Commit 6554fdd9 authored by Dimitri John Ledkov's avatar Dimitri John Ledkov Committed by Simon McVittie

Import Debian changes 237-3ubuntu1

systemd (237-3ubuntu1) bionic; urgency=medium

  [ Gunnar Hjalmarsson ]
  * Fix PO template creation.
    Cherry-pick upstream patches to build a correct systemd.pot including
    the polkit policy files even without policykit-1 being installed.
    (LP: #1707898)

  [ Dimitri John Ledkov ]
  * Blacklist TEST-16-EXTEND-TIMEOUT
  * test/test-functions: use vmlinux for ppc64 tests.
parent ea460c23
Source: systemd
Section: admin
Priority: optional
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
XSBC-Original-Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Uploaders: Michael Biebl <biebl@debian.org>,
Marco d'Itri <md@linux.it>,
Sjoerd Simons <sjoerd@debian.org>,
#
# Script fragment to make dhclient supply nameserver information to resolvconf
#
# Tips:
# * Be careful about changing the environment since this is sourced
# * This script fragment uses bash features
# * As of isc-dhcp-client 4.2 the "reason" (for running the script) can be one of the following.
# (Listed on man page:) MEDIUM(0) PREINIT(0) BOUND(M) RENEW(M) REBIND(M) REBOOT(M) EXPIRE(D) FAIL(D) RELEASE(D) STOP(D) NBI(-) TIMEOUT(M)
# (Also used in master script:) ARPCHECK(0), ARPSEND(0)
# (Also used in master script:) PREINIT6(0) BOUND6(M) RENEW6(M) REBIND6(M) DEPREF6(0) EXPIRE6(D) RELEASE6(D) STOP6(D)
# (0) = master script does not run make_resolv_conf
# (M) = master script runs make_resolv_conf
# (D) = master script downs interface
# (-) = master script does nothing with this
if [ -x /lib/systemd/systemd-resolved ] ; then
# For safety, first undefine the nasty default make_resolv_conf()
make_resolv_conf() { : ; }
case "$reason" in
BOUND|RENEW|REBIND|REBOOT|TIMEOUT|BOUND6|RENEW6|REBIND6)
# Define a resolvconf-compatible m_r_c() function
# It gets run later (or, in the TIMEOUT case, MAY get run later)
make_resolv_conf() {
local statedir
if [ ! "$interface" ] ; then
return
fi
statedir="/run/systemd/resolved.conf.d"
mkdir -p $statedir
if [ -n "$new_domain_name_servers" ] ; then
cat <<EOF >$statedir/isc-dhcp-v4-$interface.conf
[Resolve]
DNS=$new_domain_name_servers
EOF
if [ -n "$new_domain_name" ] || [ -n "$new_domain_search" ] ; then
cat <<EOF >>$statedir/isc-dhcp-v4-$interface.conf
Domains=$new_domain_search $new_domain_name
EOF
fi
fi
if [ -n "$new_dhcp6_name_servers" ] ; then
cat <<EOF >$statedir/isc-dhcp-v6-$interface.conf
[Resolve]
DNS=$new_dhcp6_name_servers
EOF
if [ -n "$new_dhcp6_domain_search" ] ; then
cat <<EOF >>$statedir/isc-dhcp-v6-$interface.conf
Domains=$new_dhcp6_domain_search
EOF
fi
fi
systemctl try-reload-or-restart systemd-resolved.service
}
;;
EXPIRE|FAIL|RELEASE|STOP)
if [ ! "$interface" ] ; then
return
fi
rm -f /run/systemd/resolved.conf.d/isc-dhcp-v4-$interface.conf
systemctl try-reload-or-restart systemd-resolved.service
;;
EXPIRE6|RELEASE6|STOP6)
if [ ! "$interface" ] ; then
return
fi
rm -f /run/systemd/resolved.conf.d/isc-dhcp-v6-$interface.conf
systemctl try-reload-or-restart systemd-resolved.service
;;
esac
fi
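Review bot: Every value the heredocs inside make_resolv_conf write into the resolved drop-in (`$new_domain_name_servers`, `$new_domain_search`, `$new_domain_name` and the `new_dhcp6_*` counterparts) originates from the DHCP server, i.e. from the network, and is copied verbatim with no check that it looks like an address or domain list; the header "Tips" block should say so, e.g. `# * All new_* variables come from the DHCP lease and are untrusted; they are written as data only, never evaluated`. The redirection targets embed `$interface` unquoted (`>$statedir/isc-dhcp-v4-$interface.conf`); quoting them, `>"$statedir/isc-dhcp-v4-$interface.conf"`, matches the `"$interface"` quoting used in the tests above and costs nothing. The bare `return` statements in the EXPIRE|FAIL|RELEASE|STOP and EXPIRE6|RELEASE6|STOP6 arms sit outside any function and only work because the fragment is sourced, as the header notes; a one-line comment next to them (`# sourced fragment: return ends this hook`) would stop the next reader from flagging them as errors.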
# tell resolvconf about resolved's builtin DNS server, so that DNS servers
# picked up via networkd are respected when using resolvconf, and that software
# like Chrome that does not do NSS (libnss-resolve) still gets proper DNS
# resolution; do not remove the entry after stop though, as that leads to
# timeouts on shutdown via the resolvconf hooks (see LP: #1648068)
[Service]
ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved'
ReadWritePaths=-/run/resolvconf
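Review bot: The `+` prefix on ExecStartPost runs the resolvconf command with full privileges, outside the User= and sandboxing restrictions the rest of systemd-resolved.service applies, and the comment above explains what the hook is for but not why it has to leave the sandbox; extend it with something like `# '+' is needed because /sbin/resolvconf updates /etc/resolv.conf and /run/resolvconf, which the unit's unprivileged user cannot write`, confirming the exact reason against the unit. If I read systemd.service(5) correctly, the full-privilege mode also bypasses the file-system namespacing options, in which case `ReadWritePaths=-/run/resolvconf` is not what makes this command work and the comment should state what it is actually for, or the line should be dropped.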
#!/bin/sh
set -e
#
# udevd since 232-20 learned to generate stable interface names for network
# interfaces in kvm/qemu. However, existing machines upgrading will be using
# the ethX names instead. The most risk-averse action is to encode
# "persistent-net-rules" like rules to keep the ethX names on upgrades, since
# the interface names (ethX) may be in use not only in /etc/network/interfaces
# but in other configurations too (daemons, firewalls, etc).
#
# This is a one time action, and can be removed after the next stable & LTS
# releases. (~ May 2018)
#
rulesfile=/etc/udev/rules.d/70-persistent-net.rules
if [ `uname -m` != 's390x' ]
then
exit 0
fi
if [ `systemd-detect-virt` != 'kvm' ]
then
exit 0
fi
if [ -f $rulesfile ]
then
exit 0
fi
for interface in /sys/class/net/eth*
do
[ -d $interface ] || continue
name=$(basename $interface)
address=$(cat $interface/address)
cat <<EOF >>$rulesfile
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="$address", KERNEL=="eth*", NAME="$name"
EOF
done
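Review bot: Under `set -e`, `address=$(cat $interface/address)` aborts the whole maintainer script if a NIC vanishes between the glob and the read (hot-unplug on a running guest), leaving a partially written rules file that the `-f` check then treats as final on every later run; guard it, `address=$(cat "$interface/address") || continue`. The two backtick tests are unquoted, so `[ `uname -m` != 's390x' ]` turns into a `[` syntax error rather than a clean exit if the command prints nothing; `if [ "$(uname -m)" != 's390x' ]` and `if [ "$(systemd-detect-virt)" != 'kvm' ]` are the safe forms. Since the file pins the MAC of every eth* device and is never rewritten once present, the header comment should also mention that stale entries for later-removed interfaces persist until an administrator edits or deletes the file.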
[DEFAULT]
pristine-tar = True
patch-numbers = False
debian-branch = master
debian-branch = ubuntu-bionic
[dch]
full = True
......@@ -23,10 +23,6 @@ remove_nss_entry() {
if [ "$1" = remove ]; then
remove_nss_entry /etc/nsswitch.conf libnss-resolve resolve
systemctl disable systemd-resolved.service
if [ -d /run/systemd/system ]; then
deb-systemd-invoke stop systemd-resolved.service || true
fi
fi
#DEBHELPER#
From: Martin Pitt <martin.pitt@ubuntu.com>
Date: Mon, 27 Apr 2015 15:29:13 +0200
Subject: Revert "core: one step back again,
for nspawn we actually can't wait for cgroups running empty since systemd
will get exactly zero notifications about it"
for nspawn we actually can't wait for cgroups running empty since
systemd will get exactly zero notifications about it"
This reverts commit 743970d2ea6d08aa7c7bff8220f6b7702f2b1db7.
......@@ -26,7 +26,7 @@ index d0befba..c3ed2da 100644
strscpy(name, IFNAMSIZ, event->name);
+ r = rtnl_set_link_name(&event->rtnl, udev_device_get_ifindex(dev), name);
r = rtnl_set_link_name(&event->rtnl, udev_device_get_ifindex(dev), name);
+ if (r >= 0) {
+ log_debug("renamed network interface %s to %s\n", oldname, name);
+ goto out;
......@@ -38,7 +38,7 @@ index d0befba..c3ed2da 100644
+
+ /* free our own name, another process may wait for us */
+ snprintf(name, IFNAMSIZ, "rename%u", udev_device_get_ifindex(dev));
r = rtnl_set_link_name(&event->rtnl, udev_device_get_ifindex(dev), name);
+ r = rtnl_set_link_name(&event->rtnl, udev_device_get_ifindex(dev), name);
if (r < 0)
- return log_error_errno(r, "Error changing net interface name '%s' to '%s': %m", oldname, name);
+ goto out;
From: Balint Reczey <rbalint@ubuntu.com>
Date: Mon, 8 May 2017 17:02:03 +0200
Subject: Skip starting systemd-remount-fs.service in containers
even when /etc/fstab is present.
This allows entering fully running state even when /etc/fstab
lists / to be mounted from a device which is not present in the
container.
LP: #1576341
---
units/systemd-remount-fs.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in
index 29d0674..7bb5477 100644
--- a/units/systemd-remount-fs.service.in
+++ b/units/systemd-remount-fs.service.in
@@ -15,6 +15,7 @@ After=systemd-fsck-root.service
Before=local-fs-pre.target local-fs.target shutdown.target
Wants=local-fs-pre.target
ConditionPathExists=/etc/fstab
+ConditionVirtualization=!container
[Service]
Type=oneshot
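Review bot: `ConditionVirtualization=!container` skips the remount for every container type, not only the case the description names (an /etc/fstab root entry pointing at a device that does not exist inside the container), so an fstab that deliberately requests remount options for `/` is also ignored in privileged or full-system containers; if that trade-off is intended, record it in the unit, since the patch header is the only place the reasoning lives and it is invisible to anyone reading the installed file. A comment above the new line would do, e.g. `# Ubuntu: containers often inherit the host's fstab whose root device is absent; skip rather than fail (LP: #1576341)`.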
From: Michael Vogt <michael.vogt@ubuntu.com>
Date: Wed, 14 Feb 2018 16:38:13 +0000
Subject: Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file
A change in apparmor mediates auto-activation attempts now through
AppArmor: https://cgit.freedesktop.org/dbus/dbus/commit/?id=dc25979eb
This breaks the snapd time{zone,server}-control interfaces which limt
sending dbus message to a (label=unconfined) org.freedesktop.timedate1
peers.
By adding the AssumedApparmorLabel=unconfined label the snapd interfaces
work again.
LP: #1749000
---
src/timedate/org.freedesktop.timedate1.service | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/timedate/org.freedesktop.timedate1.service b/src/timedate/org.freedesktop.timedate1.service
index 1a15dcd..62802a5 100644
--- a/src/timedate/org.freedesktop.timedate1.service
+++ b/src/timedate/org.freedesktop.timedate1.service
@@ -12,3 +12,4 @@ Name=org.freedesktop.timedate1
Exec=/lib/systemd/systemd-timedated
User=root
SystemdService=dbus-org.freedesktop.timedate1.service
+AssumedAppArmorLabel=unconfined
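Review bot: `AssumedAppArmorLabel=unconfined` is a security assertion to dbus-daemon: it mediates auto-activation requests to org.freedesktop.timedate1 as if the destination were unconfined, so it must stay in step with how systemd-timedated is actually confined; if an AppArmor profile for systemd-timedated is ever shipped, this line becomes wrong and makes the activation-time decision more permissive than the real label. A comment in the service file recording that dependency would help, e.g. `# Must match the real AppArmor label of systemd-timedated (currently unconfined); see the dbus commit in the patch header`. The patch subject spells the key `AssumedApparmorLabel` while the file uses `AssumedAppArmorLabel`; the latter is the spelling dbus recognises, so the subject should be aligned to avoid confusing a future rebase.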
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Tue, 26 Sep 2017 10:23:09 -0400
Subject: core: unlink the invocation id key, if cannot change keyring owner
KEYCTL_CHOWN fails under unpriviledged usernamespace containers that drop
CAP_SYS_ADMIN (eg. LXD, OpenVZ, etc). Because kernel checks the capability in
the initial namespace, rather than in the user namespace. Thus if KEYCTL_CHOWN
operation is required, but will be impossible to perform, unlink the key and
thus skip the keyring setup.
Fixes #6281
(cherry picked from commit e4945f3a577ac9233c0e71349b6c139899e742fc)
---
src/basic/missing.h | 8 ++++++++
src/core/execute.c | 14 ++++++++++----
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/basic/missing.h b/src/basic/missing.h
index 352d2b0..8e1d45e 100644
--- a/src/basic/missing.h
+++ b/src/basic/missing.h
@@ -1132,6 +1132,14 @@ typedef int32_t key_serial_t;
#define KEYCTL_LINK 8
#endif
+#ifndef KEYCTL_LINK
+#define KEYCTL_LINK 8
+#endif
+
+#ifndef KEYCTL_UNLINK
+#define KEYCTL_UNLINK 9
+#endif
+
#ifndef KEYCTL_READ
#define KEYCTL_READ 11
#endif
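Review bot: The added `#ifndef KEYCTL_LINK` / `#define KEYCTL_LINK 8` / `#endif` block duplicates the definition that the hunk's first two context lines already close, and the hunk header's counts confirm all eight lines after them are additions, so the new guard can never fire and is a no-op; only the `KEYCTL_UNLINK` block is needed and the copy should be dropped to keep missing.h at one definition per symbol.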
diff --git a/src/core/execute.c b/src/core/execute.c
index 749ed32..e1b31b9 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2399,12 +2399,15 @@ static int setup_keyring(
uid_t uid, gid_t gid) {
key_serial_t keyring;
+ key_serial_t key;
int r;
assert(u);
assert(context);
assert(p);
+ key = -1;
+
/* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
* each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
* that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
@@ -2434,8 +2437,6 @@ static int setup_keyring(
/* Populate they keyring with the invocation ID by default. */
if (!sd_id128_is_null(u->invocation_id)) {
- key_serial_t key;
-
key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
if (key == -1)
log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
@@ -2449,8 +2450,13 @@ static int setup_keyring(
/* And now, make the keyring owned by the service's user */
if (uid_is_valid(uid) || gid_is_valid(gid))
- if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
- return log_unit_error_errno(u, errno, "Failed to change ownership of session keyring: %m");
+ if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0) {
+ log_unit_error_errno(u, errno, "Failed to change ownership of session keyring: %m");
+ /* well, the kernel didn't - cause the kernel is borked */
+ if (keyctl(KEYCTL_UNLINK, key, keyring, 0, 0) < 0)
+ log_unit_debug_errno(u, errno, "Failed to unlink (clean-up) key, after failing to change ownership: %m");
+ return 0;
+ }
/* When requested link the user keyring into the session keyring. */
if (context->keyring_mode == EXEC_KEYRING_SHARED) {
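Review bot: On the KEYCTL_CHOWN failure path the new code unlinks `key` from `keyring` without checking that a key was ever added: `key` is initialised to -1 earlier in this hunk and stays -1 when the invocation ID is null or `add_key()` fails (both visible above), and a `key_serial_t` of -1 is `KEY_SPEC_THREAD_KEYRING`, not "no key", so the call asks the kernel to unlink the thread keyring and logs a spurious debug error. Guard it: `if (key != -1 && keyctl(KEYCTL_UNLINK, key, keyring, 0, 0) < 0)`. The comment `/* well, the kernel didn't - cause the kernel is borked */` should state the real reason from the patch description so the next reader understands why a failed chown is now tolerated, e.g. `/* KEYCTL_CHOWN is refused in user namespaces lacking CAP_SYS_ADMIN in the initial namespace; drop the key rather than leave it in a root-owned keyring. */`. Logging at error level while returning 0 is also inconsistent; `log_unit_warning_errno` fits a condition the code now handles. setup_keyring continues outside the hunk.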
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Wed, 11 Oct 2017 12:17:03 +0100
Subject: UBUNTU: drop unrelated settings from sysctl defaults shipped by
systemd.
---
sysctl.d/50-default.conf | 22 ----------------------
1 file changed, 22 deletions(-)
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -11,28 +11,8 @@
# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
# there.
-# System Request functionality of the kernel (SYNC)
-#
-# Use kernel.sysrq = 1 to allow all keys.
-# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for a list
-# of values and keys.
-kernel.sysrq = 16
-
-# Append the PID to the core filename
-kernel.core_uses_pid = 1
-
-# Source route verification
-net.ipv4.conf.all.rp_filter = 1
-
-# Do not accept source routing
-net.ipv4.conf.all.accept_source_route = 0
-
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.all.promote_secondaries = 1
# Fair Queue CoDel packet scheduler to fight bufferbloat
net.core.default_qdisc = fq_codel
-
-# Enable hard and soft link protection
-fs.protected_hardlinks = 1
-fs.protected_symlinks = 1
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Tue, 21 Nov 2017 09:06:31 +0000
Subject: UBUNTU: drop using kvm for qemu tests,
as this currently results in unreliable nested kvm.
---
test/test-functions | 4 ----
1 file changed, 4 deletions(-)
diff --git a/test/test-functions b/test/test-functions
index 92388dc..095c6d7 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -136,10 +136,6 @@ $KERNEL_APPEND \
QEMU_OPTIONS="$QEMU_OPTIONS -initrd $INITRD"
fi
- if [ -c /dev/kvm ]; then
- QEMU_OPTIONS="$QEMU_OPTIONS -machine accel=kvm -enable-kvm -cpu host"
- fi
-
if [[ "$QEMU_TIMEOUT" != "infinity" ]]; then
QEMU_BIN="timeout --foreground $QEMU_TIMEOUT $QEMU_BIN"
fi
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 9 Feb 2018 15:57:54 +0000
Subject: UBUNTU: resolved: disable global LLMNR and MulticastDNS by default.
LP: #1739672
---
src/resolve/resolved-manager.c | 4 ++--
src/resolve/resolved.conf.in | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 2ee0277..37cef3f 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -596,8 +596,8 @@ int manager_new(Manager **ret) {
m->dns_stub_udp_fd = m->dns_stub_tcp_fd = -1;
m->hostname_fd = -1;
- m->llmnr_support = RESOLVE_SUPPORT_YES;
- m->mdns_support = RESOLVE_SUPPORT_YES;
+ m->llmnr_support = RESOLVE_SUPPORT_NO;
+ m->mdns_support = RESOLVE_SUPPORT_NO;
m->dnssec_mode = DEFAULT_DNSSEC_MODE;
m->enable_cache = true;
m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP;
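Review bot: The default flips to RESOLVE_SUPPORT_NO here and the commented-out examples in resolved.conf.in (the second hunk of this patch) follow, but the diffstat lists only those two files; resolved.conf(5) is generated from the XML man source, which, if it documents the default as yes as upstream's does, is now wrong for this package and should be patched in the same change, or the patch header should say why it is left alone. Disabling LLMNR and MulticastDNS globally is a defensible hardening default since both are unauthenticated link-local protocols, so a one-line rationale in the patch header, which currently cites only the LP bug, would also help future rebases.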
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
index e6b2062..bcd7a92 100644
--- a/src/resolve/resolved.conf.in
+++ b/src/resolve/resolved.conf.in
@@ -15,8 +15,8 @@
#DNS=
#FallbackDNS=@DNS_SERVERS@
#Domains=
-#LLMNR=yes
-#MulticastDNS=yes
+#LLMNR=no
+#MulticastDNS=no
#DNSSEC=@DEFAULT_DNSSEC_MODE@
#Cache=yes
#DNSStubListener=udp
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 16 Feb 2018 13:22:49 +0000
Subject: test/test-fs-util: detect container, in addition to root.
On armhf, during autopkgtests, whilst root is avilable, full capabilities in
parent namespace are not, since the tests are run in an LXD container.
This should resolve armhf test failure.
---
src/test/test-fs-util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c
index 2525c47..10ecc60 100644
--- a/src/test/test-fs-util.c
+++ b/src/test/test-fs-util.c
@@ -35,6 +35,7 @@
#include "strv.h"
#include "user-util.h"
#include "util.h"
+#include "virt.h"
static void test_chase_symlinks(void) {
_cleanup_free_ char *result = NULL;
@@ -495,7 +496,7 @@ static void test_touch_file(void) {
assert_se((st.st_mode & 0777) == 0640);
assert_se(timespec_load(&st.st_mtim) == test_mtime);
- if (geteuid() == 0) {
+ if (geteuid() == 0 && !detect_container()) {
a = strjoina(p, "/cdev");
assert_se(mknod(a, 0775 | S_IFCHR, makedev(0, 0)) >= 0);
assert_se(touch_file(a, false, test_mtime, test_uid, test_gid, 0640) >= 0);
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Wed, 8 Nov 2017 16:25:45 +0000
Subject: UBUNTU: test-process-util: fails to verify cmdline changes in unpriv
user-namespace.
Thus skip these asserts when running $ sudo ./test-process-util in an
unpriviledged user namespaced containers.
(cherry picked from commit 86a4129d308602a1d2ba80b47863b32bec2059df)
---
src/test/test-process-util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/test/test-process-util.c
+++ b/src/test/test-process-util.c
@@ -381,7 +381,7 @@
assert_se(get_process_cmdline(0, 0, false, &cmdline) >= 0);
/* we cannot expect cmdline to be renamed properly without privileges */
- if (geteuid() == 0) {
+ if (geteuid() == 0 && !running_in_userns()) {
log_info("cmdline = <%s>", cmdline);
assert_se(strneq(p, cmdline, STRLEN("test-process-util")));
assert_se(startswith(p, cmdline));
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Mon, 6 Nov 2017 16:00:13 +0000
Subject: UBUNTU: test/test-functions: drop all prefixes
When parsing and installing binaries mentioned in Exec*= lines the
5ed0dcf4d552271115d96d8d22b1a25494b85277 commit added parsing logic to drop
prefixes, including handling duplicate exclamation marks. But this did not
handle arbitrary combination of multiple prefixes, ie. StartExec=+-/bin/sh was
parsed as -/bin/sh which then would fail to install.
Instead of using egrep and shell replacements, replace both with sed command
that does it all. This sed script extract a group of characters starting with a
/ up to the first space (if any) after the equals sign. This correctly handles
existing non-prefixed, prefixed, multiple-prefixed commands.
About half commands seem to repeat themself, thus sort -u cuts the list of
binaries to install about in half.
To validate change of behaviour both old and new functions were modified to
echo parsed binaries into separate files, and then diffed. The incorrect
-/bin/sh was missing in the new output.
Without this patch tests fail on default Ubuntu installs.
(cherry picked from commit 84c0a34987d00158e943e3151a1fe21caa78d40c)
---
test/test-functions | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/test/test-functions b/test/test-functions
index 745c0a9..2957de5 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -424,9 +424,8 @@ install_execs() {
export PKG_CONFIG_PATH=$BUILD_DIR/src/core/
systemdsystemunitdir=$(pkg-config --variable=systemdsystemunitdir systemd)
systemduserunitdir=$(pkg-config --variable=systemduserunitdir systemd)
- egrep -ho '^Exec[^ ]*=[^ ]+' $initdir/{$systemdsystemunitdir,$systemduserunitdir}/*.service \
- | while read i; do
- i=${i##Exec*=}; i=${i##[@+\!-]}; i=${i##\!}
+ sed -n 's|^Exec[a-zA-Z]*=[^/]*\(/[^ ]*\).*|\1|gp' $initdir/{$systemdsystemunitdir,$systemduserunitdir}/*.service \
+ | sort -u | while read i; do
# some {rc,halt}.local scripts and programs are okay to not exist, the rest should
inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ]
done
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 16 Feb 2018 13:28:31 +0000
Subject: test/test-functions: launch qemu with -vga none
When booting ppc64el virtual machines, they require seabios, unless -vga none
is specified. Since we do a direct kernel & initrd boot, with -nographic, we
really have no need for vga or seabios in this case.
---
test/test-functions | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/test-functions b/test/test-functions
index 24fd3f2..b347321 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -129,6 +129,7 @@ $KERNEL_APPEND \
-net none \
-m 512M \
-nographic \
+-vga none \
-kernel $KERNEL_BIN \
-drive format=raw,cache=unsafe,file=${TESTDIR}/rootdisk.img \
"