backport PR #19009 to fix CNAME redirect resolving some more (#1933433) + +* Fri Mar 12 2021 Adam Williamson - 248~rc2-6 +- Disable resolved cache via config snippet (#1933433) + * Thu Mar 11 2021 Zbigniew Jędrzejewski-Szmek - 248~rc2-5 - Fix crash in pid1 during daemon-reexec (#1931034) diff --git a/sysusers.prov b/sysusers.prov index a6eda5d..f12e929 100755 --- a/sysusers.prov +++ b/sysusers.prov @@ -1,5 +1,40 @@ #!/bin/bash +process_u() { + if [ ! -z "${2##*[!0-9]*}" ]; then + # Single shared static ID. + echo "user($1) = $2" + echo "group($1) = $2" + elif [[ $2 == *:* ]]; then + # UID:. + uid=$(echo $2 | cut -d':' -f1 -) + group=$(echo $2 | cut -d':' -f2 -) + if [ ! -z "${group##*[!0-9]*}" ]; then + # UID:GID. + echo "user($1) = ${uid}" + echo "group($1) = ${group}" + else + # UID:. + echo "user($1) = ${uid}" + echo "group(${group})" + fi + else + # Dynamic (or something else uninteresting). + echo "user($1)" + echo "group($1)" + fi +} + +process_g() { + if [ ! -z "${2##*[!0-9]*}" ]; then + # Static GID. + echo "group($1) = $2" + else + # Dynamic (or something else uninteresting). + echo "group($1)" + fi +} + parse() { while read line; do [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue 
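Review bot: In the new `process_u`, the `UID:groupname` branch prints `group(${group})` as a Provides for a group that this `u` line only references; if, as the sysusers.d(5) rules for `uid:groupname` suggest, that group has to exist already (declared by a `g` line, possibly in another package), then this is a requirement rather than something the package provides, and the generated `Provides: group(x)` could satisfy another package's dependency without anything actually creating the group. Please confirm the intended semantics and either drop that echo or emit it only when the same sysusers file also declares the group. Stylistically, `uid=$(echo $2 | cut -d':' -f1 -)` and the `group=` line can be the quoting-safe, fork-free `uid=${2%%:*}` and `group=${2#*:}`, and `[ ! -z … ]` is conventionally written `[ -n … ]`.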
@@ -8,12 +43,10 @@ parse() {
 set -- $line
 case "$1" in
 ('u')
- echo "user($2)"
- echo "group($2)"
- # TODO: user:group support
+ process_u "$2" "$3"
 ;;
 ('g')
- echo "group($2)"
+ process_g "$2" "$3"
 ;;
 ('m')
 echo "user($2)"