From d366b5965725a7ff1cd586e1ae2539e4cfc404db Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 20 Mar 2025 10:20:16 +0100 Subject: [PATCH 01/79] Fix test_sysusers_defined check https://src.fedoraproject.org/rpms/setup/c/7ced36d60b67c9e74f7951123225200597e3d2fa?branch=rawhide merged the two setup sysusers files into one and changed the name, so let's adapt the test_sysusers_defined check for those changes. --- systemd.spec | 2 +- test_sysusers_defined.py | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/systemd.spec b/systemd.spec index 145b35b..5187e35 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1060,7 +1060,7 @@ mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/ # and https://src.fedoraproject.org/rpms/setup/pull-request/10. # We skip this on upstream builds so that new users and groups # can be added without breaking the build. -%{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf +%{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf %endif rm %{buildroot}/usr/lib/sysusers.d/basic.conf %endif diff --git a/test_sysusers_defined.py b/test_sysusers_defined.py index 6f04f15..7ea2fea 100755 --- a/test_sysusers_defined.py +++ b/test_sysusers_defined.py @@ -22,11 +22,7 @@ def parse_sysusers_file(filename): return users, groups setup_users, setup_groups = parse_sysusers_file(sys.argv[1]) -setup_users2, setup_groups2 = parse_sysusers_file(sys.argv[2]) -setup_users |= setup_users2 -setup_groups |= setup_groups2 - -basic_users, basic_groups = parse_sysusers_file(sys.argv[3]) +basic_users, basic_groups = parse_sysusers_file(sys.argv[2]) if d := basic_users - setup_users: exit(f'We have new users: {d}') From e346d9f33e530bd5e05885621b837073ea090cc4 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Thu, 20 Mar 2025 19:15:52 -0400 Subject: [PATCH 02/79] Limit sdubby dependency to Fedora dnf repoclosure raises an error even when a boolean dependency is missing. While technically a bug in dnf, since these dependencies are already conditional, simply adjusting the condition is simplest. https://github.com/rpm-software-management/dnf-plugins-core/issues/549 --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index 145b35b..0655c6e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -431,6 +431,8 @@ Provides: udev = %{version} Provides: udev%{_isa} = %{version} %if 0%{?fedora} || 0%{?rhel} >= 10 Requires: (grubby > 8.40-72 if grubby) +%endif +%if 0%{?fedora} Requires: (sdubby > 1.0-3 if sdubby) %endif # A backport of systemd-timesyncd is shipped as a separate package in EPEL so From 3e9051124e4447c238ae65af9ad1562924aeb18a Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 20 Mar 2025 09:34:33 +0100 Subject: [PATCH 03/79] Migrate fmf metadata and test script from the upstream repository Primarily, this allows us to get rid of dist-git-source which makes the fmf stuff reusable for CentOS Stream in gitlab which we'd like to make use of in the systemd backport in the Hyperscale SIG. Also in general making the integration touch points with Fedora CI and the other systems as small as possible seems like a good thing. --- plans/run-integration-tests.sh | 114 +++++++++++++++++++++++++++++++++ plans/upstream.fmf | 28 ++++---- 2 files changed, 131 insertions(+), 11 deletions(-) create mode 100755 plans/run-integration-tests.sh diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh new file mode 100755 index 0000000..a06b3a3 --- /dev/null +++ b/plans/run-integration-tests.sh @@ -0,0 +1,114 @@ +#!/bin/bash + +set -eux +set -o pipefail + +# Switch SELinux to permissive if possible, since the tests don't set proper contexts +setenforce 0 || true + +echo "CPU and Memory information:" +lscpu +lsmem + +echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)" + +# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors. +sysctl fs.inotify.max_user_watches=65536 || true +sysctl fs.inotify.max_user_instances=1024 || true + +if [[ -n "${KOJI_TASK_ID:-}" ]]; then + koji download-task --noprogress --arch="src,noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID" +elif [[ -n "${CBS_TASK_ID:-}" ]]; then + cbs download-task --noprogress --arch="src,noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID" +elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then + COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")" + COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")" + copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID" + mv "$COPR_CHROOT"/* . +else + echo "Not running within packit and no CBS/koji task ID provided" + exit 1 +fi + +mkdir systemd +rpm2cpio ./systemd-*.src.rpm | cpio --to-stdout --extract './systemd-*.tar.gz' | tar xz --strip-components=1 -C systemd +pushd systemd + +# Now prepare mkosi at the same version required by the systemd repo. +git clone https://github.com/systemd/mkosi +mkosi_hash="$(grep systemd/mkosi@ .github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" +git -C mkosi checkout "$mkosi_hash" + +export PATH="$PWD/mkosi/bin:$PATH" + +# shellcheck source=/dev/null +. /etc/os-release || . /usr/lib/os-release + +tee mkosi.local.conf < Date: Fri, 21 Mar 2025 14:38:40 +0100 Subject: [PATCH 04/79] Use old setup sysusers files on Fedora < 43 --- systemd.spec | 4 ++++ test_sysusers_defined.py | 10 ++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index 74a2b08..e637cf8 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1062,7 +1062,11 @@ mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/ # and https://src.fedoraproject.org/rpms/setup/pull-request/10. # We skip this on upstream builds so that new users and groups # can be added without breaking the build. +%if 0%{?fedora} >= 43 %{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf +%else +%{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf +%endif %endif rm %{buildroot}/usr/lib/sysusers.d/basic.conf %endif diff --git a/test_sysusers_defined.py b/test_sysusers_defined.py index 7ea2fea..f6358fb 100755 --- a/test_sysusers_defined.py +++ b/test_sysusers_defined.py @@ -21,8 +21,14 @@ def parse_sysusers_file(filename): assert False return users, groups -setup_users, setup_groups = parse_sysusers_file(sys.argv[1]) -basic_users, basic_groups = parse_sysusers_file(sys.argv[2]) +setup_users, setup_groups = set(), set() + +for arg in sys.argv[1:-1]: + users, groups = parse_sysusers_file(arg) + setup_users |= users + setup_groups |= groups + +basic_users, basic_groups = parse_sysusers_file(sys.argv[-1]) if d := basic_users - setup_users: exit(f'We have new users: {d}') From 2ecfbec1a444a2ec9e3dab91d04565330cf809ea Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Fri, 21 Mar 2025 15:59:32 +0100 Subject: [PATCH 05/79] Support specifying extra mkosi repositories to the test script --- plans/run-integration-tests.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index a06b3a3..79bf71c 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -61,6 +61,16 @@ Environment=NO_BUILD=1 WithTests=yes EOF +if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then + tee --append mkosi.local.conf < Date: Fri, 21 Mar 2025 21:40:07 +0100 Subject: [PATCH 06/79] Make the source tarball glob in the test script more generic If we download the main branch from github by defining %branch, the source tarball will be named main.tar.gz, so let's make the tarball pattern more generic to match. --- plans/run-integration-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 79bf71c..32751ab 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -31,7 +31,7 @@ else fi mkdir systemd -rpm2cpio ./systemd-*.src.rpm | cpio --to-stdout --extract './systemd-*.tar.gz' | tar xz --strip-components=1 -C systemd +rpm2cpio ./systemd-*.src.rpm | cpio --to-stdout --extract './*.tar.gz' | tar xz --strip-components=1 -C systemd pushd systemd # Now prepare mkosi at the same version required by the systemd repo. From 6f0d03443d2f5695e05146e3bd17f6dab84ab459 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 17:40:59 +0100 Subject: [PATCH 07/79] Fix paths for /usr/sbin/nologin and related progs I noticed that systemd-sysusers creates accounts with /usr/bin/nologin. On merged systems is fine, but would not work for systems where /usr/sbin is still a separate directory and /usr/bin/nologin does not exist. This problem occurs because the meson configuration script discovers the location using $PATH, which on recent builds results in /usr/bin always. Just specify all the paths so that we don't depend on the presence and order of paths in $PATH. --- systemd.spec | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/systemd.spec b/systemd.spec index e637cf8..7767e1f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -859,6 +859,19 @@ CONFIGURE_OPTS=( -Dsystemd-resolve-uid=193 # -Dsystemd-timesync-uid=, not set yet + # Make sure we use the original paths to maintain compatibility + # with unmerged systems + -Dquotaon-path=/usr/sbin/quotaon + -Dquotacheck-path=/usr/sbin/quotacheck + -Dkmod-path=/usr/bin/kmod + -Dkexec-path=/usr/sbin/kexec + -Dsulogin-path=/usr/sbin/sulogin + -Dmount-path=/usr/bin/mount + -Dumount-path=/usr/bin/umount + -Dloadkeys-path=/usr/bin/loadkeys + -Dsetfont-path=/usr/bin/setfont + -Dnologin-path=/usr/sbin/nologin + # For now, let's build the bootloader in the same places where we # built with gnu-efi. Later on, we might want to extend coverage, but # considering that that support is untested, let's not do this now. From d1380dc1146fd81a42dcf685ef4e69780db6fb2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 22 Mar 2025 20:08:53 +0100 Subject: [PATCH 08/79] Add more services to %post for udev and networkd Noticed in https://bugzilla.redhat.com/show_bug.cgi?id=2348669#c25. Most of those units listed don't have an [Install] section, and of those that have, almost all were disabled by default. This might be something to fix, e.g. we might want to enable systemd-udev-load-credentials.service, this is something to consider. But it's clearer if we list all the units that those packages ship. In priciple somebody might ship a preset to enable them. Anyway, the impact of this change is much smaller than might seem at first. But systemd-network-generator.service has an [Install] section and is preset to true, so not listing it in the scriptlets was a visible bug. There's the additional caveat that systemd-network-generator.service is coowned by two packages. The current system does not have a way of handling this properly, because unit enablement is tied to the package install state. Let's just call the scriptlet for this unit twice for now. I think that's not going to cause any real problem. --- systemd.spec | 115 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 111 insertions(+), 4 deletions(-) diff --git a/systemd.spec b/systemd.spec index 7767e1f..72afb14 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1187,7 +1187,106 @@ systemctl daemon-reexec || : # a different package version. systemctl --no-reload preset systemd-journald-audit.socket &>/dev/null || : -%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-homed.service %{?want_bootloader:systemd-boot-update.service} systemd-oomd.service systemd-portabled.service systemd-pstore.service systemd-timesyncd.service remote-cryptsetup.target +%global udev_services %{shrink: + cryptsetup-pre.target + cryptsetup.target + hibernate.target + hybrid-sleep.target + initrd-cleanup.service + initrd-fs.target + initrd-parse-etc.service + initrd-root-device.target + initrd-root-fs.target + initrd-switch-root.service + initrd-switch-root.target + initrd-udevadm-cleanup-db.service + initrd-usr-fs.target + initrd.target + integritysetup-pre.target + integritysetup.target + kmod-static-nodes.service + proc-sys-fs-binfmt_misc.automount + proc-sys-fs-binfmt_misc.mount + quotaon-root.service + quotaon@.service + remote-cryptsetup.target + remote-veritysetup.target + sleep.target + suspend-then-hibernate.target + suspend.target + system-systemd\x2dcryptsetup.slice + system-systemd\x2dveritysetup.slice + systemd-backlight@.service + systemd-binfmt.service + systemd-bless-boot.service + systemd-bsod.service + systemd-coredump.socket + systemd-coredump@.service + systemd-fsck-root.service + systemd-fsck@.service + systemd-growfs-root.service + systemd-growfs@.service + systemd-hibernate-clear.service + systemd-hibernate-resume.service + systemd-hibernate.service + systemd-homed-activate.service + systemd-homed-firstboot.service + systemd-homed.service + systemd-hwdb-update.service + systemd-hybrid-sleep.service + systemd-modules-load.service + systemd-network-generator.service + systemd-oomd.service + systemd-oomd.socket + systemd-pcrextend.socket + systemd-pcrextend@.service + systemd-pcrfs-root.service + systemd-pcrfs@.service + systemd-pcrlock-file-system.service + systemd-pcrlock-firmware-code.service + systemd-pcrlock-firmware-config.service + systemd-pcrlock-machine-id.service + systemd-pcrlock-make-policy.service + systemd-pcrlock-secureboot-authority.service + systemd-pcrlock-secureboot-policy.service + systemd-pcrlock.socket + systemd-pcrlock@.service + systemd-pcrmachine.service + systemd-pcrphase-initrd.service + systemd-pcrphase-sysinit.service + systemd-pcrphase.service + systemd-portabled.service + systemd-pstore.service + systemd-quotacheck-root.service + systemd-quotacheck@.service + systemd-random-seed.service + systemd-remount-fs.service + systemd-repart.service + systemd-rfkill.service + systemd-rfkill.socket + systemd-suspend-then-hibernate.service + systemd-suspend.service + systemd-sysctl.service + systemd-timesyncd.service + systemd-tmpfiles-setup-dev-early.service + systemd-tmpfiles-setup-dev.service + systemd-udev-load-credentials.service + systemd-udev-settle.service + systemd-udev-trigger.service + systemd-udevd-control.socket + systemd-udevd-kernel.socket + systemd-udevd.service + systemd-vconsole-setup.service + systemd-volatile-root.service + veritysetup-pre.target + veritysetup.target + %{?want_bootloader: + systemd-boot-random-seed.service + systemd-boot-update.service + systemd-bootctl.socket + systemd-bootctl@.service + } + } %post udev # Move old stuff around in /var/lib @@ -1221,7 +1320,7 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && %posttrans udev # Restart some services. # Others are either oneshot services, or sockets, and restarting them causes issues (#1378974) -%systemd_posttrans_with_restart systemd-udevd.service systemd-timesyncd.service +%systemd_posttrans_with_restart systemd-udevd.service systemd-timesyncd.service systemd-homed.service systemd-oomd.service systemd-portabled.service %global journal_remote_units_restart systemd-journal-gatewayd.service systemd-journal-remote.service systemd-journal-upload.service %global journal_remote_units_norestart systemd-journal-gatewayd.socket systemd-journal-remote.socket @@ -1243,6 +1342,14 @@ fi %systemd_posttrans_with_restart %journal_remote_units_restart %firewalld_reload +%global networkd_services %{shrink: + systemd-networkd.service + systemd-networkd.socket + systemd-networkd-wait-online.service + systemd-network-generator.service + systemd-networkd-persistent-storage.service + } + %post networkd # systemd-networkd was split out in systemd-246.6-2. # Ideally, we would have a trigger scriptlet to record enablement @@ -1256,11 +1363,11 @@ fi if [ $1 -eq 1 ] && ls /usr/lib/systemd/libsystemd-shared-24[0-6].so &>/dev/null; then echo "Skipping presets for systemd-networkd.service, seems we are upgrading from old systemd." else - %systemd_post systemd-networkd.service systemd-networkd-wait-online.service + %systemd_post %networkd_services fi %preun networkd -%systemd_preun systemd-networkd.service systemd-networkd-wait-online.service +%systemd_preun %networkd_services %posttrans networkd %systemd_posttrans_with_restart systemd-networkd.service From 59378485beb32bb6da06040a45049b3d09355524 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Fri, 21 Mar 2025 11:24:54 +0100 Subject: [PATCH 09/79] Remove purge-nobody-user script The corresponding change proposal is from 2018. Enough time has passed since then that we don't need to carry this around anymore --- purge-nobody-user | 101 ---------------------------------------------- split-files.py | 1 - systemd.spec | 3 -- 3 files changed, 105 deletions(-) delete mode 100755 purge-nobody-user diff --git a/purge-nobody-user b/purge-nobody-user deleted file mode 100755 index 66404fe..0000000 --- a/purge-nobody-user +++ /dev/null @@ -1,101 +0,0 @@ -#!/bin/bash -eu - -if [ $UID -ne 0 ]; then - echo "WARNING: This script needs to run as root to be effective" - exit 1 -fi - -export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 - -if [ "${1:-}" = "--ignore-journal" ]; then - shift - ignore_journal=1 -else - ignore_journal=0 -fi - -echo "Checking processes..." -if ps h -u 99 | grep .; then - echo "ERROR: ps reports processes with UID 99!" - exit 2 -fi -echo "... not found" - -echo "Checking UTMP..." -if w -h 199 | grep . ; then - echo "ERROR: w reports UID 99 as active!" - exit 2 -fi -if w -h nobody | grep . ; then - echo "ERROR: w reports user nobody as active!" - exit 2 -fi -echo "... not found" - -echo "Checking the journal..." -if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then - echo "ERROR: journalctl reports messages from UID 99 in current boot!" - exit 2 -fi -echo "... not found" - -echo "Looking for files in /etc, /run, /tmp, and /var..." -if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then - echo "ERROR: found files belonging to UID 99" - exit 2 -fi -echo "... not found" - -echo "Checking if nobody is defined correctly..." -if getent passwd nobody | - grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin'; -then - echo "OK, nothing to do." - exit 0 -else - echo "NOTICE: User nobody is not defined correctly" -fi - -echo "Checking if nfsnobody or something else is using the uid..." -if getent passwd 65534 | grep . ; then - echo "NOTICE: will have to remove this user" -else - echo "... not found" -fi - -if [ "${1:-}" = "-x" ]; then - if getent passwd nobody >/dev/null; then - # this will remove both the user and the group. - ( set -x - userdel nobody - ) - fi - - if getent passwd 65534 >/dev/null; then - # Make sure the uid is unused. This should free gid too. - name="$(getent passwd 65534 | cut -d: -f1)" - ( set -x - userdel "$name" - ) - fi - - if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then - echo "Sleeping, so sss can catch up" - sleep 3 - fi - - if getent group 65534; then - # Make sure the gid is unused, even if uid wasn't. - name="$(getent group 65534 | cut -d: -f1)" - ( set -x - groupdel "$name" - ) - fi - - # systemd-sysusers uses the same gid and uid - ( set -x - systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin' - ) -else - echo "Pass '-x' to perform changes" -fi diff --git a/split-files.py b/split-files.py index 9114c99..61c539e 100644 --- a/split-files.py +++ b/split-files.py @@ -7,7 +7,6 @@ known_files = ''' %ghost %config(noreplace) /etc/crypttab %ghost %attr(0444,root,root) /etc/udev/hwdb.bin /etc/inittab -/usr/lib/systemd/purge-nobody-user # This directory is owned by openssh-server, but we don't want to introduce # a dependency. So let's copy the config and co-own the directory. %dir %attr(0700,root,root) /etc/ssh/sshd_config.d diff --git a/systemd.spec b/systemd.spec index 72afb14..78bf380 100644 --- a/systemd.spec +++ b/systemd.spec @@ -79,7 +79,6 @@ Source0: https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{s # It is generated during systemd build and can be found at build/src/rpm/triggers.systemd.sh. Source1: triggers.systemd Source2: split-files.py -Source3: purge-nobody-user Source4: test_sysusers_defined.py Source6: inittab @@ -940,8 +939,6 @@ touch %{buildroot}/etc/systemd/coredump.conf \ %{buildroot}/etc/udev/udev.conf \ %{buildroot}/etc/udev/iocost.conf -install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3} - # /etc/initab install -Dm0644 -t %{buildroot}/etc/ %{SOURCE6} From 13d523f84d5607b0e062101239cb853949fbffdb Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Mon, 24 Mar 2025 14:09:10 +0100 Subject: [PATCH 10/79] Relax dependencies from noarch packages on archful packages for OBS builds In OBS, noarch packages are shared between all architectures and independent architectures can be rebuilt automatically without all the other architectures getting rebuilt. This can result in the noarch packages being newer than the archful packages for some architectures, which means our current strict deps from the noarch packages on the archful packages can't be satisfied. To address this problem, let's relax the dependencies from the noarch packages on the archful packages for OBS builds. Let's only do this for OBS builds because this isn't an issue on Fedora as it's impossible to build a package for only some of the architectures. --- systemd.spec | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/systemd.spec b/systemd.spec index 78bf380..59c906d 100644 --- a/systemd.spec +++ b/systemd.spec @@ -46,6 +46,23 @@ # autorelease correctly if the macro is conditionalized in the Release field. %{?release_override:%global autorelease %{release_override}%{?dist}} +# In OBS, noarch packages are shared between all architectures and +# independent architectures can be rebuilt automatically without all +# the other architectures getting rebuilt. This can result in the noarch +# packages being newer than the archful packages for some architectures, +# which means our current strict deps from the noarch packages on the +# archful packages can't be satisfied. +# +# To address this problem, let's relax the dependencies from the noarch +# packages on the archful packages for OBS builds. Let's only do this for +# OBS builds because this isn't an issue on Fedora as it's impossible to +# build a package for only some of the architectures. +%if %{with obs} +%define noarch_requires_version %{version} +%else +%define noarch_requires_version %{version}-%{release} +%endif + Name: systemd Url: https://systemd.io # Allow users to specify the version and release when building the rpm by @@ -496,7 +513,7 @@ machine, and to create or grow partitions and make file systems automatically. %package ukify Summary: Tool to build Unified Kernel Images -Requires: %{name} = %{version}-%{release} +Requires: %{name} = %{noarch_requires_version} Requires: (systemd-boot if %{shrink:( filesystem(x86-32) or @@ -620,7 +637,7 @@ devices. %package networkd-defaults Summary: Configure network interfaces with networkd by default -Requires: %{name}-networkd = %{version}-%{release} +Requires: %{name}-networkd = %{noarch_requires_version} License: MIT-0 BuildArch: noarch @@ -643,7 +660,7 @@ resolver, as well as an LLMNR and MulticastDNS resolver and responder. %package oomd-defaults Summary: Configuration files for systemd-oomd -Requires: %{name}-udev = %{version}-%{release} +Requires: %{name}-udev = %{noarch_requires_version} License: LGPL-2.1-or-later BuildArch: noarch From 617952132de4ed882b9b00ceeed077f843130f91 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 27 Mar 2025 21:48:29 +0100 Subject: [PATCH 11/79] Run integration testsuite standalone if available [skip changelog] --- plans/run-integration-tests.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 32751ab..9f8bd5f 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -104,7 +104,11 @@ export TEST_SKIP="TEST-21-DFUZZER" mkosi summary mkosi -f sandbox -- true -mkosi sandbox -- meson setup --buildtype=debugoptimized -Dintegration-tests=true build +if [[ -d test/integration-tests/standalone ]]; then + mkosi sandbox -- meson setup build test/integration-tests/standalone +else + mkosi sandbox -- meson setup -Dintegration-tests=true build +fi mkosi genkey mkosi -f mkosi sandbox -- \ From e2b2ea3776bda9d537cf01012c8b236cdfad4230 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 3 Apr 2025 09:36:37 +0200 Subject: [PATCH 12/79] fmf: Use mkosi/mkosi.local.conf if the mkosi/ directory exists https://github.com/systemd/systemd/pull/36954 will move all the mkosi configuration in the systemd repository into a mkosi/ subdirectory. This means we have to put mkosi.local.conf in that subdirectory as well, so check if the mkosi/ directory exists and put mkosi.local.conf in there if it exists. The mkosi/ directory will conflict with our checkout of mkosi so we move that checkout one level up. Additionally, we can't use .. anymore as the package directory as that only works when mkosi.local.conf is in the top level directory of the repository so we use an absolute path instead. --- plans/run-integration-tests.sh | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 9f8bd5f..1393b72 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -30,39 +30,48 @@ else exit 1 fi +PACKAGEDIR="$PWD" + mkdir systemd rpm2cpio ./systemd-*.src.rpm | cpio --to-stdout --extract './*.tar.gz' | tar xz --strip-components=1 -C systemd -pushd systemd # Now prepare mkosi at the same version required by the systemd repo. git clone https://github.com/systemd/mkosi -mkosi_hash="$(grep systemd/mkosi@ .github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" +mkosi_hash="$(grep systemd/mkosi@ systemd/.github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" git -C mkosi checkout "$mkosi_hash" export PATH="$PWD/mkosi/bin:$PATH" +pushd systemd + # shellcheck source=/dev/null . /etc/os-release || . /usr/lib/os-release -tee mkosi.local.conf < Date: Thu, 3 Apr 2025 09:58:17 +0200 Subject: [PATCH 13/79] Don't try to modify mkosi.repart config if mkosi conf is in subdir [skip changelog] --- plans/run-integration-tests.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 1393b72..976ceda 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -90,8 +90,13 @@ fi # Create missing mountpoint for mkosi sandbox. mkdir -p /etc/pacman.d/gnupg -# TODO: drop once BTRFS regression is fixed -sed -i "s/Format=btrfs/Format=ext4/" mkosi.repart/10-root.conf +# We don't bother with this change if the mkosi configuration is +# in mkosi/ as if that's the case then we know for sure that the +# upstream has this fix as well. +# TODO: drop once BTRFS regression is fixed. +if [[ -f mkosi.repart/10-root.conf ]]; then + sed -i "s/Format=btrfs/Format=ext4/" mkosi.repart/10-root.conf +fi # If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first. modprobe kvm || true From cc473d807fe58c6a1cd9ade1162517fed66f6090 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 3 Apr 2025 13:05:38 +0200 Subject: [PATCH 14/79] fmf: Check out mkosi to some directory in /var/tmp Using the source tree of the spec can still lead to conflicts if a mkosi/ directory exists there (which is the case in the hyperscale systemd spec repo), so let's check out mkosi in /var/tmp to ensure we don't conflict. --- plans/run-integration-tests.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 976ceda..b3651ba 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -36,11 +36,11 @@ mkdir systemd rpm2cpio ./systemd-*.src.rpm | cpio --to-stdout --extract './*.tar.gz' | tar xz --strip-components=1 -C systemd # Now prepare mkosi at the same version required by the systemd repo. -git clone https://github.com/systemd/mkosi +git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi mkosi_hash="$(grep systemd/mkosi@ systemd/.github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" -git -C mkosi checkout "$mkosi_hash" +git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash" -export PATH="$PWD/mkosi/bin:$PATH" +export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH" pushd systemd From 1126a7c6b80b9d89e7488e5409d4ef549416072a Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 3 Apr 2025 15:23:17 +0200 Subject: [PATCH 15/79] Download commit archives via full sha instead of short one Both work and if we do full sha we can retrieve the full sha from the source filename in the source rpm later on which is useful for various use cases. [skip changelog] --- systemd.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/systemd.spec b/systemd.spec index 59c906d..ecef8f6 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,6 +1,3 @@ -#global commit 1781de18ab8ebc3e42a607851d8effb3b0355c87 -%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} - # We ship a .pc file but don't want to have a dep on pkg-config. We # strip the automatically generated dep here and instead co-own the # directory. @@ -90,7 +87,7 @@ Source0: https://github.com/systemd/systemd/archive/v%{version}/%{name}-% %elif %{defined branch} Source0: https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz %elif %{defined commit} -Source0: https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +Source0: https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{commit}.tar.gz %endif # This file must be available before %%prep. # It is generated during systemd build and can be found at build/src/rpm/triggers.systemd.sh. From 08ce156d74460867657fb9b201c8be93d31e07de Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 3 Apr 2025 16:32:38 +0200 Subject: [PATCH 16/79] fmf: Run mkosi genkey before mkosi summary Otherwise mkosi summary might fail because the key/cert don't exist yet. [skip changelog] --- plans/run-integration-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index b3651ba..9d2e852 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -116,6 +116,7 @@ fi # for now. export TEST_SKIP="TEST-21-DFUZZER" +mkosi genkey mkosi summary mkosi -f sandbox -- true if [[ -d test/integration-tests/standalone ]]; then @@ -123,7 +124,6 @@ if [[ -d test/integration-tests/standalone ]]; then else mkosi sandbox -- meson setup -Dintegration-tests=true build fi -mkosi genkey mkosi -f mkosi sandbox -- \ meson test \ From 6646d13acae64665f63354cd60ecf963ee563b96 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Tue, 8 Apr 2025 22:02:11 +0200 Subject: [PATCH 17/79] fmf: Run tests from systemd-tests rpm if possible Running from the source tarball implies running with unpatched tests, whereas the same files from the systemd-tests package (which now contains the mkosi and integration test files) will be patched. [skip changelog] --- plans/run-integration-tests.sh | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 9d2e852..9a90fa7 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -32,18 +32,28 @@ fi PACKAGEDIR="$PWD" -mkdir systemd -rpm2cpio ./systemd-*.src.rpm | cpio --to-stdout --extract './*.tar.gz' | tar xz --strip-components=1 -C systemd +# TODO: Remove fallback once v257.6 is released. Also stop downloading source rpms then. + +# This will match both the regular and the debuginfo rpm so make sure we select only the +# non-debuginfo rpm. +RPMS=(systemd-tests-*.rpm) +rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract +if [[ -d usr/lib/systemd/tests/mkosi ]]; then + pushd usr/lib/systemd/tests + mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")" +else + mkdir systemd + rpm2cpio systemd-*.src.rpm | cpio --to-stdout --extract './*.tar.gz' | tar xz --strip-components=1 -C systemd + pushd systemd + mkosi_hash="$(grep systemd/mkosi@ .github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" +fi # Now prepare mkosi at the same version required by the systemd repo. git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi -mkosi_hash="$(grep systemd/mkosi@ systemd/.github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash" export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH" -pushd systemd - # shellcheck source=/dev/null . /etc/os-release || . /usr/lib/os-release @@ -119,7 +129,9 @@ export TEST_SKIP="TEST-21-DFUZZER" mkosi genkey mkosi summary mkosi -f sandbox -- true -if [[ -d test/integration-tests/standalone ]]; then +if [[ -d integration-tests/standalone ]]; then + mkosi sandbox -- meson setup build integration-tests/standalone +elif [[ -d test/integration-tests/standalone ]]; then mkosi sandbox -- meson setup build test/integration-tests/standalone else mkosi sandbox -- meson setup -Dintegration-tests=true build From d30447702396fee8fb4a94ce4e779eaac1aab5ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 9 Apr 2025 22:35:03 +0200 Subject: [PATCH 18/79] Version 257.5 - A lot of small fixes in various components --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 828efd5..eb2dbfc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-257.4.tar.gz) = dfa0f6de38fa30daffabf6b02d6533ca4e7027188186d7e2e9648b99dad5c4afa30773138f18a34111e7bb2e6ddae8302284429b98b580e757dc67535846afbe +SHA512 (systemd-257.5.tar.gz) = 9e5352c20c9edac53f302a534532035185139998628ed0a85411f440df47f1dd7cce6651aec787484809bb1aa2825008d062714c37936cbfd08451fbe29a998f diff --git a/systemd.spec b/systemd.spec index ecef8f6..95ff25e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -67,7 +67,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:257.4} +Version: %{?version_override}%{!?version_override:257.5} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From f6b814cc0fad58ed1c2e8df7918489bf4217dfaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 10 Apr 2025 15:52:59 +0200 Subject: [PATCH 19/79] Backport CI fix --- ...imit-the-number-of-iterations-when-t.patch | 62 +++++++++++++++++++ systemd.spec | 3 + 2 files changed, 65 insertions(+) create mode 100644 0001-test-sd-device-limit-the-number-of-iterations-when-t.patch diff --git a/0001-test-sd-device-limit-the-number-of-iterations-when-t.patch b/0001-test-sd-device-limit-the-number-of-iterations-when-t.patch new file mode 100644 index 0000000..8b9dddc --- /dev/null +++ b/0001-test-sd-device-limit-the-number-of-iterations-when-t.patch @@ -0,0 +1,62 @@ +From e35435b0a11e6c61c8c43b0cf8dc65a563b4a670 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 10 Apr 2025 13:51:21 +0200 +Subject: [PATCH] test-sd-device: limit the number of iterations when testing + device parent/child functions + +The test "hangs" and times out on some arm64 machines. It actually works as +expected, but the machine has 2016 children under /sys/devices/system/memory/, +and the tests do a double loop over this, which is slow enough to hit the 120 s +limit. Add a limit on the number of iterations. + +Another option would be to exclude "memory" subsystem. But we may have other +subsystems which have the same problem in the future, so I think it'll be more +robust to not try to limit the fix to a specific subsystem. + +(cherry picked from commit 74cb65e45fbf3468cf6b522e4b4fa568d95f12c6) +--- + src/libsystemd/sd-device/test-sd-device.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/libsystemd/sd-device/test-sd-device.c b/src/libsystemd/sd-device/test-sd-device.c +index 620615b6bb..aa235cf8d0 100644 +--- a/src/libsystemd/sd-device/test-sd-device.c ++++ b/src/libsystemd/sd-device/test-sd-device.c +@@ -456,6 +456,8 @@ static void check_parent_match(sd_device_enumerator *e, sd_device *dev) { + + TEST(sd_device_enumerator_add_match_parent) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; ++ /* Some devices have thousands of children. Avoid spending too much time in the double loop below. */ ++ unsigned iterations = 200; + int r; + + assert_se(sd_device_enumerator_new(&e) >= 0); +@@ -473,6 +475,9 @@ TEST(sd_device_enumerator_add_match_parent) { + const char *syspath; + sd_device *parent; + ++ if (iterations-- == 0) ++ break; ++ + assert_se(sd_device_get_syspath(dev, &syspath) >= 0); + + r = sd_device_get_parent(dev, &parent); +@@ -501,6 +506,8 @@ TEST(sd_device_enumerator_add_match_parent) { + + TEST(sd_device_get_child) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; ++ /* Some devices have thousands of children. Avoid spending too much time in the double loop below. */ ++ unsigned iterations = 3000; + int r; + + assert_se(sd_device_enumerator_new(&e) >= 0); +@@ -534,6 +541,9 @@ TEST(sd_device_get_child) { + FOREACH_DEVICE_CHILD_WITH_SUFFIX(parent, child, suffix) { + const char *s; + ++ if (iterations-- == 0) ++ return; ++ + assert_se(child); + assert_se(suffix); + diff --git a/systemd.spec b/systemd.spec index 95ff25e..1cb135b 100644 --- a/systemd.spec +++ b/systemd.spec @@ -141,6 +141,9 @@ Patch: 0002-sysusers-emit-audit-events-for-user-and-group-creati.patch # Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch + +# Backport of CI fix +Patch: 0001-test-sd-device-limit-the-number-of-iterations-when-t.patch %endif %ifarch %{ix86} x86_64 aarch64 riscv64 From f6af46db12a93d9bc8ab097f2fe2b4887543ff80 Mon Sep 17 00:00:00 2001 From: LuK1337 Date: Fri, 18 Apr 2025 00:18:57 +0200 Subject: [PATCH 20/79] Backport adb/fastboot udev rules (BZ#2356537) --- 36939.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++ systemd.spec | 4 ++++ 2 files changed, 48 insertions(+) create mode 100644 36939.patch diff --git a/36939.patch b/36939.patch new file mode 100644 index 0000000..a90d8cc --- /dev/null +++ b/36939.patch @@ -0,0 +1,44 @@ +From 1bd33efc903923b551cfde93457d0c446f7ec253 Mon Sep 17 00:00:00 2001 +From: LuK1337 +Date: Tue, 1 Apr 2025 22:23:06 +0200 +Subject: [PATCH] rules: Make ADB and fastboot work out-of-the-box + +https://android.googlesource.com/platform/packages/modules/adb/+/d0db47dcdf941673f405e1095e6ffb5e565902e5/adb.h#199 +https://android.googlesource.com/platform/system/core/+/7199051aaf0ddfa2849650933119307327d8669c/fastboot/fastboot.cpp#244 +--- + rules.d/70-uaccess.rules.in | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/rules.d/70-uaccess.rules.in b/rules.d/70-uaccess.rules.in +index 046f169e447b9..96b61cec32b25 100644 +--- a/rules.d/70-uaccess.rules.in ++++ b/rules.d/70-uaccess.rules.in +@@ -77,6 +77,20 @@ ENV{DDC_DEVICE}=="?*", TAG+="uaccess" + # media player raw devices (for user-mode drivers, Android SDK, etc.) + SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="uaccess" + ++# Android devices (ADB DbC, ADB, Fastboot) ++# Used to interact with devices over Android Debug Bridge and Fastboot protocols, see: ++# * https://developer.android.com/tools/adb ++# * https://source.android.com/docs/setup/test/running ++# * https://source.android.com/docs/setup/test/flash ++# ++# The bInterfaceClass and bInterfaceSubClass used are documented in source code here: ++# * https://android.googlesource.com/platform/packages/modules/adb/+/d0db47dcdf941673f405e1095e6ffb5e565902e5/adb.h#199 ++# * https://android.googlesource.com/platform/system/core/+/7199051aaf0ddfa2849650933119307327d8669c/fastboot/fastboot.cpp#244 ++# ++# Since it's using a generic vendor specific interface class, this can potentially result ++# in a rare case where non-ADB/Fastboot device ends up with an ID_DEBUG_APPLIANCE="android". ++SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:dc0201:*|*:ff4201:*|*:ff4203:*", ENV{ID_DEBUG_APPLIANCE}="android" ++ + # software-defined radio communication devices + ENV{ID_SOFTWARE_RADIO}=="?*", TAG+="uaccess" + +@@ -111,4 +125,7 @@ SUBSYSTEM=="hidraw", ENV{ID_HARDWARE_WALLET}=="1", TAG+="uaccess" + # As defined in https://en.wikipedia.org/wiki/3Dconnexion + SUBSYSTEM=="hidraw", ENV{ID_INPUT_3D_MOUSE}=="1", TAG+="uaccess" + ++# Debug interfaces (e.g. Android Debug Bridge) ++ENV{ID_DEBUG_APPLIANCE}=="?*", TAG+="uaccess" ++ + LABEL="uaccess_end" diff --git a/systemd.spec b/systemd.spec index 1cb135b..fa5ad80 100644 --- a/systemd.spec +++ b/systemd.spec @@ -138,6 +138,10 @@ Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers. Patch: 0002-sysusers-emit-audit-events-for-user-and-group-creati.patch +# Backport of adb/fastboot udev rules: +# https://bugzilla.redhat.com/show_bug.cgi?id=2356537 +Patch: https://github.com/systemd/systemd/pull/36939.patch + # Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch From 451184cbea3d4dfc9310fd6abe47221d942ad0ab Mon Sep 17 00:00:00 2001 From: LuK1337 Date: Fri, 2 May 2025 09:54:13 +0200 Subject: [PATCH 21/79] Revert "Disable freezing of user sessions" This breaks suspend on my machine as of Linux 6.14, furthermore both linked issues in rhbz#2321268 are closed and fixed in Linux upstream. This reverts commit 6162965002f9e6052e0ce8d6810028da4679e55a. --- systemd.spec | 9 --------- 1 file changed, 9 deletions(-) diff --git a/systemd.spec b/systemd.spec index fa5ad80..4949a58 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1111,15 +1111,6 @@ mv %{buildroot}/usr/lib/tmpfiles.d/20-systemd-userdb.conf{,.example} install -m 0644 -t %{buildroot}%{_prefix}/lib/pam.d/ %{SOURCE26} -# Disable freezing of user sessions while we're working out the details. -mkdir -p %{buildroot}/usr/lib/systemd/system/service.d/ -cat >>%{buildroot}/usr/lib/systemd/system/service.d/50-keep-warm.conf < Date: Thu, 8 May 2025 14:14:40 +0200 Subject: [PATCH 22/79] Move mount.ddi symlinks to -container subpackage Those symlinks point to systemd-dissect, so with just the main subpackage installed, the symlink was dangling. --- split-files.py | 1 + 1 file changed, 1 insertion(+) diff --git a/split-files.py b/split-files.py index 61c539e..9afeaeb 100644 --- a/split-files.py +++ b/split-files.py @@ -148,6 +148,7 @@ for file in files(buildroot): elif re.search(r'''mymachines| machinectl| + mount.ddi| importctl| portablectl| systemd-nspawn| From 5a53eac13c5e0c1c1700957420fd19ecf4a6aab9 Mon Sep 17 00:00:00 2001 From: David Tardon Date: Tue, 20 May 2025 12:48:35 +0200 Subject: [PATCH 23/79] Package pcrlock files together with systemd-pcrlock ... (rhbz#2366948) --- split-files.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/split-files.py b/split-files.py index 9afeaeb..0cf0f6c 100644 --- a/split-files.py +++ b/split-files.py @@ -129,7 +129,7 @@ for file in files(buildroot): o = outputs['shared'] elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n): o = outputs['udev'] - elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n): + elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n): o = outputs['devel'] elif re.search(r'''journal-(remote|gateway|upload)| systemd-remote\.conf| @@ -234,7 +234,8 @@ for file in files(buildroot): integritytab| remount-fs| /initrd| - systemd-pcr| + systemd[.-]pcr| + /pcrlock\.d| systemd-measure| /boot$| /kernel/| From ed6b885327a9a46dc692576220e2187b9b6ff0e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 29 May 2025 18:57:50 +0200 Subject: [PATCH 24/79] Version 257.6 - Fix for local information disclosure in systemd-coredump (CVE-2025-4598) - Fixes for systemd itself, run0, systemd-networkd, "secure" pager, man pages, shell completions, sd-boot, sd-varlink - Hardware database update --- ...imit-the-number-of-iterations-when-t.patch | 62 ------------------- 36939.patch | 44 ------------- sources | 2 +- systemd.spec | 12 +--- 4 files changed, 4 insertions(+), 116 deletions(-) delete mode 100644 0001-test-sd-device-limit-the-number-of-iterations-when-t.patch delete mode 100644 36939.patch diff --git a/0001-test-sd-device-limit-the-number-of-iterations-when-t.patch b/0001-test-sd-device-limit-the-number-of-iterations-when-t.patch deleted file mode 100644 index 8b9dddc..0000000 --- a/0001-test-sd-device-limit-the-number-of-iterations-when-t.patch +++ /dev/null @@ -1,62 +0,0 @@ -From e35435b0a11e6c61c8c43b0cf8dc65a563b4a670 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 10 Apr 2025 13:51:21 +0200 -Subject: [PATCH] test-sd-device: limit the number of iterations when testing - device parent/child functions - -The test "hangs" and times out on some arm64 machines. It actually works as -expected, but the machine has 2016 children under /sys/devices/system/memory/, -and the tests do a double loop over this, which is slow enough to hit the 120 s -limit. Add a limit on the number of iterations. - -Another option would be to exclude "memory" subsystem. But we may have other -subsystems which have the same problem in the future, so I think it'll be more -robust to not try to limit the fix to a specific subsystem. - -(cherry picked from commit 74cb65e45fbf3468cf6b522e4b4fa568d95f12c6) ---- - src/libsystemd/sd-device/test-sd-device.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/libsystemd/sd-device/test-sd-device.c b/src/libsystemd/sd-device/test-sd-device.c -index 620615b6bb..aa235cf8d0 100644 ---- a/src/libsystemd/sd-device/test-sd-device.c -+++ b/src/libsystemd/sd-device/test-sd-device.c -@@ -456,6 +456,8 @@ static void check_parent_match(sd_device_enumerator *e, sd_device *dev) { - - TEST(sd_device_enumerator_add_match_parent) { - _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; -+ /* Some devices have thousands of children. Avoid spending too much time in the double loop below. */ -+ unsigned iterations = 200; - int r; - - assert_se(sd_device_enumerator_new(&e) >= 0); -@@ -473,6 +475,9 @@ TEST(sd_device_enumerator_add_match_parent) { - const char *syspath; - sd_device *parent; - -+ if (iterations-- == 0) -+ break; -+ - assert_se(sd_device_get_syspath(dev, &syspath) >= 0); - - r = sd_device_get_parent(dev, &parent); -@@ -501,6 +506,8 @@ TEST(sd_device_enumerator_add_match_parent) { - - TEST(sd_device_get_child) { - _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; -+ /* Some devices have thousands of children. Avoid spending too much time in the double loop below. */ -+ unsigned iterations = 3000; - int r; - - assert_se(sd_device_enumerator_new(&e) >= 0); -@@ -534,6 +541,9 @@ TEST(sd_device_get_child) { - FOREACH_DEVICE_CHILD_WITH_SUFFIX(parent, child, suffix) { - const char *s; - -+ if (iterations-- == 0) -+ return; -+ - assert_se(child); - assert_se(suffix); - diff --git a/36939.patch b/36939.patch deleted file mode 100644 index a90d8cc..0000000 --- a/36939.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1bd33efc903923b551cfde93457d0c446f7ec253 Mon Sep 17 00:00:00 2001 -From: LuK1337 -Date: Tue, 1 Apr 2025 22:23:06 +0200 -Subject: [PATCH] rules: Make ADB and fastboot work out-of-the-box - -https://android.googlesource.com/platform/packages/modules/adb/+/d0db47dcdf941673f405e1095e6ffb5e565902e5/adb.h#199 -https://android.googlesource.com/platform/system/core/+/7199051aaf0ddfa2849650933119307327d8669c/fastboot/fastboot.cpp#244 ---- - rules.d/70-uaccess.rules.in | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/rules.d/70-uaccess.rules.in b/rules.d/70-uaccess.rules.in -index 046f169e447b9..96b61cec32b25 100644 ---- a/rules.d/70-uaccess.rules.in -+++ b/rules.d/70-uaccess.rules.in -@@ -77,6 +77,20 @@ ENV{DDC_DEVICE}=="?*", TAG+="uaccess" - # media player raw devices (for user-mode drivers, Android SDK, etc.) - SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="uaccess" - -+# Android devices (ADB DbC, ADB, Fastboot) -+# Used to interact with devices over Android Debug Bridge and Fastboot protocols, see: -+# * https://developer.android.com/tools/adb -+# * https://source.android.com/docs/setup/test/running -+# * https://source.android.com/docs/setup/test/flash -+# -+# The bInterfaceClass and bInterfaceSubClass used are documented in source code here: -+# * https://android.googlesource.com/platform/packages/modules/adb/+/d0db47dcdf941673f405e1095e6ffb5e565902e5/adb.h#199 -+# * https://android.googlesource.com/platform/system/core/+/7199051aaf0ddfa2849650933119307327d8669c/fastboot/fastboot.cpp#244 -+# -+# Since it's using a generic vendor specific interface class, this can potentially result -+# in a rare case where non-ADB/Fastboot device ends up with an ID_DEBUG_APPLIANCE="android". -+SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:dc0201:*|*:ff4201:*|*:ff4203:*", ENV{ID_DEBUG_APPLIANCE}="android" -+ - # software-defined radio communication devices - ENV{ID_SOFTWARE_RADIO}=="?*", TAG+="uaccess" - -@@ -111,4 +125,7 @@ SUBSYSTEM=="hidraw", ENV{ID_HARDWARE_WALLET}=="1", TAG+="uaccess" - # As defined in https://en.wikipedia.org/wiki/3Dconnexion - SUBSYSTEM=="hidraw", ENV{ID_INPUT_3D_MOUSE}=="1", TAG+="uaccess" - -+# Debug interfaces (e.g. Android Debug Bridge) -+ENV{ID_DEBUG_APPLIANCE}=="?*", TAG+="uaccess" -+ - LABEL="uaccess_end" diff --git a/sources b/sources index eb2dbfc..3600679 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-257.5.tar.gz) = 9e5352c20c9edac53f302a534532035185139998628ed0a85411f440df47f1dd7cce6651aec787484809bb1aa2825008d062714c37936cbfd08451fbe29a998f +SHA512 (systemd-257.6.tar.gz) = ceed65196d4235f53db00f5970eadff79149629d8c34f79593d0b326ece536ea0b4f97192458989b5fccbd9438bb2dbb0abda2a5e6c3449a709c9a0889e29d3d diff --git a/systemd.spec b/systemd.spec index 4949a58..990e4b1 100644 --- a/systemd.spec +++ b/systemd.spec @@ -67,7 +67,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:257.5} +Version: %{?version_override}%{!?version_override:257.6} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif @@ -128,6 +128,8 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch %endif %if %{without upstream} +# Those are downstream-only patches, but we don't want them in packit builds. + # Temporarily drop use of PrivateTmp=disconnected. This is causing failures # in various places: # https://bugzilla.redhat.com/show_bug.cgi?id=2334015 @@ -138,16 +140,8 @@ Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers. Patch: 0002-sysusers-emit-audit-events-for-user-and-group-creati.patch -# Backport of adb/fastboot udev rules: -# https://bugzilla.redhat.com/show_bug.cgi?id=2356537 -Patch: https://github.com/systemd/systemd/pull/36939.patch - -# Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch - -# Backport of CI fix -Patch: 0001-test-sd-device-limit-the-number-of-iterations-when-t.patch %endif %ifarch %{ix86} x86_64 aarch64 riscv64 From 92c16c1daba4375f394b256d6dc2198232edbc87 Mon Sep 17 00:00:00 2001 From: Matteo Croce Date: Wed, 16 Apr 2025 15:39:33 +0200 Subject: [PATCH 25/79] Let systemd-{sysusers,shared} conflict with older systemd When downgrading to package versions before 257.3-6 we have this error: Error: Transaction test error: file /usr/bin/systemd-sysusers from install of systemd-257-9.el10.x86_64 conflicts with file from package systemd-sysusers-258~devel-20250416115850.el10.x86_64 Add Conflicts on systemd-sysusers subpackage to allow downgrades across version 257.3-6. --- systemd.spec | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/systemd.spec b/systemd.spec index 990e4b1..977a88f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -389,6 +389,10 @@ Libraries for systemd and udev. %package shared Summary: Internal systemd shared library License: LGPL-2.1-or-later AND MIT +# in 257.3-6 /usr/lib64/systemd/libsystemd-shared-257.2-14.fc42.so +# was moved from package systemd to systemd-shared. +# Add a conflit to allow downgrades across this change. +Conflicts: %{name} < 257.3-6 %description shared Internal libraries used by various systemd binaries. @@ -415,6 +419,9 @@ for information how to use those macros. Summary: systemd-sysusers program Requires: %{name}-shared%{_isa} = %{version}-%{release} Conflicts: %{name}-standalone-sysusers +# in 257.3-6 /usr/bin/systemd-sysusers was moved from package systemd +# to systemd-sysusers. Add a conflit to allow downgrades across this change. +Conflicts: %{name} < 257.3-6 %description sysusers This package contains the systemd-sysusers program. From 7de88c66bdc26920db570e67ef74e579f8461d9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 5 Jun 2025 01:08:22 +0200 Subject: [PATCH 26/79] Do not mark symlinks as %ghost When testing build reproducibility, we got the following result: + rpmdiff cache/rpms/systemd-257.6-1.fc43/systemd-257.6-1.fc43.x86_64.rpm \ cache/build/systemd-257.6-1.fc43/rebuild/systemd-257.6-1.fc43.x86_64.rpm ......V..F. /etc/xdg/systemd/user This is because we'd apply %ghost to a symlink to a directory, if the directory stat reported 0 blocks. It seems that this depends on the filesystem type or something and didn't pop up in previous rebuilds. The first chunk is a noop to increase clarity. The resulting difference from this patch in the file list: $ diff -u systemd-257.6-build/systemd-257.6/.file-list-main{.0,} -%config(noreplace) %ghost /etc/xdg/systemd/user +%config(noreplace) /etc/xdg/systemd/user --- split-files.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/split-files.py b/split-files.py index 0cf0f6c..d533c51 100644 --- a/split-files.py +++ b/split-files.py @@ -270,13 +270,13 @@ for file in files(buildroot): if n in known_files: prefix = known_files[n].split()[:-1] - elif file.is_dir() and not file.is_symlink(): + elif file.is_dir(follow_symlinks=False): prefix = ['%dir'] elif 'README' in n: prefix = ['%doc'] elif n.startswith('/etc'): prefix = ['%config(noreplace)'] - if file.stat().st_size == 0: + if not file.is_symlink() and file.stat().st_size == 0: prefix += ['%ghost'] else: prefix = [] From 5d30fd3b269b979fb982df7439aac568ddf5e53c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 26 Jun 2025 14:17:05 +0200 Subject: [PATCH 27/79] Version 257.7 - Fixes for systemd itself, systemd-repart, systemd-resolved, systemd-vmspawn, systemd-networkd, resolvectl, bootctl, the shared library code, man pages, shell completions, and tests. - Hardware database is updated. --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 3600679..5c43434 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-257.6.tar.gz) = ceed65196d4235f53db00f5970eadff79149629d8c34f79593d0b326ece536ea0b4f97192458989b5fccbd9438bb2dbb0abda2a5e6c3449a709c9a0889e29d3d +SHA512 (systemd-257.7.tar.gz) = fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411 diff --git a/systemd.spec b/systemd.spec index 977a88f..d57bd48 100644 --- a/systemd.spec +++ b/systemd.spec @@ -67,7 +67,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:257.6} +Version: %{?version_override}%{!?version_override:257.7} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From 40b38a04d27fd2a8b6fc277df67e14a0abbb3cfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 2 Jul 2025 16:21:29 +0200 Subject: [PATCH 28/79] Build docs on 64-bit architectures only In the light of the recent discussion about dropping i686 packages, let's stop building our docs there. This reduces the amount of tools needed in the mock root. Unfortunately we need to move the man page out of the noarch ukify subpackage, because it needs to be the same on all architectures where it is built. --- split-files.py | 2 +- systemd.spec | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/split-files.py b/split-files.py index d533c51..5b20b85 100644 --- a/split-files.py +++ b/split-files.py @@ -121,7 +121,7 @@ for file in files(buildroot): o = outputs['rpm-macros'] elif '/usr/lib/systemd/tests' in n: o = outputs['tests'] - elif 'ukify' in n: + elif 'ukify' in n and '/man/' not in n: o = outputs['ukify'] elif re.search(r'/libsystemd-core-.*\.so$', n): o = outputs['main'] diff --git a/systemd.spec b/systemd.spec index d57bd48..056f7a6 100644 --- a/systemd.spec +++ b/systemd.spec @@ -24,7 +24,8 @@ %bcond bootstrap 0 %bcond tests 1 %bcond lto 1 -%bcond docs 1 +# Build docs on 64-bit architectures only +%bcond docs %[%{?__isa_bits} >= 64] # Build from git main %bcond upstream 0 From ed7d2f11320e3d185bb378abdf422541b845bad4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 8 Jul 2025 12:50:10 +0200 Subject: [PATCH 29/79] Add "test" that LTO effectively removes unused code from shared lib --- systemd.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/systemd.spec b/systemd.spec index 056f7a6..9f1c661 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1128,6 +1128,14 @@ BRP_PESIGN_FILES=/usr/lib/systemd/boot/efi/systemd-boot%{efi_arch}.efi BRP_PESIG meson test -C %{_vpath_builddir} -t 6 --print-errorlogs %endif +%if %{with lto} +# Make sure that LTO is effective at removing unused code. When compiled +# without LTO, we end up with all of libbasic_static.a in libsystemd.so. +# For example, all the configuration stuff is not needed for libsystemd.so. +# Make sure it is gone. +(! strings %{buildroot}%{_libdir}/libsystemd.so | grep Config) +%endif + ############################################################################################# %if %{without upstream} || (0%{?fedora} < 41 && 0%{?rhel} < 11) From 98cc5fd91a04856a5d5c6a4c41f3294327e14146 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 23 Jul 2025 22:50:45 +0200 Subject: [PATCH 30/79] Version 258~rc1 - See https://raw.githubusercontent.com/systemd/systemd/v258-rc1/NEWS. Too many changes to list or discuss here. --- ...dit-events-for-user-and-group-creati.patch | 287 ------------------ 30846.patch | 15 +- sources | 2 +- split-files.py | 2 +- systemd.spec | 15 +- 5 files changed, 17 insertions(+), 304 deletions(-) delete mode 100644 0002-sysusers-emit-audit-events-for-user-and-group-creati.patch diff --git a/0002-sysusers-emit-audit-events-for-user-and-group-creati.patch b/0002-sysusers-emit-audit-events-for-user-and-group-creati.patch deleted file mode 100644 index d442f5a..0000000 --- a/0002-sysusers-emit-audit-events-for-user-and-group-creati.patch +++ /dev/null @@ -1,287 +0,0 @@ -From 398049208b4aae5f2a9f0d4914dee6ab6e101118 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 10 Jan 2025 15:35:13 +0100 -Subject: [PATCH 2/2] sysusers: emit audit events for user and group creation - -Background: Fedora/RHEL are switching to sysusers.d metadata for creation of -users and groups for system users defined by packages -(https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers). -Packages carry sysusers files. During package installation, rpm calls an -program to execute on this config. This program may either be -/usr/lib/rpm/sysusers.sh which calls useradd/groupadd, or -/usr/bin/systemd-sysusers. To match the functionality provided by -useradd/groupadd from the shadow-utils project, systemd-sysusers must emit -audit events so that it provides a drop-in replacement. - -systemd-sysuers will emit audit events AUDIT_ADD_USER/AUDIT_ADD_GROUP when -adding users and groups. The operation "names" are copied from shadow-utils in -Fedora (which has a patch to change them from the upstream version), so the -format of the events that is generated on success should be identical. - -The helper code is shared between sysusers and utmp-wtmp. I changed the -audit_fd variable to be unconditional. This way we can avoid ugly iffdefery -every time the variable would be used. The cost is that 4 bytes of unused -storage might be present. This is negligible, and the compiler might even be -able to optimize that away if it inlines things. ---- - src/basic/audit-util.h | 33 +++++++++++++++++++++ - src/sysusers/meson.build | 2 ++ - src/sysusers/sysusers.c | 56 +++++++++++++++++++++++++++++++++++ - src/update-utmp/update-utmp.c | 23 ++------------ - 4 files changed, 94 insertions(+), 20 deletions(-) - -diff --git a/src/basic/audit-util.h b/src/basic/audit-util.h -index 9a74e4f102..d8ecf14f69 100644 ---- a/src/basic/audit-util.h -+++ b/src/basic/audit-util.h -@@ -1,10 +1,16 @@ - /* SPDX-License-Identifier: LGPL-2.1-or-later */ - #pragma once - -+#if HAVE_AUDIT -+# include -+#endif -+ - #include - #include - #include - -+#include "errno-util.h" -+#include "log.h" - #include "pidref.h" - - #define AUDIT_SESSION_INVALID UINT32_MAX -@@ -17,3 +23,30 @@ bool use_audit(void); - static inline bool audit_session_is_valid(uint32_t id) { - return id > 0 && id != AUDIT_SESSION_INVALID; - } -+ -+/* The wrappers for audit_open() and audit_close() are inline functions so that we don't get a spurious -+ * linkage to libaudit in libbasic, but we also don't need to create a separate source file for two very -+ * short functions. */ -+ -+static inline int close_audit_fd(int fd) { -+#if HAVE_AUDIT -+ if (fd >= 0) -+ audit_close(fd); -+#else -+ assert(fd < 0); -+#endif -+ return -EBADF; -+} -+ -+static inline int open_audit_fd_or_warn(void) { -+ int fd = -EBADF; -+ -+#if HAVE_AUDIT -+ /* If the kernel lacks netlink or audit support, don't worry about it. */ -+ fd = audit_open(); -+ if (fd < 0) -+ return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, -+ errno, "Failed to connect to audit log, ignoring: %m"); -+#endif -+ return fd; -+} -diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build -index 123ff41d3f..c968f55110 100644 ---- a/src/sysusers/meson.build -+++ b/src/sysusers/meson.build -@@ -9,6 +9,7 @@ executables += [ - 'name' : 'systemd-sysusers', - 'public' : true, - 'sources' : files('sysusers.c'), -+ 'dependencies' : libaudit, - }, - executable_template + { - 'name' : 'systemd-sysusers.standalone', -@@ -20,6 +21,7 @@ executables += [ - libshared_static, - libsystemd_static, - ], -+ 'dependencies' : libaudit, - 'build_by_default' : have_standalone_binaries, - 'install' : have_standalone_binaries, - }, -diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c -index 44253483db..84eb9fc0c3 100644 ---- a/src/sysusers/sysusers.c -+++ b/src/sysusers/sysusers.c -@@ -3,6 +3,7 @@ - #include - - #include "alloc-util.h" -+#include "audit-util.h" - #include "build.h" - #include "chase.h" - #include "conf-files.h" -@@ -106,6 +107,8 @@ STATIC_DESTRUCTOR_REGISTER(arg_image, freep); - STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); - - typedef struct Context { -+ int audit_fd; -+ - OrderedHashmap *users, *groups; - OrderedHashmap *todo_uids, *todo_gids; - OrderedHashmap *members; -@@ -126,6 +129,8 @@ typedef struct Context { - static void context_done(Context *c) { - assert(c); - -+ c->audit_fd = close_audit_fd(c->audit_fd); -+ - ordered_hashmap_free(c->groups); - ordered_hashmap_free(c->users); - ordered_hashmap_free(c->members); -@@ -163,6 +168,48 @@ static void maybe_emit_login_defs_warning(Context *c) { - c->login_defs_need_warning = false; - } - -+static void log_audit_accounts(Context *c, ItemType what) { -+#if HAVE_AUDIT -+ assert(c); -+ assert(IN_SET(what, ADD_USER, ADD_GROUP)); -+ -+ if (arg_dry_run || c->audit_fd < 0) -+ return; -+ -+ Item *i; -+ int type = what == ADD_USER ? AUDIT_ADD_USER : AUDIT_ADD_GROUP; -+ const char *op = what == ADD_USER ? "adding-user" : "adding-group"; -+ -+ /* Notes: -+ * -+ * The op must not contain whitespace. The format with a dash matches what Fedora shadow-utils uses. -+ * -+ * We send id == -1, even though we know the number, in particular on success. This is because if we -+ * send the id, the generated audit message will not contain the name. The name seems more useful -+ * than the number, hence send just the name: -+ * -+ * type=ADD_USER msg=audit(01/10/2025 16:02:00.639:3854) : -+ * pid=3846380 uid=root auid=zbyszek ses=2 msg='op=adding-user id=unknown(952) exe=systemd-sysusers ... res=success' -+ * vs. -+ * type=ADD_USER msg=audit(01/10/2025 16:03:15.457:3908) : -+ * pid=3846607 uid=root auid=zbyszek ses=2 msg='op=adding-user acct=foo5 exe=systemd-sysusers ... res=success' -+ */ -+ -+ ORDERED_HASHMAP_FOREACH(i, what == ADD_USER ? c->todo_uids : c->todo_gids) -+ audit_log_acct_message( -+ c->audit_fd, -+ type, -+ program_invocation_short_name, -+ op, -+ i->name, -+ /* id= */ (unsigned) -1, -+ /* host= */ NULL, -+ /* addr= */ NULL, -+ /* tty= */ NULL, -+ /* success= */ 1); -+#endif -+} -+ - static int load_user_database(Context *c) { - _cleanup_fclose_ FILE *f = NULL; - const char *passwd_path; -@@ -971,6 +1018,8 @@ static int write_files(Context *c) { - group_tmp, group_path); - group_tmp = mfree(group_tmp); - } -+ /* OK, we have written the group entries successfully */ -+ log_audit_accounts(c, ADD_GROUP); - if (gshadow) { - r = rename_and_apply_smack_floor_label(gshadow_tmp, gshadow_path); - if (r < 0) -@@ -988,6 +1037,8 @@ static int write_files(Context *c) { - - passwd_tmp = mfree(passwd_tmp); - } -+ /* OK, we have written the user entries successfully */ -+ log_audit_accounts(c, ADD_USER); - if (shadow) { - r = rename_and_apply_smack_floor_label(shadow_tmp, shadow_path); - if (r < 0) -@@ -2232,6 +2283,7 @@ static int run(int argc, char *argv[]) { - #endif - _cleanup_close_ int lock = -EBADF; - _cleanup_(context_done) Context c = { -+ .audit_fd = -EBADF, - .search_uid = UID_INVALID, - }; - -@@ -2281,6 +2333,10 @@ static int run(int argc, char *argv[]) { - assert(!arg_image); - #endif - -+ /* Prepare to emit audit events, but only if we're operating on the host system. */ -+ if (!arg_root) -+ c.audit_fd = open_audit_fd_or_warn(); -+ - /* If command line arguments are specified along with --replace, read all configuration files and - * insert the positional arguments at the specified place. Otherwise, if command line arguments are - * specified, execute just them, and finally, without --replace= or any positional arguments, just -diff --git a/src/update-utmp/update-utmp.c b/src/update-utmp/update-utmp.c -index a10e6d478a..6df9414063 100644 ---- a/src/update-utmp/update-utmp.c -+++ b/src/update-utmp/update-utmp.c -@@ -5,12 +5,9 @@ - #include - #include - --#if HAVE_AUDIT --#include --#endif -- - #include "sd-bus.h" - -+#include "audit-util.h" - #include "alloc-util.h" - #include "bus-error.h" - #include "bus-locator.h" -@@ -30,20 +27,14 @@ - - typedef struct Context { - sd_bus *bus; --#if HAVE_AUDIT - int audit_fd; --#endif - } Context; - - static void context_clear(Context *c) { - assert(c); - - c->bus = sd_bus_flush_close_unref(c->bus); --#if HAVE_AUDIT -- if (c->audit_fd >= 0) -- audit_close(c->audit_fd); -- c->audit_fd = -EBADF; --#endif -+ c->audit_fd = close_audit_fd(c->audit_fd); - } - - static int get_startup_monotonic_time(Context *c, usec_t *ret) { -@@ -256,22 +247,14 @@ static int run(int argc, char *argv[]) { - }; - - _cleanup_(context_clear) Context c = { --#if HAVE_AUDIT - .audit_fd = -EBADF, --#endif - }; - - log_setup(); - - umask(0022); - --#if HAVE_AUDIT -- /* If the kernel lacks netlink or audit support, don't worry about it. */ -- c.audit_fd = audit_open(); -- if (c.audit_fd < 0) -- log_full_errno(IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT) ? LOG_DEBUG : LOG_WARNING, -- errno, "Failed to connect to audit log, ignoring: %m"); --#endif -+ c.audit_fd = open_audit_fd_or_warn(); - - return dispatch_verb(argc, argv, verbs, &c); - } --- -2.47.1 - diff --git a/30846.patch b/30846.patch index ca9cffb..77da69f 100644 --- a/30846.patch +++ b/30846.patch @@ -1,4 +1,4 @@ -From 9e3d6b193d79ce447cd329617ada941f331570a9 Mon Sep 17 00:00:00 2001 +From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 9 Jan 2024 11:28:04 +0100 Subject: [PATCH] journal: again create user journals for users with high uids @@ -39,17 +39,18 @@ revert the change to fix user systems. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843. --- - src/basic/uid-classification.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + src/basic/uid-classification.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c -index e2d2cebc6de27..2c8b06c0d3088 100644 +index 203ce2c68a..2eb384395d 100644 --- a/src/basic/uid-classification.c +++ b/src/basic/uid-classification.c -@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) { +@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) { /* Returns true if the specified UID shall get its data stored in the system journal. */ -- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid); -+ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY; +- return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid); ++ return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid); ++ } diff --git a/sources b/sources index 5c43434..f685aed 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-257.7.tar.gz) = fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411 +SHA512 (systemd-258-rc1.tar.gz) = 4dff1d4de6deb085cfa6827208692fe84a3adfe04f048d7a88e6f980ce11afee3cc53f2e7f1bc878480f24a085c0acff84b64c150032dde235a279c742dbff08 diff --git a/split-files.py b/split-files.py index 5b20b85..8405956 100644 --- a/split-files.py +++ b/split-files.py @@ -155,7 +155,7 @@ for file in files(buildroot): systemd\.nspawn| systemd-vmspawn| systemd-dissect| - import-pubring.gpg| + import-pubring| systemd-machined| systemd-import| systemd-export| diff --git a/systemd.spec b/systemd.spec index 9f1c661..cbbce96 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:257.7} +Version: %{?version_override}%{!?version_override:258~rc1} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif @@ -84,7 +84,7 @@ Summary: System and Service Manager # packit will always rewrite the first Source0 it finds, ignoring any conditionals so list # the fallback source that's used if neither %%branch nor %%commit are defined first. %if %{undefined branch} && %{undefined commit} -Source0: https://github.com/systemd/systemd/archive/v%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz %elif %{defined branch} Source0: https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz %elif %{defined commit} @@ -137,10 +137,6 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch # https://github.com/coreos/fedora-coreos-tracker/issues/1857 Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch -# Backport of sysusers audit support for -# https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers. -Patch: 0002-sysusers-emit-audit-events-for-user-and-group-creati.patch - # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch %endif @@ -500,6 +496,10 @@ Obsoletes: u2f-hidraw-policy < 1.0.2-40 Conflicts: %{name}-standalone-repart Provides: %{name}-repart = %{version}-%{release} +# Newer versions of those are required to support X11 keycode remapping +Conflicts: xorg-x11-drv-evdev < 2.11.0 +Conflicts: xorg-x11-drv-libinput < 1.5.0 + %if "%{_sbindir}" == "%{_bindir}" # Compat symlinks for Requires in other packages. # We rely on filesystem to create the symlinks for us. @@ -741,7 +741,7 @@ main systemd package and is meant for use in exitrds. %elif %{defined commit} %autosetup -n %{name}-%{commit} -p1 %else -%autosetup -n %{name}-%{version} -p1 +%autosetup -n %{name}-%{version_no_tilde} -p1 %endif # Disable user lockdown until rpm implements it natively. @@ -804,7 +804,6 @@ CONFIGURE_OPTS=( -Dacl=enabled -Dsmack=true -Dopenssl=enabled - -Dcryptolib=openssl -Dp11kit=enabled -Dgcrypt=disabled -Daudit=enabled From 8d1645af7549815a89b8262621be4c95afa4201f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 25 Jul 2025 14:08:10 +0200 Subject: [PATCH 31/79] Use again %{version} when building in OBS %{version_no_tilde} no work. [skip changelog] --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index cbbce96..5911992 100644 --- a/systemd.spec +++ b/systemd.spec @@ -740,6 +740,8 @@ main systemd package and is meant for use in exitrds. %autosetup -n %{name}-%{branch} -p1 %elif %{defined commit} %autosetup -n %{name}-%{commit} -p1 +%elif %{with obs} +%autosetup -n %{name}-%{version} -p1 %else %autosetup -n %{name}-%{version_no_tilde} -p1 %endif From 2ace9416e85dd4759f7c0db4bb79d2bc9302dd77 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 25 Jul 2025 18:05:35 +0200 Subject: [PATCH 32/79] obs: also use version with tilde for Source0 [skip changelog] --- systemd.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 5911992..e15b511 100644 --- a/systemd.spec +++ b/systemd.spec @@ -83,7 +83,9 @@ Summary: System and Service Manager # download tarballs with "spectool -g systemd.spec" # packit will always rewrite the first Source0 it finds, ignoring any conditionals so list # the fallback source that's used if neither %%branch nor %%commit are defined first. -%if %{undefined branch} && %{undefined commit} +%if %{with obs} +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.gz +%elif %{undefined branch} && %{undefined commit} Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz %elif %{defined branch} Source0: https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz From be7a4d0863f5747ca49396db08fec55397d390c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 6 Aug 2025 08:56:51 +0200 Subject: [PATCH 33/79] Version 258~rc2 --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index f685aed..2cde49e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-258-rc1.tar.gz) = 4dff1d4de6deb085cfa6827208692fe84a3adfe04f048d7a88e6f980ce11afee3cc53f2e7f1bc878480f24a085c0acff84b64c150032dde235a279c742dbff08 +SHA512 (systemd-258-rc2.tar.gz) = d864f756fe3288f09b917498fc1a075abe0708f894ff9e5a8fd9d5204f76437e1539a168f55ef2542af33b6e3e9aba8567d0eadb11b936f57be40d209b678c92 diff --git a/systemd.spec b/systemd.spec index e15b511..2363513 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:258~rc1} +Version: %{?version_override}%{!?version_override:258~rc2} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From 1bdb4efe409c912031dba2e44ba5e2b92875cdb7 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 8 Aug 2025 01:59:13 +0100 Subject: [PATCH 34/79] obs: switch to xz for compression [skip changelog] --- systemd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 2363513..740cdd8 100644 --- a/systemd.spec +++ b/systemd.spec @@ -84,7 +84,7 @@ Summary: System and Service Manager # packit will always rewrite the first Source0 it finds, ignoring any conditionals so list # the fallback source that's used if neither %%branch nor %%commit are defined first. %if %{with obs} -Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.gz +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.xz %elif %{undefined branch} && %{undefined commit} Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz %elif %{defined branch} From 50936458a75224fab9b33c5abbae480d14f9bf16 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 8 Aug 2025 01:59:49 +0100 Subject: [PATCH 35/79] obs: move recipe files in place The RPM recipe files for SUSE and Fedora conflict and cannot be both unpacked at the same time (e.g.: triggers.systemd, systemd.spec, etc). The tarballs creation are unconditional. This means the same project build cannot build for both Fedora and SUSE. All other distros can co-habitate in the same project, so that a single repository checkout, single trigger, single everything is used. By storing the RPM recipe files in a separate directory it means they don't conflict anymore, and they are moved in place in the right recipe at the right time. This allows building fedora/suse/centos/debian/ubuntu/arch from a single project. [skip changelog] --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index 740cdd8..50eff92 100644 --- a/systemd.spec +++ b/systemd.spec @@ -743,6 +743,8 @@ main systemd package and is meant for use in exitrds. %elif %{defined commit} %autosetup -n %{name}-%{commit} -p1 %elif %{with obs} +# Recipe files in the OBS build are in a distro-specific dir, as they conflict (e.g. with SUSE ones) +mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir} %autosetup -n %{name}-%{version} -p1 %else %autosetup -n %{name}-%{version_no_tilde} -p1 From 1f5ed0da1f0b235e13a06a23fda53eae0d43a9d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 20 Aug 2025 17:01:17 +0200 Subject: [PATCH 36/79] Version 258~rc3 - A large number of fixes in various components - Hardware database and syscall numbers are updated --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 2cde49e..cc03c85 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-258-rc2.tar.gz) = d864f756fe3288f09b917498fc1a075abe0708f894ff9e5a8fd9d5204f76437e1539a168f55ef2542af33b6e3e9aba8567d0eadb11b936f57be40d209b678c92 +SHA512 (systemd-258-rc3.tar.gz) = 166ea5c16dbacdaff6ab205417a2d43a2df7aad4a69c933453beea3cc9a2ac584b147d4bb4bda00e56d8b7bc3db723a29a1818a53c475b494947a60f8608fbbc diff --git a/systemd.spec b/systemd.spec index 50eff92..4e18207 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:258~rc2} +Version: %{?version_override}%{!?version_override:258~rc3} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From 5acde9f1fd649ae82e9ee38e0be18947197dabec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 26 Aug 2025 15:15:17 +0200 Subject: [PATCH 37/79] Add workaround patch to hopefully pass podman CI tests --- 38724.patch | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ systemd.spec | 2 ++ 2 files changed, 66 insertions(+) create mode 100644 38724.patch diff --git a/38724.patch b/38724.patch new file mode 100644 index 0000000..c639cd0 --- /dev/null +++ b/38724.patch @@ -0,0 +1,64 @@ +From 5bc3a82e81355a0aa1fd25bb6232145f868fac12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 26 Aug 2025 15:00:02 +0200 +Subject: [PATCH] debug: disable ioctl(PIDFD_GET_INFO) + +In https://bodhi.fedoraproject.org/updates/FEDORA-2025-a0ce059969 it was +reported that the tests fail: + +> Rootless podman tests all show something like this eventually +> +> OCI runtime error: crun: join keyctl `7509a871d2ab7df6549f5cb5bd2d4daf990cc45c0022f116bd0882966ae53f30`: Disk quota exceeded +> +> Each container creates its own keyring but I assume they get leaked so at one +> point we run our of available keyrings and all following tests fail like +> that. Given I only see this on this update and from looking at the podman +> tests logs it only starts happening after we run a bunch of our own systemd +> services I wonder if systemd maybe leaks keyrings and thus it fails? + +After some very tediuos bisecting, I got the answer that +dcf0ef3f42b0ea12e199540a4088bd582875ddfa is the first bad commit. This doesn't +make much sense. I thought that maybe the answer is wrong somehow, or the fd we +pass in has problems, but everything seems to work correctly. Both +pidfd_get_pid_ioctl and pidfd_get_pid_fdinfo work fine and return the same +answer. Nevertheless, skipping the call to pidfd_get_pid_ioctl makes the +problem go away. + +bisection recipe: +1. compile systemd, systemd-executor, pam_systemd: + $ ninja -C build systemd systemd-executor pam_systemd.so + (Not all intermediate commits compile :) ) +2. use the compiled manager for the user running the tests: + # /etc/systemd/system/user@1000.service.d/override.conf + [Service] + ExecStart= + ExecStart=/home/fedora/src/systemd/build/systemd --user +3. install the new code: + # cp ~fedora/src/systemd/build/pam_systemd.so /usr/lib64/security/ && systemctl restart user@1000 +3. log out and log in again (via ssh) +4. run the test: + $ grep -Ec '[a-f0-9]{64}: empty' /proc/keys && podman run -it fedora date && grep -Ec '[a-f0-9]{64}: empty' /proc/keys + 17 + Tue Aug 26 12:47:44 UTC 2025 + 18 + +It seems that both the pam module and the user manager somehow matter. + +This smells like a kernel bug or some strange race condition. +--- + src/basic/pidfd-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/pidfd-util.c b/src/basic/pidfd-util.c +index 9910819aa79d9..b317be267f445 100644 +--- a/src/basic/pidfd-util.c ++++ b/src/basic/pidfd-util.c +@@ -74,7 +74,7 @@ int pidfd_get_namespace(int fd, unsigned long ns_type_cmd) { + } + + static int pidfd_get_info(int fd, struct pidfd_info *info) { +- static bool cached_supported = true; ++ static bool cached_supported = false; + + assert(fd >= 0); + assert(info); diff --git a/systemd.spec b/systemd.spec index 4e18207..a739a69 100644 --- a/systemd.spec +++ b/systemd.spec @@ -141,6 +141,8 @@ Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch + +Patch: https://github.com/systemd/systemd/pull/38724.patch %endif %ifarch %{ix86} x86_64 aarch64 riscv64 From 2289d65726d86bf523b1d565e274b15d8c978a3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 3 Sep 2025 08:02:02 +0200 Subject: [PATCH 38/79] Fix unit name in scriptlet [80/89] Installing systemd-udev-0:258~rc3-1.fc44.x86_64 >>> Running %post scriptlet: systemd-udev-0:258~rc3-1.fc44.x86_64 >>> Finished %post scriptlet: systemd-udev-0:258~rc3-1.fc44.x86_64 >>> Scriptlet output: >>> Failed to preset unit: Unit system-systemdx2dcryptsetup.slice does not exist --- systemd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index a739a69..8ec0b31 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1240,8 +1240,8 @@ systemctl --no-reload preset systemd-journald-audit.socket &>/dev/null || : sleep.target suspend-then-hibernate.target suspend.target - system-systemd\x2dcryptsetup.slice - system-systemd\x2dveritysetup.slice + system-systemd\\x2dcryptsetup.slice + system-systemd\\x2dveritysetup.slice systemd-backlight@.service systemd-binfmt.service systemd-bless-boot.service From 327e54e42196c4ed3d0655b40aabed492c75e2bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 4 Sep 2025 13:56:28 +0200 Subject: [PATCH 39/79] Add to patch to create userdb root directory with correct label The upstream PR was closed with the intent to force the SELinux policy to be updated instead. While we're waiting for that to happen, include the patch here. --- 38769.patch | 42 ++++++++++++++++++++++++++++++++++++++++++ systemd.spec | 4 ++++ 2 files changed, 46 insertions(+) create mode 100644 38769.patch diff --git a/38769.patch b/38769.patch new file mode 100644 index 0000000..35b50e4 --- /dev/null +++ b/38769.patch @@ -0,0 +1,42 @@ +From e4e1e425394dcef01317c42b34c133768c26b765 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Sat, 30 Aug 2025 13:55:56 +0200 +Subject: [PATCH] core: create userdb root directory with correct label + +Set up the /run/systemd/userdb directory with the default SELinux context +on creation. + +With version 257.7-1 on Debian the directory was automatically created with the +correct label. Starting with version 258 (only tested with 258~rc3-1) it no +longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a. + +[zjs: edited the patch to apply comments from review and update the description.] +--- + src/core/varlink.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/core/varlink.c b/src/core/varlink.c +index 8c6b95e31d1d5..110b281842373 100644 +--- a/src/core/varlink.c ++++ b/src/core/varlink.c +@@ -6,6 +6,7 @@ + #include "errno-util.h" + #include "json-util.h" + #include "manager.h" ++#include "mkdir-label.h" + #include "path-util.h" + #include "pidref.h" + #include "string-util.h" +@@ -424,7 +425,11 @@ static int manager_varlink_init_system(Manager *m) { + if (!fresh && varlink_server_contains_socket(m->varlink_server, address)) + continue; + +- r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); ++ r = mkdir_parents_label(address, 0755); ++ if (r < 0) ++ log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address); ++ ++ r = sd_varlink_server_listen_address(m->varlink_server, address, 0666); + if (r < 0) + return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address); + } diff --git a/systemd.spec b/systemd.spec index 8ec0b31..cf580d0 100644 --- a/systemd.spec +++ b/systemd.spec @@ -143,6 +143,10 @@ Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch Patch: https://github.com/systemd/systemd/pull/30846.patch Patch: https://github.com/systemd/systemd/pull/38724.patch + +# userdb: create userdb root directory with correct label +# We can drop this after SELinux policy is updated to handle the transition. +Patch: https://github.com/systemd/systemd/pull/38769.patch %endif %ifarch %{ix86} x86_64 aarch64 riscv64 From b442086d5fc7c7a478be064ab380a50fed9b9c86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 5 Sep 2025 15:14:21 +0200 Subject: [PATCH 40/79] Version 258~rc4 --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index cc03c85..b6fda1a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-258-rc3.tar.gz) = 166ea5c16dbacdaff6ab205417a2d43a2df7aad4a69c933453beea3cc9a2ac584b147d4bb4bda00e56d8b7bc3db723a29a1818a53c475b494947a60f8608fbbc +SHA512 (systemd-258-rc4.tar.gz) = 2fa7e0b9e7deb449ecd4fd6e8a22b5cf896ac5662f3ac3ca04db34254d6fb6409582f996ad7fa065939241377268f9742e3ff3b75e9f55f98e3a6c48058d323a diff --git a/systemd.spec b/systemd.spec index cf580d0..edc747f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:258~rc3} +Version: %{?version_override}%{!?version_override:258~rc4} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From cceac934914337911c799174ac9dd96c881d5f66 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 12 Sep 2025 10:36:06 +0200 Subject: [PATCH 41/79] Pre-create /etc/userdb directory An admin can create users in this directory instead of /etc/passwd. As the .user file can contain hashed password, only root should be able to read the files. --- systemd.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/systemd.spec b/systemd.spec index edc747f..0ecedf4 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1005,6 +1005,7 @@ touch %{buildroot}%{_sysconfdir}/machine-info touch %{buildroot}%{_sysconfdir}/localtime mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d touch %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/00-keyboard.conf +install -d -m 0700 %{buildroot}%{_sysconfdir}/userdb # Make sure the shutdown/sleep drop-in dirs exist mkdir -p %{buildroot}%{pkgdir}/system-shutdown/ From 8a446daec74122d234c39b7571dc50d3935ef6f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 17 Sep 2025 15:29:03 +0200 Subject: [PATCH 42/79] =?UTF-8?q?Version=20258=20=F0=9F=92=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - See https://raw.githubusercontent.com/systemd/systemd/v258/NEWS for the final list of changes. --- sources | 2 +- systemd.spec | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/sources b/sources index b6fda1a..68b70a3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-258-rc4.tar.gz) = 2fa7e0b9e7deb449ecd4fd6e8a22b5cf896ac5662f3ac3ca04db34254d6fb6409582f996ad7fa065939241377268f9742e3ff3b75e9f55f98e3a6c48058d323a +SHA512 (systemd-258.tar.gz) = c488354da1c170ad02e10926f561d1985c3c3393fec878562f295ef764fdf3a1b2877c3b2549253f19bf23e357be6e443a50b937f60f4677f286d3402d611b85 diff --git a/systemd.spec b/systemd.spec index 0ecedf4..04fcf73 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:258~rc4} +Version: %{?version_override}%{!?version_override:258} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif @@ -142,6 +142,7 @@ Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch +# Workaround for a kernel issue. Fixed in kernel-core-6.17.0-0.rc3.31.fc44.x86_64. Patch: https://github.com/systemd/systemd/pull/38724.patch # userdb: create userdb root directory with correct label From 88877a418450c16c1c85c680687da05f403af7bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 27 Sep 2025 14:37:48 +0300 Subject: [PATCH 43/79] Require systemd-networkd and systemd-udev to be in the same version ... (rhbz#2397579) In https://bugzilla.redhat.com/show_bug.cgi?id=2397579 users are doing a partial upgrade (seemingly) and that fails because of a file conflict. Add Conflicts to prevent such partial upgrades. --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index 04fcf73..c1a8f7e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -469,6 +469,7 @@ Conflicts: systemd-timesyncd < %{version}-%{release} Obsoletes: systemd-timesyncd < %{version}-%{release} Provides: systemd-timesyncd = %{version}-%{release} %endif +Conflicts: systemd-networkd < %{version}-%{release} # Libkmod is used to load modules. Assume that if we need udevd, we certainly # want to load modules, so make this into a hard dependency here. @@ -643,6 +644,7 @@ systemd-journal-upload. Summary: System daemon that manages network configurations Requires: %{name}%{_isa} = %{version}-%{release} %{?fedora:Recommends: %{name}-udev = %{version}-%{release}} +Conflicts: systemd-udev < %{version}-%{release} License: LGPL-2.1-or-later %description networkd From a3e9e2798227f4811f4953204ae5e631ea1d9442 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 27 Sep 2025 14:40:28 +0300 Subject: [PATCH 44/79] Change '%{systemd}' to systemd in Conflicts/Provides/Requires/Recommends MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We were using both styles… Having a macro creates some mental overhead for little gain. Switch to the fixed string everywhere. [skip changelog] --- systemd.spec | 78 ++++++++++++++++++++++++++-------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/systemd.spec b/systemd.spec index c1a8f7e..56933ed 100644 --- a/systemd.spec +++ b/systemd.spec @@ -274,16 +274,16 @@ Requires(post): grep # systemd-machine-id-setup requires libssl Requires(post): openssl-libs Requires: dbus >= 1.9.18 -Requires: %{name}-pam%{_isa} = %{version}-%{release} -Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build) -Requires: %{name}-libs%{_isa} = %{version}-%{release} -%{?fedora:Recommends: %{name}-networkd = %{version}-%{release}} -%{?fedora:Recommends: %{name}-resolved = %{version}-%{release}} -Requires: %{name}-shared%{_isa} = %{version}-%{release} +Requires: systemd-pam%{_isa} = %{version}-%{release} +Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build) +Requires: systemd-libs%{_isa} = %{version}-%{release} +%{?fedora:Recommends: systemd-networkd = %{version}-%{release}} +%{?fedora:Recommends: systemd-resolved = %{version}-%{release}} +Requires: systemd-shared%{_isa} = %{version}-%{release} Requires: /usr/bin/systemd-sysusers # The standalone version doesn't Provide the _isa suffix, # so this biases towards the common version. -Recommends: %{name}-sysusers%{_isa} = %{version}-%{release} +Recommends: systemd-sysusers%{_isa} = %{version}-%{release} Recommends: diffutils Requires: (util-linux-core or util-linux) Requires: (libbpf >= 2:1.4.7 if libbpf) @@ -316,10 +316,10 @@ Conflicts: dracut < 060-2 Conflicts: dracut < 059-16 %endif -Conflicts: %{name}-standalone-tmpfiles -Provides: %{name}-tmpfiles = %{version}-%{release} -Conflicts: %{name}-standalone-shutdown -Provides: %{name}-shutdown = %{version}-%{release} +Conflicts: systemd-standalone-tmpfiles +Provides: systemd-tmpfiles = %{version}-%{release} +Conflicts: systemd-standalone-shutdown +Provides: systemd-shutdown = %{version}-%{release} %if "%{_sbindir}" == "%{_bindir}" # Compat symlinks for Requires in other packages. @@ -398,14 +398,14 @@ License: LGPL-2.1-or-later AND MIT # in 257.3-6 /usr/lib64/systemd/libsystemd-shared-257.2-14.fc42.so # was moved from package systemd to systemd-shared. # Add a conflit to allow downgrades across this change. -Conflicts: %{name} < 257.3-6 +Conflicts: systemd < 257.3-6 %description shared Internal libraries used by various systemd binaries. %package pam Summary: systemd PAM module -Requires: %{name} = %{version}-%{release} +Requires: systemd = %{version}-%{release} %description pam Systemd PAM module registers the session with systemd-logind. @@ -423,11 +423,11 @@ for information how to use those macros. %package sysusers Summary: systemd-sysusers program -Requires: %{name}-shared%{_isa} = %{version}-%{release} -Conflicts: %{name}-standalone-sysusers +Requires: systemd-shared%{_isa} = %{version}-%{release} +Conflicts: systemd-standalone-sysusers # in 257.3-6 /usr/bin/systemd-sysusers was moved from package systemd # to systemd-sysusers. Add a conflit to allow downgrades across this change. -Conflicts: %{name} < 257.3-6 +Conflicts: systemd < 257.3-6 %description sysusers This package contains the systemd-sysusers program. @@ -435,8 +435,8 @@ This package contains the systemd-sysusers program. %package devel Summary: Development headers for systemd License: LGPL-2.1-or-later AND MIT -Requires: %{name}-libs%{_isa} = %{version}-%{release} -Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build) +Requires: systemd-libs%{_isa} = %{version}-%{release} +Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build) Provides: libudev-devel = %{version} Provides: libudev-devel%{_isa} = %{version} @@ -503,8 +503,8 @@ Requires: kbd Provides: u2f-hidraw-policy = 1.0.2-40 Obsoletes: u2f-hidraw-policy < 1.0.2-40 -Conflicts: %{name}-standalone-repart -Provides: %{name}-repart = %{version}-%{release} +Conflicts: systemd-standalone-repart +Provides: systemd-repart = %{version}-%{release} # Newer versions of those are required to support X11 keycode remapping Conflicts: xorg-x11-drv-evdev < 2.11.0 @@ -529,7 +529,7 @@ machine, and to create or grow partitions and make file systems automatically. %package ukify Summary: Tool to build Unified Kernel Images -Requires: %{name} = %{noarch_requires_version} +Requires: systemd = %{noarch_requires_version} Requires: (systemd-boot if %{shrink:( filesystem(x86-32) or @@ -602,7 +602,7 @@ This package contains the signed version. %package container # Name is the same as in Debian Summary: Tools for containers and VMs -Requires: %{name}%{_isa} = %{version}-%{release} +Requires: systemd%{_isa} = %{version}-%{release} Requires(post): systemd%{_isa} = %{version}-%{release} Requires(preun): systemd%{_isa} = %{version}-%{release} Requires(postun): systemd%{_isa} = %{version}-%{release} @@ -625,11 +625,11 @@ systemd-machined, and systemd-importd. %package journal-remote # Name is the same as in Debian Summary: Tools to send journal events over the network -Requires: %{name}%{_isa} = %{version}-%{release} +Requires: systemd%{_isa} = %{version}-%{release} License: LGPL-2.1-or-later Requires: firewalld-filesystem -Provides: %{name}-journal-gateway = %{version}-%{release} -Provides: %{name}-journal-gateway%{_isa} = %{version}-%{release} +Provides: systemd-journal-gateway = %{version}-%{release} +Provides: systemd-journal-gateway%{_isa} = %{version}-%{release} # Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040) Suggests: libcurl-minimal @@ -642,8 +642,8 @@ systemd-journal-upload. %package networkd Summary: System daemon that manages network configurations -Requires: %{name}%{_isa} = %{version}-%{release} -%{?fedora:Recommends: %{name}-udev = %{version}-%{release}} +Requires: systemd%{_isa} = %{version}-%{release} +%{?fedora:Recommends: systemd-udev = %{version}-%{release}} Conflicts: systemd-udev < %{version}-%{release} License: LGPL-2.1-or-later @@ -654,7 +654,7 @@ devices. %package networkd-defaults Summary: Configure network interfaces with networkd by default -Requires: %{name}-networkd = %{noarch_requires_version} +Requires: systemd-networkd = %{noarch_requires_version} License: MIT-0 BuildArch: noarch @@ -665,7 +665,7 @@ enabled for this to have any effect. %package resolved Summary: Network Name Resolution manager -Requires: %{name}%{_isa} = %{version}-%{release} +Requires: systemd%{_isa} = %{version}-%{release} Requires: libidn2.so.0%{?elf_suffix} Requires: libidn2.so.0(IDN2_0.0.0)%{?elf_bits} Requires(posttrans): grep @@ -677,7 +677,7 @@ resolver, as well as an LLMNR and MulticastDNS resolver and responder. %package oomd-defaults Summary: Configuration files for systemd-oomd -Requires: %{name}-udev = %{noarch_requires_version} +Requires: systemd-udev = %{noarch_requires_version} License: LGPL-2.1-or-later BuildArch: noarch @@ -687,10 +687,10 @@ a userspace out-of-memory (OOM) killer. %package tests Summary: Internal unit tests for systemd -Requires: %{name}%{_isa} = %{version}-%{release} +Requires: systemd%{_isa} = %{version}-%{release} # This dependency is provided transitively. Also add it explicitly to # appease rpminspect, https://github.com/rpminspect/rpminspect/issues/1231: -Requires: %{name}-libs%{_isa} = %{version}-%{release} +Requires: systemd-libs%{_isa} = %{version}-%{release} Requires: python3dist(psutil) License: LGPL-2.1-or-later @@ -701,8 +701,8 @@ Different binaries test different parts of the codebase. %package standalone-repart Summary: Standalone systemd-repart binary for use on systems without systemd -Provides: %{name}-repart = %{version}-%{release} -Conflicts: %{name}-udev +Provides: systemd-repart = %{version}-%{release} +Conflicts: systemd-udev Suggests: coreutils-single RemovePathPostfixes: .standalone @@ -713,8 +713,8 @@ main systemd package and is meant for use on systems without systemd. %package standalone-tmpfiles Summary: Standalone systemd-tmpfiles binary for use on systems without systemd -Provides: %{name}-tmpfiles = %{version}-%{release} -Conflicts: %{name} +Provides: systemd-tmpfiles = %{version}-%{release} +Conflicts: systemd Suggests: coreutils-single RemovePathPostfixes: .standalone @@ -725,7 +725,7 @@ main systemd package and is meant for use on systems without systemd. %package standalone-sysusers Summary: Standalone systemd-sysusers binary for use on systems without systemd -Provides: %{name}-sysusers = %{version}-%{release} +Provides: systemd-sysusers = %{version}-%{release} Suggests: coreutils-single RemovePathPostfixes: .standalone @@ -736,8 +736,8 @@ main systemd package and is meant for use on systems without systemd. %package standalone-shutdown Summary: Standalone systemd-shutdown binary for use in exitrds -Provides: %{name}-shutdown = %{version}-%{release} -Conflicts: %{name} +Provides: systemd-shutdown = %{version}-%{release} +Conflicts: systemd Suggests: coreutils-single RemovePathPostfixes: .standalone From 593a204189b195d530f5cc643465c7711dac7acf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 13 Oct 2025 17:09:52 +0200 Subject: [PATCH 45/79] Version 258.1 - This is the first (large) batch of fixes after v258: - fixes for boot loader and early boot code - fixes for systemd itself, systemd-udevd, systemd-logind, systemd-machined, and library code - unprivileged operation in systemd-machined is disabled for now - lots of documentation and shell-completion fixes - includes an hwdb update --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 68b70a3..6b4fe22 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-258.tar.gz) = c488354da1c170ad02e10926f561d1985c3c3393fec878562f295ef764fdf3a1b2877c3b2549253f19bf23e357be6e443a50b937f60f4677f286d3402d611b85 +SHA512 (systemd-258.1.tar.gz) = 0fd62724d4b9cc0789445f3072a7052f52533e2a928cb4a6c3d7375169d087f9cc3941f37c9f208c870042f4e32d90a17cfbb96930a31ac875b41aa7efac8f53 diff --git a/systemd.spec b/systemd.spec index 56933ed..1387788 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:258} +Version: %{?version_override}%{!?version_override:258.1} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From db38445a7ec7e885b070727cc489586e2e67ef21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 13 Oct 2025 17:15:42 +0200 Subject: [PATCH 46/79] Drop two patches with workaround (selinux, kernel) --- ...-PrivateTmp-disconnected-instead-of-.patch | 69 ------------------- 38724.patch | 64 ----------------- systemd.spec | 10 +-- 3 files changed, 1 insertion(+), 142 deletions(-) delete mode 100644 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch delete mode 100644 38724.patch diff --git a/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch b/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch deleted file mode 100644 index eca67f0..0000000 --- a/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 0792bb7a9d25a1ab8a5f208f2f5cea8a362dc1c6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 10 Jan 2025 17:00:08 +0100 -Subject: [PATCH] Revert "units: use PrivateTmp=disconnected instead of 'yes' - if DefaultDependencies=no" - -This reverts commit 1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5. ---- - units/systemd-coredump@.service.in | 2 +- - units/systemd-oomd.service.in | 2 +- - units/systemd-resolved.service.in | 2 +- - units/systemd-timesyncd.service.in | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in -index c74dc7a5a1..fa3206d07b 100644 ---- a/units/systemd-coredump@.service.in -+++ b/units/systemd-coredump@.service.in -@@ -26,7 +26,7 @@ NoNewPrivileges=yes - OOMScoreAdjust=500 - PrivateDevices=yes - PrivateNetwork=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectControlGroups=yes - ProtectHome=read-only - ProtectHostname=yes -diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in -index 670d5e6140..82bd6245f8 100644 ---- a/units/systemd-oomd.service.in -+++ b/units/systemd-oomd.service.in -@@ -37,7 +37,7 @@ MemoryLow=64M - NoNewPrivileges=yes - OOMScoreAdjust=-900 - PrivateDevices=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectClock=yes - ProtectHome=yes - ProtectHostname=yes -diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in -index e181b2528a..4aa0788ac4 100644 ---- a/units/systemd-resolved.service.in -+++ b/units/systemd-resolved.service.in -@@ -29,7 +29,7 @@ LockPersonality=yes - MemoryDenyWriteExecute=yes - NoNewPrivileges=yes - PrivateDevices=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectClock=yes - ProtectControlGroups=yes - ProtectHome=yes -diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in -index 835d6327e7..cf233fbffd 100644 ---- a/units/systemd-timesyncd.service.in -+++ b/units/systemd-timesyncd.service.in -@@ -31,7 +31,7 @@ LockPersonality=yes - MemoryDenyWriteExecute=yes - NoNewPrivileges=yes - PrivateDevices=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectProc=invisible - ProtectControlGroups=yes - ProtectHome=yes --- -2.47.1 - diff --git a/38724.patch b/38724.patch deleted file mode 100644 index c639cd0..0000000 --- a/38724.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 5bc3a82e81355a0aa1fd25bb6232145f868fac12 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 26 Aug 2025 15:00:02 +0200 -Subject: [PATCH] debug: disable ioctl(PIDFD_GET_INFO) - -In https://bodhi.fedoraproject.org/updates/FEDORA-2025-a0ce059969 it was -reported that the tests fail: - -> Rootless podman tests all show something like this eventually -> -> OCI runtime error: crun: join keyctl `7509a871d2ab7df6549f5cb5bd2d4daf990cc45c0022f116bd0882966ae53f30`: Disk quota exceeded -> -> Each container creates its own keyring but I assume they get leaked so at one -> point we run our of available keyrings and all following tests fail like -> that. Given I only see this on this update and from looking at the podman -> tests logs it only starts happening after we run a bunch of our own systemd -> services I wonder if systemd maybe leaks keyrings and thus it fails? - -After some very tediuos bisecting, I got the answer that -dcf0ef3f42b0ea12e199540a4088bd582875ddfa is the first bad commit. This doesn't -make much sense. I thought that maybe the answer is wrong somehow, or the fd we -pass in has problems, but everything seems to work correctly. Both -pidfd_get_pid_ioctl and pidfd_get_pid_fdinfo work fine and return the same -answer. Nevertheless, skipping the call to pidfd_get_pid_ioctl makes the -problem go away. - -bisection recipe: -1. compile systemd, systemd-executor, pam_systemd: - $ ninja -C build systemd systemd-executor pam_systemd.so - (Not all intermediate commits compile :) ) -2. use the compiled manager for the user running the tests: - # /etc/systemd/system/user@1000.service.d/override.conf - [Service] - ExecStart= - ExecStart=/home/fedora/src/systemd/build/systemd --user -3. install the new code: - # cp ~fedora/src/systemd/build/pam_systemd.so /usr/lib64/security/ && systemctl restart user@1000 -3. log out and log in again (via ssh) -4. run the test: - $ grep -Ec '[a-f0-9]{64}: empty' /proc/keys && podman run -it fedora date && grep -Ec '[a-f0-9]{64}: empty' /proc/keys - 17 - Tue Aug 26 12:47:44 UTC 2025 - 18 - -It seems that both the pam module and the user manager somehow matter. - -This smells like a kernel bug or some strange race condition. ---- - src/basic/pidfd-util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/pidfd-util.c b/src/basic/pidfd-util.c -index 9910819aa79d9..b317be267f445 100644 ---- a/src/basic/pidfd-util.c -+++ b/src/basic/pidfd-util.c -@@ -74,7 +74,7 @@ int pidfd_get_namespace(int fd, unsigned long ns_type_cmd) { - } - - static int pidfd_get_info(int fd, struct pidfd_info *info) { -- static bool cached_supported = true; -+ static bool cached_supported = false; - - assert(fd >= 0); - assert(info); diff --git a/systemd.spec b/systemd.spec index 1387788..5bbc38d 100644 --- a/systemd.spec +++ b/systemd.spec @@ -133,18 +133,10 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch %if %{without upstream} # Those are downstream-only patches, but we don't want them in packit builds. -# Temporarily drop use of PrivateTmp=disconnected. This is causing failures -# in various places: -# https://bugzilla.redhat.com/show_bug.cgi?id=2334015 -# https://github.com/coreos/fedora-coreos-tracker/issues/1857 -Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch - +# Create user journals for users with high UIDs # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch -# Workaround for a kernel issue. Fixed in kernel-core-6.17.0-0.rc3.31.fc44.x86_64. -Patch: https://github.com/systemd/systemd/pull/38724.patch - # userdb: create userdb root directory with correct label # We can drop this after SELinux policy is updated to handle the transition. Patch: https://github.com/systemd/systemd/pull/38769.patch From 79c9db1bc8f2f0c95cc8af38c5b495c815778b2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 15 Oct 2025 13:54:29 +0200 Subject: [PATCH 47/79] Require systemd-libs and systemd-shared to be in the same version ... (rhbz#2404143) --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index 5bbc38d..166d95b 100644 --- a/systemd.spec +++ b/systemd.spec @@ -380,6 +380,7 @@ Summary: systemd libraries License: LGPL-2.1-or-later AND MIT Provides: nss-myhostname = 0.4 Provides: nss-myhostname%{_isa} = 0.4 +Conflicts: systemd-shared < %{version}-%{release} %description libs Libraries for systemd and udev. @@ -391,6 +392,7 @@ License: LGPL-2.1-or-later AND MIT # was moved from package systemd to systemd-shared. # Add a conflit to allow downgrades across this change. Conflicts: systemd < 257.3-6 +Conflicts: systemd-libs < %{version}-%{release} %description shared Internal libraries used by various systemd binaries. From 2e1a6c7474502ca63c677cd7070b6e13e6329057 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 20 Oct 2025 16:00:31 +0200 Subject: [PATCH 48/79] Require python3-zstandard in ELN Related: https://issues.redhat.com/browse/RHEL-103523 --- systemd.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index 166d95b..be35a41 100644 --- a/systemd.spec +++ b/systemd.spec @@ -532,9 +532,7 @@ Requires: (systemd-boot if %{shrink:( filesystem(riscv64) )}) Requires: python3dist(pefile) -%if 0%{?fedora} Requires: python3dist(zstandard) -%endif Requires: python3dist(cryptography) %if 0%{?fedora} Recommends: python3dist(pillow) From f8932309d95f37b0f81c54a8d38010ced60ae99b Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Tue, 21 Oct 2025 13:06:49 +0200 Subject: [PATCH 49/79] Drop backwards compat logic from integration tests script --- plans/run-integration-tests.sh | 60 ++++++++-------------------------- 1 file changed, 14 insertions(+), 46 deletions(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 9a90fa7..46ea433 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -17,9 +17,9 @@ sysctl fs.inotify.max_user_watches=65536 || true sysctl fs.inotify.max_user_instances=1024 || true if [[ -n "${KOJI_TASK_ID:-}" ]]; then - koji download-task --noprogress --arch="src,noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID" + koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID" elif [[ -n "${CBS_TASK_ID:-}" ]]; then - cbs download-task --noprogress --arch="src,noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID" + cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID" elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")" COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")" @@ -32,21 +32,12 @@ fi PACKAGEDIR="$PWD" -# TODO: Remove fallback once v257.6 is released. Also stop downloading source rpms then. - # This will match both the regular and the debuginfo rpm so make sure we select only the # non-debuginfo rpm. RPMS=(systemd-tests-*.rpm) rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract -if [[ -d usr/lib/systemd/tests/mkosi ]]; then - pushd usr/lib/systemd/tests - mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")" -else - mkdir systemd - rpm2cpio systemd-*.src.rpm | cpio --to-stdout --extract './*.tar.gz' | tar xz --strip-components=1 -C systemd - pushd systemd - mkosi_hash="$(grep systemd/mkosi@ .github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" -fi +pushd usr/lib/systemd/tests +mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")" # Now prepare mkosi at the same version required by the systemd repo. git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi @@ -57,13 +48,7 @@ export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH" # shellcheck source=/dev/null . /etc/os-release || . /usr/lib/os-release -if [[ -d mkosi ]]; then - LOCAL_CONF=mkosi/mkosi.local.conf -else - LOCAL_CONF=mkosi.local.conf -fi - -tee "$LOCAL_CONF" < Date: Thu, 23 Oct 2025 20:40:58 +0200 Subject: [PATCH 50/79] Require systemd-rpm-macros for build We use our own macros. They get pulled into the buildroot in Fedora builds, but we shouldn't rely on this. In OBS builds, they are not pulled in and the build fails. --- systemd.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/systemd.spec b/systemd.spec index be35a41..f1a8d6c 100644 --- a/systemd.spec +++ b/systemd.spec @@ -161,6 +161,9 @@ BuildRequires: libselinux-devel BuildRequires: audit-libs-devel %if %{without bootstrap} BuildRequires: cryptsetup-devel +# Require (previous version) of our macros package. +# We use the %%systemd_{post,preun,…} macros for various services. +BuildRequires: systemd-rpm-macros %endif BuildRequires: dbus-devel BuildRequires: util-linux From ea1d871ecd6c2fe063523840c1e4cf9bcf200e32 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Wed, 29 Oct 2025 10:32:12 +0100 Subject: [PATCH 51/79] Add missing networkd socket units systemd-networkd-resolve-hook.socket will be introduced by https://github.com/systemd/systemd/pull/39293 but we need the spec to handle the socket for the upgrade/downgrade test to pass so adding it early behind the upstream bcond. --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index f1a8d6c..b433af5 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1374,6 +1374,8 @@ fi %global networkd_services %{shrink: systemd-networkd.service systemd-networkd.socket + systemd-networkd-varlink.socket + %[%{with upstream}?"systemd-networkd-resolve-hook.socket":""] systemd-networkd-wait-online.service systemd-network-generator.service systemd-networkd-persistent-storage.service From 1d3b89210552dcc25f89519045fb54439176ac25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 23 Oct 2025 23:36:16 +0200 Subject: [PATCH 52/79] Enable sysupdate and sysupdated The files will land in the -udev subpackage. --- split-files.py | 1 + systemd.spec | 2 ++ 2 files changed, 3 insertions(+) diff --git a/split-files.py b/split-files.py index 8405956..38bde60 100644 --- a/split-files.py +++ b/split-files.py @@ -245,6 +245,7 @@ for file in files(buildroot): sysctl| coredump| homed|home1| + sysupdate|updatctl| oomd| portabled|portable1 ''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because diff --git a/systemd.spec b/systemd.spec index b433af5..9e756a3 100644 --- a/systemd.spec +++ b/systemd.spec @@ -832,6 +832,8 @@ CONFIGURE_OPTS=( -Dlibfido2=enabled -Dxenctrl=%[0%{?have_xen}?"enabled":"disabled"] -Defi=true + -Dsysupdate=enabled + -Dsysupdated=enabled -Dtpm=true -Dtpm2=enabled -Dhwdb=true From dffbf2beba916ad79eeb2ccff9768ab48855a2eb Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Mon, 3 Nov 2025 11:17:40 +0100 Subject: [PATCH 53/79] Make sure fallback source is listed first 2ace9416e85dd4759f7c0db4bb79d2bc9302dd77 broke packit as the fallback url wasn't listed first anymore. Make sure the fallback URL is listed first again as clearly documented just above the conditionals. --- systemd.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/systemd.spec b/systemd.spec index 9e756a3..ce57011 100644 --- a/systemd.spec +++ b/systemd.spec @@ -82,15 +82,15 @@ Summary: System and Service Manager # download tarballs with "spectool -g systemd.spec" # packit will always rewrite the first Source0 it finds, ignoring any conditionals so list -# the fallback source that's used if neither %%branch nor %%commit are defined first. -%if %{with obs} -Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.xz -%elif %{undefined branch} && %{undefined commit} +# the fallback source that's used if neither %%branch, %%commit or %%obs are defined first. +%if %{undefined branch} && %{undefined commit} && %{without obs} Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz %elif %{defined branch} Source0: https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz %elif %{defined commit} Source0: https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{commit}.tar.gz +%elif %{with obs} +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.xz %endif # This file must be available before %%prep. # It is generated during systemd build and can be found at build/src/rpm/triggers.systemd.sh. From 8e2833a5b64f7e2ce62ea0a2d0ec9e393e718dfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 3 Nov 2025 12:08:50 +0100 Subject: [PATCH 54/79] Automatically figure out the name of the top-level tar dir --- systemd.spec | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/systemd.spec b/systemd.spec index ce57011..fcb9a44 100644 --- a/systemd.spec +++ b/systemd.spec @@ -742,18 +742,15 @@ library or other libraries from systemd-libs. This package conflicts with the main systemd package and is meant for use in exitrds. %prep -%if %{defined branch} -%autosetup -n %{name}-%{branch} -p1 -%elif %{defined commit} -%autosetup -n %{name}-%{commit} -p1 -%elif %{with obs} +%if %{with obs} # Recipe files in the OBS build are in a distro-specific dir, as they conflict (e.g. with SUSE ones) mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir} -%autosetup -n %{name}-%{version} -p1 -%else -%autosetup -n %{name}-%{version_no_tilde} -p1 %endif +# Automatically figure out the name of the top-level directory. +# rpm really should do this automatically. +%autosetup -n %(tar -tf %{SOURCE0} | head -n1) -p1 + # Disable user lockdown until rpm implements it natively. # https://github.com/rpm-software-management/rpm/issues/3450 sed -r -i 's/^u!/u/' sysusers.d/*.conf* From fe18084a0583d134e424d70acb341860e69e8540 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Mon, 3 Nov 2025 14:33:02 +0100 Subject: [PATCH 55/79] Remove hack to stop systemd-networkd-resolve-hook.socket This didn't end up working, so drop the hack as we have a better fix coming up in https://github.com/systemd/systemd/pull/39415. --- systemd.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index fcb9a44..24abac1 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1374,7 +1374,6 @@ fi systemd-networkd.service systemd-networkd.socket systemd-networkd-varlink.socket - %[%{with upstream}?"systemd-networkd-resolve-hook.socket":""] systemd-networkd-wait-online.service systemd-network-generator.service systemd-networkd-persistent-storage.service From b17d9c3474f6cd4c07e01ffdfedf6a93c157d859 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Nov 2025 16:18:12 +0100 Subject: [PATCH 56/79] Use %autosetup -C This is supported since rpm 4.20 but not advertised much. --- systemd.spec | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/systemd.spec b/systemd.spec index 24abac1..3356f27 100644 --- a/systemd.spec +++ b/systemd.spec @@ -747,9 +747,7 @@ main systemd package and is meant for use in exitrds. mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir} %endif -# Automatically figure out the name of the top-level directory. -# rpm really should do this automatically. -%autosetup -n %(tar -tf %{SOURCE0} | head -n1) -p1 +%autosetup -C -p1 # Disable user lockdown until rpm implements it natively. # https://github.com/rpm-software-management/rpm/issues/3450 From 256463d69051665ea25d584a35ea817f94e18a41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 5 Nov 2025 17:55:32 +0100 Subject: [PATCH 57/79] Restore runlevelX.target units ... (rhbz#2411195) --- ...vert-units-drop-runlevel-0-6-.target.patch | 87 +++++++++++++++++++ systemd.spec | 4 + 2 files changed, 91 insertions(+) create mode 100644 0001-Revert-units-drop-runlevel-0-6-.target.patch diff --git a/0001-Revert-units-drop-runlevel-0-6-.target.patch b/0001-Revert-units-drop-runlevel-0-6-.target.patch new file mode 100644 index 0000000..4180211 --- /dev/null +++ b/0001-Revert-units-drop-runlevel-0-6-.target.patch @@ -0,0 +1,87 @@ +From 27f4f96c4e56744ecbffec0595236e1441278804 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Nov 2025 17:52:16 +0100 +Subject: [PATCH] Revert "units: drop runlevel[0-6].target" + +This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3. +The unit are still needed for compat. +--- + units/meson.build | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index 4f47a3b2bd..34b3222f11 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -1,5 +1,7 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + ++with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1 ++ + units = [ + { 'file' : 'basic.target' }, + { 'file' : 'blockdev@.target' }, +@@ -49,7 +51,7 @@ units = [ + }, + { + 'file' : 'graphical.target', +- 'symlinks' : ['default.target'], ++ 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []), + }, + { 'file' : 'halt.target' }, + { +@@ -142,14 +144,20 @@ units = [ + 'conditions' : ['ENABLE_MACHINED'], + }, + { 'file' : 'modprobe@.service' }, +- { 'file' : 'multi-user.target' }, ++ { ++ 'file' : 'multi-user.target', ++ 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [], ++ }, + { 'file' : 'network-online.target' }, + { 'file' : 'network-pre.target' }, + { 'file' : 'network.target' }, + { 'file' : 'nss-lookup.target' }, + { 'file' : 'nss-user-lookup.target' }, + { 'file' : 'paths.target' }, +- { 'file' : 'poweroff.target' }, ++ { ++ 'file' : 'poweroff.target', ++ 'symlinks' : with_runlevels ? ['runlevel0.target'] : [], ++ }, + { 'file' : 'printer.target' }, + { + 'file' : 'proc-sys-fs-binfmt_misc.automount', +@@ -174,7 +182,7 @@ units = [ + }, + { + 'file' : 'reboot.target', +- 'symlinks' : ['ctrl-alt-del.target'], ++ 'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []), + }, + { + 'file' : 'remote-cryptsetup.target', +@@ -194,7 +202,10 @@ units = [ + 'symlinks' : ['initrd-root-device.target.wants/'], + }, + { 'file' : 'rescue.service.in' }, +- { 'file' : 'rescue.target' }, ++ { ++ 'file' : 'rescue.target', ++ 'symlinks' : with_runlevels ? ['runlevel1.target'] : [], ++ }, + { 'file' : 'rpcbind.target' }, + { 'file' : 'serial-getty@.service.in' }, + { 'file' : 'shutdown.target' }, +@@ -972,4 +983,10 @@ else + dbussessionservicedir / 'org.freedesktop.systemd1.service')) + endif + ++if conf.get('HAVE_SYSV_COMPAT') == 1 ++ foreach i : [1, 2, 3, 4, 5] ++ install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i)) ++ endforeach ++endif ++ + subdir('user') diff --git a/systemd.spec b/systemd.spec index 3356f27..c8fcbfb 100644 --- a/systemd.spec +++ b/systemd.spec @@ -137,6 +137,10 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch: https://github.com/systemd/systemd/pull/30846.patch +# Again create runlevelX.target. Dropping those files breaks upgrades. +# https://bugzilla.redhat.com/show_bug.cgi?id=2411195 +Patch: 0001-Revert-units-drop-runlevel-0-6-.target.patch + # userdb: create userdb root directory with correct label # We can drop this after SELinux policy is updated to handle the transition. Patch: https://github.com/systemd/systemd/pull/38769.patch From 1a7506a1051c8361714463825b83febcb04b5639 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 7 Nov 2025 14:02:48 +0100 Subject: [PATCH 58/79] Version 258.2 - A bunch of fixes in many components. - Stop creating user namespace for system services (rhbz#2391343) - Systemd trigger scriptlets are updated --- sources | 2 +- systemd.spec | 2 +- triggers.systemd | 30 ++++++++++++++---------------- 3 files changed, 16 insertions(+), 18 deletions(-) diff --git a/sources b/sources index 6b4fe22..a9f4297 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-258.1.tar.gz) = 0fd62724d4b9cc0789445f3072a7052f52533e2a928cb4a6c3d7375169d087f9cc3941f37c9f208c870042f4e32d90a17cfbb96930a31ac875b41aa7efac8f53 +SHA512 (systemd-258.2.tar.gz) = 1dc016a5a037aec2682e08d2add0dcf8d03db15b45ce8c6b677898f734aefd4694ce18e588d579e42514071fc4c167b2bf53808478b2bd3856b257c9fbcde45d diff --git a/systemd.spec b/systemd.spec index c8fcbfb..f5fbd50 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:258.1} +Version: %{?version_override}%{!?version_override:258.2} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif diff --git a/triggers.systemd b/triggers.systemd index f8bb078..28ddc1f 100644 --- a/triggers.systemd +++ b/triggers.systemd @@ -9,17 +9,17 @@ # # Minimum rpm version supported: 4.14.0 -%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system +%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/ # This script will run after any package is initially installed or # upgraded. We care about the case where a package is initially # installed, because other cases are covered by the *un scriptlets, # so sometimes we will reload needlessly. /usr/lib/systemd/systemd-update-helper system-reload-restart || : -%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user +%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/ /usr/lib/systemd/systemd-update-helper user-reload-restart || : -%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system +%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/ # On removal, we need to run daemon-reload after any units have been # removed. # On upgrade, we need to run daemon-reload after any new unit files @@ -27,35 +27,35 @@ # executed. /usr/lib/systemd/systemd-update-helper system-reload || : -%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user +%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/ # Execute daemon-reload in user managers. /usr/lib/systemd/systemd-update-helper user-reload || : -%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system +%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/ # We restart remaining system services that should be restarted here. /usr/lib/systemd/systemd-update-helper system-restart || : -%transfiletriggerpostun -P 9999 -- /usr/lib/systemd/user /etc/systemd/user +%transfiletriggerpostun -P 9999 -- /usr/lib/systemd/user/ /etc/systemd/user/ # We restart remaining user services that should be restarted here. /usr/lib/systemd/systemd-update-helper user-restart || : -%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d +%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/ # This script will process files installed in /usr/lib/sysusers.d to create # specified users automatically. The priority is set such that it # will run before the tmpfiles file trigger. systemd-sysusers || : -%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d +%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/ # This script will automatically invoke hwdb update if files have been # installed or updated in /usr/lib/udev/hwdb.d. systemd-hwdb update || : -%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog +%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/ # This script will automatically invoke journal catalog update if files # have been installed or updated in /usr/lib/systemd/catalog. journalctl --update-catalog || : -%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d +%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/ # This script will automatically apply binfmt rules if files have been # installed or updated in /usr/lib/binfmt.d. if test -d "/run/systemd/system"; then @@ -64,7 +64,7 @@ if test -d "/run/systemd/system"; then /usr/lib/systemd/systemd-binfmt || : fi -%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d +%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/ # This script will process files installed in /usr/lib/tmpfiles.d to create # tmpfiles automatically. The priority is set such that it will run # after the sysusers file trigger, but before any other triggers. @@ -72,14 +72,12 @@ if test -d "/run/systemd/system"; then systemd-tmpfiles --create || : fi -%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d +%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/ # This script will automatically update udev with new rules if files # have been installed or updated in /usr/lib/udev/rules.d. -if test -e /run/udev/control; then - udevadm control --reload || : -fi +/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || : -%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d +%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/ # This script will automatically apply sysctl rules if files have been # installed or updated in /usr/lib/sysctl.d. if test -d "/run/systemd/system"; then From e455d82fd898e87fbd4cc848437a6582fdcab7f6 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 25 Sep 2025 10:34:15 +0200 Subject: [PATCH 59/79] Add various extra explicit Requires Upstream is moving towards making a lot more libraries dlopen() style dependencies. Let's make sure to add these as Requires to corresponding packages so they still get pulled in. --- systemd.spec | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/systemd.spec b/systemd.spec index f5fbd50..03acb85 100644 --- a/systemd.spec +++ b/systemd.spec @@ -333,6 +333,12 @@ Provides: /usr/sbin/shutdown Provides: /usr/sbin/telinit %endif +# libmount is always required, even in containers, so make it a hard dependency. +Requires: libmount.so.1%{?elf_suffix} +Requires: libmount.so.1(MOUNT_2.26)%{?elf_bits} +# Various systemd services have syscall filters so make libseccomp a hard dependency. +Requires: libseccomp.so.2%{?elf_suffix} + # Recommends to replace normal Requires deps for stuff that is dlopen()ed Recommends: libxkbcommon.so.0%{?elf_suffix} Recommends: libidn2.so.0%{?elf_suffix} @@ -476,6 +482,9 @@ Conflicts: systemd-networkd < %{version}-%{release} # want to load modules, so make this into a hard dependency here. Requires: libkmod.so.2%{?elf_suffix} Requires: libkmod.so.2(LIBKMOD_5)%{?elf_bits} +# udev uses libblkid in various builtins so make it a hard dependency. +Requires: libblkid.so.1%{?elf_suffix} +Requires: libblkid.so.1(BLKID_2.30)%{?elf_bits} # Recommends to replace normal Requires deps for stuff that is dlopen()ed # used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home From a0acca210d8f62039d6a419431f9b198fddc4302 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 17 Nov 2025 20:39:22 +0100 Subject: [PATCH 60/79] Version 259~rc1 - See https://raw.githubusercontent.com/systemd/systemd/v259-rc1/NEWS. Too many changes to list or discuss here. --- ...vert-units-drop-runlevel-0-6-.target.patch | 19 ++++++++++--------- 38769.patch | 10 +++++----- sources | 2 +- systemd.spec | 2 +- 4 files changed, 17 insertions(+), 16 deletions(-) diff --git a/0001-Revert-units-drop-runlevel-0-6-.target.patch b/0001-Revert-units-drop-runlevel-0-6-.target.patch index 4180211..5a4dacd 100644 --- a/0001-Revert-units-drop-runlevel-0-6-.target.patch +++ b/0001-Revert-units-drop-runlevel-0-6-.target.patch @@ -1,4 +1,4 @@ -From 27f4f96c4e56744ecbffec0595236e1441278804 Mon Sep 17 00:00:00 2001 +From 5b18cc5d62e6225c373aa36f6ff9a8f3539387e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 5 Nov 2025 17:52:16 +0100 Subject: [PATCH] Revert "units: drop runlevel[0-6].target" @@ -10,7 +10,7 @@ The unit are still needed for compat. 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/units/meson.build b/units/meson.build -index 4f47a3b2bd..34b3222f11 100644 +index 2e04c4aa2b..46eaac4073 100644 --- a/units/meson.build +++ b/units/meson.build @@ -1,5 +1,7 @@ @@ -30,7 +30,7 @@ index 4f47a3b2bd..34b3222f11 100644 }, { 'file' : 'halt.target' }, { -@@ -142,14 +144,20 @@ units = [ +@@ -142,7 +144,10 @@ units = [ 'conditions' : ['ENABLE_MACHINED'], }, { 'file' : 'modprobe@.service' }, @@ -39,9 +39,10 @@ index 4f47a3b2bd..34b3222f11 100644 + 'file' : 'multi-user.target', + 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [], + }, - { 'file' : 'network-online.target' }, - { 'file' : 'network-pre.target' }, - { 'file' : 'network.target' }, + { + 'file' : 'systemd-mute-console.socket', + 'symlinks' : ['sockets.target.wants/'] +@@ -155,7 +160,10 @@ units = [ { 'file' : 'nss-lookup.target' }, { 'file' : 'nss-user-lookup.target' }, { 'file' : 'paths.target' }, @@ -53,7 +54,7 @@ index 4f47a3b2bd..34b3222f11 100644 { 'file' : 'printer.target' }, { 'file' : 'proc-sys-fs-binfmt_misc.automount', -@@ -174,7 +182,7 @@ units = [ +@@ -180,7 +188,7 @@ units = [ }, { 'file' : 'reboot.target', @@ -62,7 +63,7 @@ index 4f47a3b2bd..34b3222f11 100644 }, { 'file' : 'remote-cryptsetup.target', -@@ -194,7 +202,10 @@ units = [ +@@ -200,7 +208,10 @@ units = [ 'symlinks' : ['initrd-root-device.target.wants/'], }, { 'file' : 'rescue.service.in' }, @@ -74,7 +75,7 @@ index 4f47a3b2bd..34b3222f11 100644 { 'file' : 'rpcbind.target' }, { 'file' : 'serial-getty@.service.in' }, { 'file' : 'shutdown.target' }, -@@ -972,4 +983,10 @@ else +@@ -1001,4 +1012,10 @@ else dbussessionservicedir / 'org.freedesktop.systemd1.service')) endif diff --git a/38769.patch b/38769.patch index 35b50e4..09a7423 100644 --- a/38769.patch +++ b/38769.patch @@ -1,4 +1,4 @@ -From e4e1e425394dcef01317c42b34c133768c26b765 Mon Sep 17 00:00:00 2001 +From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Sat, 30 Aug 2025 13:55:56 +0200 Subject: [PATCH] core: create userdb root directory with correct label @@ -16,18 +16,18 @@ longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a. 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/core/varlink.c b/src/core/varlink.c -index 8c6b95e31d1d5..110b281842373 100644 +index 99f12c59e5..71a8ffd0e5 100644 --- a/src/core/varlink.c +++ b/src/core/varlink.c -@@ -6,6 +6,7 @@ +@@ -5,6 +5,7 @@ + #include "constants.h" #include "errno-util.h" - #include "json-util.h" #include "manager.h" +#include "mkdir-label.h" #include "path-util.h" #include "pidref.h" #include "string-util.h" -@@ -424,7 +425,11 @@ static int manager_varlink_init_system(Manager *m) { +@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) { if (!fresh && varlink_server_contains_socket(m->varlink_server, address)) continue; diff --git a/sources b/sources index a9f4297..752c9ae 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-258.2.tar.gz) = 1dc016a5a037aec2682e08d2add0dcf8d03db15b45ce8c6b677898f734aefd4694ce18e588d579e42514071fc4c167b2bf53808478b2bd3856b257c9fbcde45d +SHA512 (systemd-259-rc1.tar.gz) = 18a4305e0577647993dacf2369f374af5af67268c62aa49eb93680b6bb7986bd6d48f00328d20913c8eaa8204f4cbe47296e5087688290ae46910b909b307042 diff --git a/systemd.spec b/systemd.spec index 03acb85..4645686 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,7 +68,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:258.2} +Version: %{?version_override}%{!?version_override:259~rc1} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From 044cff4700898340708ff684614f48e3b3faec9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 17 Nov 2025 21:20:23 +0100 Subject: [PATCH 61/79] Allow empower group This will need to be patched into setup. --- systemd.spec | 5 +++-- test_sysusers_defined.py | 7 +++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/systemd.spec b/systemd.spec index 4645686..f49d0cc 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1116,12 +1116,13 @@ mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/ # We skip this on upstream builds so that new users and groups # can be added without breaking the build. %if 0%{?fedora} >= 43 -%{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf +IGNORED=empower \ + %{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf %else %{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf %endif %endif -rm %{buildroot}/usr/lib/sysusers.d/basic.conf +sed -n -r -i '1,7p; /can .do.|empower/p' %{buildroot}/usr/lib/sysusers.d/basic.conf %endif # Disable sshd_config.d/20-systemd-userdb.conf for now. diff --git a/test_sysusers_defined.py b/test_sysusers_defined.py index f6358fb..3c1e04f 100755 --- a/test_sysusers_defined.py +++ b/test_sysusers_defined.py @@ -1,5 +1,6 @@ #!/usr/bin/python +import os import sys def parse_sysusers_file(filename): @@ -30,7 +31,9 @@ for arg in sys.argv[1:-1]: basic_users, basic_groups = parse_sysusers_file(sys.argv[-1]) -if d := basic_users - setup_users: +ignored = set(os.getenv('IGNORED', '').split()) + +if d := basic_users - setup_users - ignored: exit(f'We have new users: {d}') -if d := basic_groups - setup_groups: +if d := basic_groups - setup_groups - ignored: exit(f'We have new groups: {d}') From f9916b6fd1399261371c7fb1255a2be4dc8c4a25 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 20 Nov 2025 13:37:45 +0100 Subject: [PATCH 62/79] Revert "Use %autosetup -C" This effectively reverts commit b17d9c3474f6cd4c07e01ffdfedf6a93c157d859. --- systemd.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index f49d0cc..f4c1b30 100644 --- a/systemd.spec +++ b/systemd.spec @@ -760,7 +760,9 @@ main systemd package and is meant for use in exitrds. mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir} %endif -%autosetup -C -p1 +# Automatically figure out the name of the top-level directory. +# TODO: Use %%autosetup -C once we can depend on rpm >= 4.20. +%autosetup -n %(tar -tf %{SOURCE0} | head -n1) -p1 # Disable user lockdown until rpm implements it natively. # https://github.com/rpm-software-management/rpm/issues/3450 From 12f95f807fef5075a8842dd107f83b4c41d5ac26 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 20 Nov 2025 14:11:10 +0100 Subject: [PATCH 63/79] Wrap %autosetup in %_build_in_place check The shell expansion we use to determine the top-level directory will get expanded even if we don't execute %prep, so add a %_build_in_place check to make sure we don't try to search for the top-level directory if --build-in-place is set. --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index f4c1b30..868b09b 100644 --- a/systemd.spec +++ b/systemd.spec @@ -762,7 +762,9 @@ mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir} # Automatically figure out the name of the top-level directory. # TODO: Use %%autosetup -C once we can depend on rpm >= 4.20. +%if %{undefined _build_in_place} %autosetup -n %(tar -tf %{SOURCE0} | head -n1) -p1 +%endif # Disable user lockdown until rpm implements it natively. # https://github.com/rpm-software-management/rpm/issues/3450 From 9ac8c363070586c41877b782d1c7f1b408a1f0ec Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Wed, 19 Nov 2025 23:13:54 +0100 Subject: [PATCH 64/79] Set meson auto features to auto when building for upstream We don't want new options to be forcefully enabled if we don't have the dependencies available. --- systemd.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/systemd.spec b/systemd.spec index 868b09b..eda018e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -38,6 +38,11 @@ # that depend on libcryptsetup (e.g. libcryptsetup-plugins, homed) %if %{with bootstrap} %global __meson_auto_features disabled +# If we're building for upstream, don't unconditionally enable all +# new features as new features might be introduced for which we're +# missing build dependencies. +%elif %{with upstream} +%global __meson_auto_features auto %endif # Override %%autorelease. This is ugly, but rpmautospec doesn't implement From ddb6474e949910c9c6972f96862551f41902fc58 Mon Sep 17 00:00:00 2001 From: David Tardon Date: Fri, 21 Nov 2025 15:07:07 +0100 Subject: [PATCH 65/79] Drop provides for removed sysvinit tools ... (rhbz#2413557) --- systemd.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index eda018e..3afd8bc 100644 --- a/systemd.spec +++ b/systemd.spec @@ -333,9 +333,7 @@ Provides: /usr/sbin/halt Provides: /usr/sbin/init Provides: /usr/sbin/poweroff Provides: /usr/sbin/reboot -Provides: /usr/sbin/runlevel Provides: /usr/sbin/shutdown -Provides: /usr/sbin/telinit %endif # libmount is always required, even in containers, so make it a hard dependency. From 33b38cdbc74dadf280448a0693677595cb78f4c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 26 Nov 2025 15:29:29 +0100 Subject: [PATCH 66/79] Suppress errors from tar MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without this, 'spectool -g …' will print to the console. [skip changelog] --- systemd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 3afd8bc..50f58c0 100644 --- a/systemd.spec +++ b/systemd.spec @@ -766,7 +766,7 @@ mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir} # Automatically figure out the name of the top-level directory. # TODO: Use %%autosetup -C once we can depend on rpm >= 4.20. %if %{undefined _build_in_place} -%autosetup -n %(tar -tf %{SOURCE0} | head -n1) -p1 +%autosetup -n %(tar -tf %{SOURCE0} 2>/dev/null | head -n1) -p1 %endif # Disable user lockdown until rpm implements it natively. From 7e409130ee736cfe54b8d03a94b7d53b2e0d9f89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 26 Nov 2025 15:47:05 +0100 Subject: [PATCH 67/79] Version 259~rc2 This has a bunch of fixes for various issues reported with -rc1, in particular varlink socket communication. --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 752c9ae..d50c204 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-259-rc1.tar.gz) = 18a4305e0577647993dacf2369f374af5af67268c62aa49eb93680b6bb7986bd6d48f00328d20913c8eaa8204f4cbe47296e5087688290ae46910b909b307042 +SHA512 (systemd-259-rc2.tar.gz) = 667fe1deff5020f751f3721472f2b3a1dfc32e3d10a78b5efd1673b7a42b3d445ab504687e6cd2f42dc5cbfc5c42ba3a435939ec5957c9e73833486112f9bd91 diff --git a/systemd.spec b/systemd.spec index 50f58c0..38eccf6 100644 --- a/systemd.spec +++ b/systemd.spec @@ -73,7 +73,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:259~rc1} +Version: %{?version_override}%{!?version_override:259~rc2} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From 0289127dae861518d708cf1a3b83e0745a303630 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 26 Nov 2025 22:35:50 +0100 Subject: [PATCH 68/79] Patch machined to continue after selinux denial --- ...cription-to-varlink-server-unify-err.patch | 53 +++++++++++++++++++ ...continue-without-resolve.hook-socket.patch | 30 +++++++++++ systemd.spec | 4 ++ 3 files changed, 87 insertions(+) create mode 100644 0001-machined-add-description-to-varlink-server-unify-err.patch create mode 100644 0002-machined-continue-without-resolve.hook-socket.patch diff --git a/0001-machined-add-description-to-varlink-server-unify-err.patch b/0001-machined-add-description-to-varlink-server-unify-err.patch new file mode 100644 index 0000000..27f0e38 --- /dev/null +++ b/0001-machined-add-description-to-varlink-server-unify-err.patch @@ -0,0 +1,53 @@ +From b984311d5c993d4d90c67b225b68b115301b565a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 26 Nov 2025 22:11:24 +0100 +Subject: [PATCH 1/2] machined: add description to varlink server, unify error + messages + +manager_varlink_init_resolve_hook and +manager_varlink_init_userdb are very similar, but one +didn't set a description and the other one had an error message +which didn't print the offending path. +--- + src/machine/machined-varlink.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c +index f4714c545d..cf87065443 100644 +--- a/src/machine/machined-varlink.c ++++ b/src/machine/machined-varlink.c +@@ -745,6 +745,8 @@ static int manager_varlink_init_userdb(Manager *m) { + if (r < 0) + return log_error_errno(r, "Failed to allocate varlink server object: %m"); + ++ (void) sd_varlink_server_set_description(s, "varlink-userdb"); ++ + r = sd_varlink_server_add_interface(s, &vl_interface_io_systemd_UserDatabase); + if (r < 0) + return log_error_errno(r, "Failed to add UserDatabase interface to varlink server: %m"); +@@ -757,9 +759,10 @@ static int manager_varlink_init_userdb(Manager *m) { + if (r < 0) + return log_error_errno(r, "Failed to register varlink methods: %m"); + +- r = sd_varlink_server_listen_address(s, "/run/systemd/userdb/io.systemd.Machine", 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); ++ const char *path = "/run/systemd/userdb/io.systemd.Machine"; ++ r = sd_varlink_server_listen_address(s, path, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); + if (r < 0) +- return log_error_errno(r, "Failed to bind to varlink socket '/run/systemd/userdb/io.systemd.Machine': %m"); ++ return log_error_errno(r, "Failed to bind to varlink socket %s: %m", path); + + r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL); + if (r < 0) +@@ -889,9 +892,10 @@ static int manager_varlink_init_resolve_hook(Manager *m) { + if (r < 0) + return log_error_errno(r, "Failed to bind on resolve hook disconnection events: %m"); + +- r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Machine", 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); ++ const char *path = "/run/systemd/resolve.hook/io.systemd.Machine"; ++ r = sd_varlink_server_listen_address(s, path, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); + if (r < 0) +- return log_error_errno(r, "Failed to bind to varlink socket: %m"); ++ return log_error_errno(r, "Failed to bind to varlink socket %s: %m", path); + + r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL); + if (r < 0) diff --git a/0002-machined-continue-without-resolve.hook-socket.patch b/0002-machined-continue-without-resolve.hook-socket.patch new file mode 100644 index 0000000..f1c12e0 --- /dev/null +++ b/0002-machined-continue-without-resolve.hook-socket.patch @@ -0,0 +1,30 @@ +From 74f2ac66b118a7f5d0fb0d9b4444f951466cd30d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 26 Nov 2025 22:29:53 +0100 +Subject: [PATCH 2/2] machined: continue without resolve.hook socket + +--- + src/machine/machined-varlink.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c +index cf87065443..bae0577122 100644 +--- a/src/machine/machined-varlink.c ++++ b/src/machine/machined-varlink.c +@@ -894,8 +894,14 @@ static int manager_varlink_init_resolve_hook(Manager *m) { + + const char *path = "/run/systemd/resolve.hook/io.systemd.Machine"; + r = sd_varlink_server_listen_address(s, path, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); +- if (r < 0) +- return log_error_errno(r, "Failed to bind to varlink socket %s: %m", path); ++ if (r < 0) { ++ bool ignore = ERRNO_IS_NEG_PRIVILEGE(r); ++ log_full_errno(ignore ? LOG_WARNING : LOG_ERR, ++ r, ++ "Failed to bind to varlink socket %s%s: %m", ++ path, ignore ? ", ignoring" : ""); ++ return ignore ? 0 : r; ++ } + + r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL); + if (r < 0) diff --git a/systemd.spec b/systemd.spec index 38eccf6..0949cb1 100644 --- a/systemd.spec +++ b/systemd.spec @@ -149,6 +149,10 @@ Patch: 0001-Revert-units-drop-runlevel-0-6-.target.patch # userdb: create userdb root directory with correct label # We can drop this after SELinux policy is updated to handle the transition. Patch: https://github.com/systemd/systemd/pull/38769.patch + +# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2415701 +Patch: 0001-machined-add-description-to-varlink-server-unify-err.patch +Patch: 0002-machined-continue-without-resolve.hook-socket.patch %endif %ifarch %{ix86} x86_64 aarch64 riscv64 From b562e38e22a8e558de31947d2ba08b17458f5385 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Fri, 28 Nov 2025 12:50:05 +0100 Subject: [PATCH 69/79] Fix use of removed $LOCAL_CONF variable Follow up for f8932309d95f37b0f81c54a8d38010ced60ae99b [skip changelog] --- plans/run-integration-tests.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 46ea433..e3f0059 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -66,7 +66,7 @@ WithTests=yes EOF if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then - tee --append "$LOCAL_CONF" < Date: Fri, 28 Nov 2025 14:52:38 +0100 Subject: [PATCH 70/79] Check if --max-lines is supported by meson --- plans/run-integration-tests.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index e3f0059..9e7f83e 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -105,14 +105,19 @@ mkosi summary mkosi -f box -- true mkosi box -- meson setup build integration-tests/standalone mkosi -f +if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then + MAX_LINES=(--max-lines 300) +else + MAX_LINES=() +fi mkosi box -- \ meson test \ -C build \ --setup=integration \ --print-errorlogs \ --no-stdsplit \ - --max-lines 300 \ - --num-processes "$NPROC" && EC=0 || EC=$? + --num-processes "$NPROC" \ + "${MAX_LINES[@]}" && EC=0 || EC=$? [[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \; [[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \; From bf8019c840e86edf4371b7b1d0ce9968bb99515f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 10 Dec 2025 22:55:22 +0100 Subject: [PATCH 71/79] Version 259~rc3 Various fixes for various issues reported with -rc2. --- ...vert-units-drop-runlevel-0-6-.target.patch | 4 +- ...cription-to-varlink-server-unify-err.patch | 53 ------------------- ...continue-without-resolve.hook-socket.patch | 22 ++++---- sources | 2 +- systemd.spec | 3 +- 5 files changed, 16 insertions(+), 68 deletions(-) delete mode 100644 0001-machined-add-description-to-varlink-server-unify-err.patch diff --git a/0001-Revert-units-drop-runlevel-0-6-.target.patch b/0001-Revert-units-drop-runlevel-0-6-.target.patch index 5a4dacd..faf8341 100644 --- a/0001-Revert-units-drop-runlevel-0-6-.target.patch +++ b/0001-Revert-units-drop-runlevel-0-6-.target.patch @@ -1,7 +1,7 @@ -From 5b18cc5d62e6225c373aa36f6ff9a8f3539387e0 Mon Sep 17 00:00:00 2001 +From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 5 Nov 2025 17:52:16 +0100 -Subject: [PATCH] Revert "units: drop runlevel[0-6].target" +Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target" This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3. The unit are still needed for compat. diff --git a/0001-machined-add-description-to-varlink-server-unify-err.patch b/0001-machined-add-description-to-varlink-server-unify-err.patch deleted file mode 100644 index 27f0e38..0000000 --- a/0001-machined-add-description-to-varlink-server-unify-err.patch +++ /dev/null @@ -1,53 +0,0 @@ -From b984311d5c993d4d90c67b225b68b115301b565a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 26 Nov 2025 22:11:24 +0100 -Subject: [PATCH 1/2] machined: add description to varlink server, unify error - messages - -manager_varlink_init_resolve_hook and -manager_varlink_init_userdb are very similar, but one -didn't set a description and the other one had an error message -which didn't print the offending path. ---- - src/machine/machined-varlink.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c -index f4714c545d..cf87065443 100644 ---- a/src/machine/machined-varlink.c -+++ b/src/machine/machined-varlink.c -@@ -745,6 +745,8 @@ static int manager_varlink_init_userdb(Manager *m) { - if (r < 0) - return log_error_errno(r, "Failed to allocate varlink server object: %m"); - -+ (void) sd_varlink_server_set_description(s, "varlink-userdb"); -+ - r = sd_varlink_server_add_interface(s, &vl_interface_io_systemd_UserDatabase); - if (r < 0) - return log_error_errno(r, "Failed to add UserDatabase interface to varlink server: %m"); -@@ -757,9 +759,10 @@ static int manager_varlink_init_userdb(Manager *m) { - if (r < 0) - return log_error_errno(r, "Failed to register varlink methods: %m"); - -- r = sd_varlink_server_listen_address(s, "/run/systemd/userdb/io.systemd.Machine", 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); -+ const char *path = "/run/systemd/userdb/io.systemd.Machine"; -+ r = sd_varlink_server_listen_address(s, path, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); - if (r < 0) -- return log_error_errno(r, "Failed to bind to varlink socket '/run/systemd/userdb/io.systemd.Machine': %m"); -+ return log_error_errno(r, "Failed to bind to varlink socket %s: %m", path); - - r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL); - if (r < 0) -@@ -889,9 +892,10 @@ static int manager_varlink_init_resolve_hook(Manager *m) { - if (r < 0) - return log_error_errno(r, "Failed to bind on resolve hook disconnection events: %m"); - -- r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Machine", 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); -+ const char *path = "/run/systemd/resolve.hook/io.systemd.Machine"; -+ r = sd_varlink_server_listen_address(s, path, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); - if (r < 0) -- return log_error_errno(r, "Failed to bind to varlink socket: %m"); -+ return log_error_errno(r, "Failed to bind to varlink socket %s: %m", path); - - r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL); - if (r < 0) diff --git a/0002-machined-continue-without-resolve.hook-socket.patch b/0002-machined-continue-without-resolve.hook-socket.patch index f1c12e0..2903c5e 100644 --- a/0002-machined-continue-without-resolve.hook-socket.patch +++ b/0002-machined-continue-without-resolve.hook-socket.patch @@ -1,28 +1,30 @@ -From 74f2ac66b118a7f5d0fb0d9b4444f951466cd30d Mon Sep 17 00:00:00 2001 +From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 26 Nov 2025 22:29:53 +0100 -Subject: [PATCH 2/2] machined: continue without resolve.hook socket +Subject: [PATCH 3/3] machined: continue without resolve.hook socket --- - src/machine/machined-varlink.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) + src/machine/machined-varlink.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c -index cf87065443..bae0577122 100644 +index f83cbb8562..0b30cd0531 100644 --- a/src/machine/machined-varlink.c +++ b/src/machine/machined-varlink.c -@@ -894,8 +894,14 @@ static int manager_varlink_init_resolve_hook(Manager *m) { +@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) { - const char *path = "/run/systemd/resolve.hook/io.systemd.Machine"; - r = sd_varlink_server_listen_address(s, path, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); + r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK, + 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); - if (r < 0) -- return log_error_errno(r, "Failed to bind to varlink socket %s: %m", path); +- return log_error_errno(r, "Failed to bind to varlink socket %s: %m", +- VARLINK_PATH_MACHINED_RESOLVE_HOOK); + if (r < 0) { + bool ignore = ERRNO_IS_NEG_PRIVILEGE(r); + log_full_errno(ignore ? LOG_WARNING : LOG_ERR, + r, + "Failed to bind to varlink socket %s%s: %m", -+ path, ignore ? ", ignoring" : ""); ++ VARLINK_PATH_MACHINED_RESOLVE_HOOK, ++ ignore ? ", ignoring" : ""); + return ignore ? 0 : r; + } diff --git a/sources b/sources index d50c204..6c92dff 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-259-rc2.tar.gz) = 667fe1deff5020f751f3721472f2b3a1dfc32e3d10a78b5efd1673b7a42b3d445ab504687e6cd2f42dc5cbfc5c42ba3a435939ec5957c9e73833486112f9bd91 +SHA512 (systemd-259-rc3.tar.gz) = 31f979204e0db13233b766bf0956fb02f8f1165c00eb6721d833a28e59eaa3929c624542a61313cd254bcaefc206cbf562f252f8c94a78c332333852fbbbbb2b diff --git a/systemd.spec b/systemd.spec index 0949cb1..ab31da9 100644 --- a/systemd.spec +++ b/systemd.spec @@ -73,7 +73,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:259~rc2} +Version: %{?version_override}%{!?version_override:259~rc3} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif @@ -151,7 +151,6 @@ Patch: 0001-Revert-units-drop-runlevel-0-6-.target.patch Patch: https://github.com/systemd/systemd/pull/38769.patch # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2415701 -Patch: 0001-machined-add-description-to-varlink-server-unify-err.patch Patch: 0002-machined-continue-without-resolve.hook-socket.patch %endif From 4f5b5a961543cc907a48f24cc6647fa100679139 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 18 Dec 2025 10:34:39 +0100 Subject: [PATCH 72/79] Version 259 - Some bugfixes since -rc3, in particular in the area of image creation and loading of libraries --- sources | 2 +- systemd.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 6c92dff..af6ddf0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-259-rc3.tar.gz) = 31f979204e0db13233b766bf0956fb02f8f1165c00eb6721d833a28e59eaa3929c624542a61313cd254bcaefc206cbf562f252f8c94a78c332333852fbbbbb2b +SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50 diff --git a/systemd.spec b/systemd.spec index ab31da9..0cc5357 100644 --- a/systemd.spec +++ b/systemd.spec @@ -73,7 +73,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:259~rc3} +Version: %{?version_override}%{!?version_override:259} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif From 0c8ea706f96b053bcf38856d3c517e78805f1519 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Mon, 1 Dec 2025 13:26:24 +0100 Subject: [PATCH 73/79] Fix links to patches These patches were modified downstream yet the links were never updated [skip changelog] --- systemd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index 0cc5357..f20339f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -140,7 +140,7 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch # Create user journals for users with high UIDs # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 -Patch: https://github.com/systemd/systemd/pull/30846.patch +Patch: 30846.patch # Again create runlevelX.target. Dropping those files breaks upgrades. # https://bugzilla.redhat.com/show_bug.cgi?id=2411195 @@ -148,7 +148,7 @@ Patch: 0001-Revert-units-drop-runlevel-0-6-.target.patch # userdb: create userdb root directory with correct label # We can drop this after SELinux policy is updated to handle the transition. -Patch: https://github.com/systemd/systemd/pull/38769.patch +Patch: 38769.patch # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2415701 Patch: 0002-machined-continue-without-resolve.hook-socket.patch From 56377438ba63df532f6e77874b942dc641544ed0 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 19 Dec 2025 00:10:52 +0000 Subject: [PATCH 74/79] Disable sysinit-path for upstream builds [skip changelog] --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index f20339f..d3117a1 100644 --- a/systemd.spec +++ b/systemd.spec @@ -805,7 +805,9 @@ VMLINUX_H_PATH=$(%python3 -c '%find_vmlinux_h') CONFIGURE_OPTS=( -Dmode=release -Dslow-tests=true +%if %{without upstream} -Dsysvinit-path=/etc/rc.d/init.d +%endif -Drc-local=/etc/rc.d/rc.local -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' -Ddns-servers= From cac8dde28a1298bbc2bee40e9ab3b9308392f691 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Fri, 19 Dec 2025 11:40:52 +0100 Subject: [PATCH 75/79] test: Allow passing in extra tests to skip via TEST_SKIP [skip changelog] --- plans/run-integration-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh index 9e7f83e..6d2ee37 100755 --- a/plans/run-integration-tests.sh +++ b/plans/run-integration-tests.sh @@ -98,7 +98,7 @@ fi # This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it # for now. -export TEST_SKIP="TEST-21-DFUZZER" +export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}" mkosi genkey mkosi summary From c0520291971673fd0c64ff3cbaf2ac344db2a3c8 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Fri, 19 Dec 2025 16:17:01 +0100 Subject: [PATCH 76/79] Drop libcap-devel BuildRequires Not required anymore since v259. --- systemd.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index d3117a1..d4088d9 100644 --- a/systemd.spec +++ b/systemd.spec @@ -163,7 +163,6 @@ BuildRequires: gcc-c++ BuildRequires: clang BuildRequires: coreutils BuildRequires: rpmdevtools -BuildRequires: libcap-devel BuildRequires: libmount-devel BuildRequires: libfdisk-devel BuildRequires: libpwquality-devel From 67538c79f250eecbd904aa87e72a44cb3b5ef6f4 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Fri, 19 Dec 2025 16:17:26 +0100 Subject: [PATCH 77/79] Make dbus and systemd-pam recommended dependencies Neither dbus nor pam are required in the initrd so let's make both recommended dependencies instead of required dependencies so that we can build initrds without either of them getting pulled in. --- systemd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index d4088d9..9122e0f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -279,8 +279,8 @@ Requires(post): coreutils Requires(post): grep # systemd-machine-id-setup requires libssl Requires(post): openssl-libs -Requires: dbus >= 1.9.18 -Requires: systemd-pam%{_isa} = %{version}-%{release} +Recommends: dbus >= 1.9.18 +Recommends: systemd-pam%{_isa} = %{version}-%{release} Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build) Requires: systemd-libs%{_isa} = %{version}-%{release} %{?fedora:Recommends: systemd-networkd = %{version}-%{release}} From 399885597ce9f7cc63673c3369086021f0b01176 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 20 Dec 2025 18:35:48 +0100 Subject: [PATCH 78/79] Revert "Disable sysinit-path for upstream builds" This reverts commit 56377438ba63df532f6e77874b942dc641544ed0. Dropping of the option currently doesn't disable anything, it just moves the file. I don't think we gain anything by moving the file and actually this causes problems [1], so let's just return to status quo ante. [1] file /etc/init.d conflicts between attempted installs of systemd-259.999+69+g6ceb76bfc-2548.1.x86_64 and chkconfig-1.33-3.fc44.x86_64 [skip changelog] --- systemd.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index 9122e0f..af79bf0 100644 --- a/systemd.spec +++ b/systemd.spec @@ -804,9 +804,7 @@ VMLINUX_H_PATH=$(%python3 -c '%find_vmlinux_h') CONFIGURE_OPTS=( -Dmode=release -Dslow-tests=true -%if %{without upstream} -Dsysvinit-path=/etc/rc.d/init.d -%endif -Drc-local=/etc/rc.d/rc.local -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' -Ddns-servers= From f353d244fd5a7bb972ab1bb0884a5e8ccc8b4faf Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Mon, 12 Jan 2026 16:22:10 +0100 Subject: [PATCH 79/79] Add 2 patches for automatic aarch64 DTB selection change --- ...rel-section-when-os-release-is-empty.patch | 112 ++++++++++++++++++ ...inter-deref-when-there-are-no-initrd.patch | 51 ++++++++ systemd.spec | 6 + 3 files changed, 169 insertions(+) create mode 100644 0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch create mode 100644 0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch diff --git a/0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch b/0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch new file mode 100644 index 0000000..5f4a1dd --- /dev/null +++ b/0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch @@ -0,0 +1,112 @@ +From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Fri, 19 Dec 2025 11:01:49 -0500 +Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty + +The primary motivation for this is to allow users of ukify to build +UKI-like objects, without having them later be detected as a UKI by +tools like kernel-install and bootctl. + +The common code used by these tools to determine if a PE binary is a UKI +checks that both .osrel and .linux sections are present. Hence, adding +a mechansim to skip .osrel provides a way to avoid being labeled a UKI. +--- + man/ukify.xml | 5 ++++- + src/ukify/test/test_ukify.py | 15 +++++++++++---- + src/ukify/ukify.py | 10 +++++++++- + 3 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/man/ukify.xml b/man/ukify.xml +index 829761642d..7462c5c92f 100644 +--- a/man/ukify.xml ++++ b/man/ukify.xml +@@ -365,7 +365,10 @@ + The os-release description (the .osrel section). The argument + may be a literal string, or @ followed by a path name. If not specified, the + os-release5 file +- will be picked up from the host system. ++ will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section ++ is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact ++ to not be recognized as a UKI by other tools like kernel-install ++ and bootctl). + + + +diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py +index f75ef0c891..224a38569f 100755 +--- a/src/ukify/test/test_ukify.py ++++ b/src/ukify/test/test_ukify.py +@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path): + + shutil.rmtree(tmp_path) + +-def test_inspect(kernel_initrd, tmp_path, capsys): ++def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True): + if kernel_initrd is None: + pytest.skip('linux+initrd not found') + if not shutil.which('sbsign'): +@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys): + + output = f'{tmp_path}/signed2.efi' + uname_arg='1.2.3' +- osrel_arg='Linux' ++ osrel_arg='Linux' if osrel else '' + cmdline_arg='ARG1 ARG2 ARG3' + + args = [ +@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys): + + text = capsys.readouterr().out + +- expected_osrel = f'.osrel:\n size: {len(osrel_arg)}' +- assert expected_osrel in text ++ if osrel: ++ expected_osrel = f'.osrel:\n size: {len(osrel_arg)}' ++ assert expected_osrel in text ++ else: ++ assert '.osrel:' not in text ++ + expected_cmdline = f'.cmdline:\n size: {len(cmdline_arg)}' + assert expected_cmdline in text + expected_uname = f'.uname:\n size: {len(uname_arg)}' +@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys): + + shutil.rmtree(tmp_path) + ++def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys): ++ test_inspect(kernel_initrd, tmp_path, capsys, osrel=False) ++ + @pytest.mark.skipif(not slow_tests, reason='slow') + def test_pcr_signing(kernel_initrd, tmp_path): + if kernel_initrd is None: +diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py +index c98f8e2a5d..b7542c7eca 100755 +--- a/src/ukify/ukify.py ++++ b/src/ukify/ukify.py +@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None: + '.profile', + } + ++ if not opts.os_release: ++ to_import.remove('.osrel') ++ + for profile in opts.join_profiles: + pe = pefile.PE(profile, fast_load=True) + prev_len = len(uki.sections) +@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None: + + opts.os_release = resolve_at_path(opts.os_release) + +- if not opts.os_release and opts.linux: ++ if opts.os_release == '': ++ # If --os-release= with an empty string was passed, treat that as ++ # explicitly disabling the .osrel section, and do not fallback to the ++ # system's os-release files. ++ pass ++ elif opts.os_release is None and opts.linux: + p = Path('/etc/os-release') + if not p.exists(): + p = Path('/usr/lib/os-release') +-- +2.52.0 + diff --git a/0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch b/0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch new file mode 100644 index 0000000..d6f362f --- /dev/null +++ b/0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch @@ -0,0 +1,51 @@ +From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 12 Jan 2026 14:56:36 +0100 +Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds + +When n_all_initrds == 0, then all_initrds is unmodified from its initial +value of: + + _cleanup_free_ struct iovec *all_initrds = NULL; + +and in the else block of the "if (n_all_initrds > 1)" the NULL is +dereferenced: + + final_initrd = all_initrds[0]; + +Leading to the stub crashing due to a NULL pointer deref. + +Fix this by initializing final_initrd to all 0s and only +running the else block if (n_all_initrds == 1). +--- + src/boot/stub.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/boot/stub.c b/src/boot/stub.c +index 06ecbc7d18..65950262c6 100644 +--- a/src/boot/stub.c ++++ b/src/boot/stub.c +@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) { + + /* Combine the initrds into one */ + _cleanup_pages_ Pages initrd_pages = {}; +- struct iovec final_initrd; ++ struct iovec final_initrd = {}; + if (n_all_initrds > 1) { +- /* There will always be a base initrd, if this counter is higher, we need to combine them */ ++ /* If there is more then 1 initrd we need to combine them */ + err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len); + if (err != EFI_SUCCESS) + return err; +@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) { + + /* Given these might be large let's free them explicitly before we pass control to Linux */ + initrds_free(&initrds); +- } else ++ } else if (n_all_initrds == 1) + final_initrd = all_initrds[0]; + + struct iovec kernel = IOVEC_MAKE( +-- +2.52.0 + diff --git a/systemd.spec b/systemd.spec index af79bf0..afd6432 100644 --- a/systemd.spec +++ b/systemd.spec @@ -152,6 +152,12 @@ Patch: 38769.patch # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2415701 Patch: 0002-machined-continue-without-resolve.hook-socket.patch + +# 2 patches for https://fedoraproject.org/wiki/Changes/Automatic_DTB_selection_for_aarch64_EFI_systems +# Upstream commit: https://github.com/systemd/systemd/commit/75890d949f92c412c0936b8536b2e0dc8f7dfb40 +Patch: 0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch +# Upstream PR: https://github.com/systemd/systemd/pull/40329 +Patch: 0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch %endif %ifarch %{ix86} x86_64 aarch64 riscv64