picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
46,238 Commits 2 Branches 0 Tags 166 MiB
Commit Graph

125 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek 2aed63f427 tree-wide: fix spelling of "fallback" 
Similarly to "setup" vs. "set up", "fallback" is a noun, and "fall back"
is the verb. (This is pretty clear when we construct a sentence in the
present continous: "we are falling back" not "we are fallbacking").
 2020-08-20 17:45:32 +02:00
Luca Boccassi efc3b12fdb tree-wide: enable/disable libcrypsetup debug output depending on our level 
Avoid always setting to debug, as it will incur in many more callbacks from
libcrypsetup that then get discarded, wasting resources.
 2020-08-14 15:26:04 +01:00
Luca Boccassi ecab4c470c dissect: yield for 2ms when a verity device cannot be opened before retrying 
If we don't succeed on the first try it's because another process is
opening the same device. Do a microsleep for 2ms to increase the
chances it has completed the next time around the loop.
 2020-08-14 15:26:04 +01:00
Luca Boccassi 9ecb5c10fd dissect: account for EBUSY when verity device already exists 
In some cases, libdevmapper/libcrypsetup might return EBUSY instead of
EEXIST when opening a shared device. Treat it in the same way.
 2020-08-14 15:26:04 +01:00
Luca Boccassi c419b6f0cf dissect: wait for udev event if verity device not yet available 
The symlink /dev/mapper/dm_name is created by udev after a mapper
device is set up. So libdevmapper/libcrypsetup might tell us that
a verity device exists, but the symlink we use as the source for
the mount operation might not be there yet.
Instead of falling back to a new unique device set up, wait for
the udev event matching on the expected devlink for at least 100ms
(after which the benefits of sharing a device in terms of setup
time start to disappear - on my production machines, opening a new
verity device seems to take between 150ms and 300ms)
 2020-08-14 15:26:04 +01:00
Lennart Poettering af8219d562 dissect: show proper error strings for more errors 
Also, make inability to decrypt and EBUSY a non-fatal issue, since we
still are able to display the mount table then.
 2020-08-11 22:29:50 +02:00
Lennart Poettering af187ab237 dissect: introduce new helper dissected_image_mount_and_warn() and use it everywhere 2020-08-11 22:26:48 +02:00
Lennart Poettering fa45d12c1c dissect: use recognizable error if we are supposed to mount an encrypted fs 
Also, document EBUSY
 2020-08-11 22:26:48 +02:00
Lennart Poettering 37e44c3f95 dissect: immediately close pipes when we determined we have no data for them 
This effectively makes little difference because we exit soon later
anyway, which will close the fds, too. However, it's still useful since
it means the parent will get EOF events on them in the order we process
things and isn't delayed to process the data from the pipes until the
child dies.
 2020-08-11 22:26:48 +02:00
Lennart Poettering f5ea63a5e1 dissect: properly propagate some relevant dissection errors 
Let's send some specific error codes from helper process to parent via
the return value, and convert them back there.
 2020-08-11 22:26:48 +02:00
Lennart Poettering 5c05f06264 dissect: optionally mkdir directory to overmount 2020-08-11 22:26:48 +02:00
Lennart Poettering 834c15ec38 dissect: use new blockdev_partscan_enabled() API where appropriate 2020-08-11 10:30:19 +02:00
Lennart Poettering 6aa05ebdd8 firstboot: move --image= logic into common code 
That way we can reuse it in tmpfiles/sysusers/journalctl and so on.
 2020-08-05 20:34:58 +02:00
Luca Boccassi 18d7370587 service: add new RootImageOptions feature 
Allows to specify mount options for RootImage.
In case of multi-partition images, the partition number can be prefixed
followed by colon. Eg:

RootImageOptions=1:ro,dev 2:nosuid nodev

In absence of a partition number, 0 is assumed.
 2020-07-29 17:17:32 +01:00
Luca Boccassi ac1f3ad05f verity: re-use already open devices if the hashes match 
Opening a verity device is an expensive operation. The kernelspace operations
are mostly sequential with a global lock held regardless of which device
is being opened. In userspace jumps in and out of multiple libraries are
required. When signatures are used, there's the additional cryptographic
checks.

We know when two devices are identical: they have the same root hash.
If libcrypsetup returns EEXIST, double check that the hashes are really
the same, and that either both or none have a signature, and if everything
matches simply remount the already open device. The kernel will do
reference counting for us.

In order to quickly and reliably discover if a device is already open,
change the node naming scheme from '/dev/mapper/major:minor-verity' to
'/dev/mapper/$roothash-verity'.

Unfortunately libdevmapper is not 100% reliable, so in some case it
will say that the device already exists and it is active, but in
reality it is not usable. Fallback to an individually-activated
unique device name in those cases for robustness.
 2020-07-21 23:42:03 +01:00
Luca Boccassi 536879480a dm-util: use CRYPT_DEACTIVATE_DEFERRED instead of ioctl 2020-07-21 23:26:41 +01:00
Luca Boccassi c2923fdcd7 dissect/nspawn: add support for dm-verity root hash signature 
Since cryptsetup 2.3.0 a new API to verify dm-verity volumes by a
pkcs7 signature, with the public key in the kernel keyring,
is available. Use it if libcryptsetup supports it.
 2020-06-25 08:45:21 +01:00
Luca Boccassi 0389f4fa81 core: add RootHash and RootVerity service parameters 
Allow to explicitly pass root hash (explicitly or as a file) and verity
device/file as unit options. Take precedence over implicit checks.
 2020-06-23 10:50:09 +02:00
Luca Boccassi e7cbe5cb9e dissect: support single-filesystem verity images with external verity hash 
dm-verity support in dissect-image at the moment is restricted to GPT
volumes.
If the image a single-filesystem type without a partition table (eg: squashfs)
and a roothash/verity file are passed, set the verity flag and mark as
read-only.
 2020-06-09 12:19:21 +01:00
Luca Boccassi b1806441bb dissect-image: wait for udev for single filesystem images too 
Single filesystem images are mounted from the /dev/block/X:Y symlink
rather than /dev/loopZ, so we need to wait for udev to create it or
mounting will be racy and occasionally fail.
 2020-06-08 13:06:53 +01:00
Lennart Poettering 58dfbfbdd6 dissect: use log_debug_errno() where appropriate 2020-05-18 18:41:56 +02:00
Topi Miettinen 1887032f71 shared/dissect-image: log messages from cryptsetup 
Before:
```
write(2, "Device /dev/loop1p1 is too small.\n", 34) = -1 ENOTCONN (Transport
endpoint is not connected)
```

After:
```
$ journalctl -b -e | grep 'too small'
Apr 02 16:53:30 loora systemd[343579]: Device /dev/loop1p1 is too small.
```
 2020-04-03 17:44:20 +02:00
Vito Caputo 4fa744a35c *: convert amenable fdopen calls to take_fdopen 
Mechanical change to eliminate some cruft by using the
new take_fdopen{_unlocked}() wrappers where trivial.
 2020-03-31 06:48:03 -07:00
Topi Miettinen 0108c42f59 dissect-image: avoid scanning partitions 
In case the dissected image has a filesystem, don't scan for partitions. This
avoids problems with services using a `RootImage=` in early boot when udevd is
not yet started.
 2020-03-10 10:03:57 +01:00
Lennart Poettering cf32c48657 dissect: optionally, run fsck before mounting dissected images 
Some file systems want us to run fsck before mounting, hence do so,
optionally.
 2020-01-29 19:29:44 +01:00
Lennart Poettering 0f7c9a3d81 dissect: complain if partition flags are set that we don't know 2020-01-29 19:29:39 +01:00
Lennart Poettering d4dffb8533 dissect: introduce new recognizable partition types for /var and /var/tmp 
This has been requested many times before. Let's add it finally.

GPT auto-discovery for /var is a bit more complex than for other
partition types: the other partitions can to some degree be shared
between multiple OS installations on the same disk (think: swap, /home,
/srv). However, /var is inherently something bound to an installation,
i.e. specific to its identity, or actually *is* its identity, and hence
something that cannot be shared.

To deal with this this new code is particularly careful when it comes to
/var: it will not mount things blindly, but insist that the UUID of the
partition matches a hashed version of the machine-id of the
installation, so that each installation has a very specific /var
associated with it, and would never use any other. (We actually use
HMAC-SHA256 on the GPT partition type for /var, keyed by the machine-id,
since machine-id is something we want to keep somewhat private).

Setting the right UUID for installations takes extra care. To make
things a bit simpler to set up, we avoid this safety check for nspawn
and RootImage= in unit files, under the assumption that such container
and service images unlikely will have multiple installations on them.
The check is hence only required when booting full machines, i.e. in
in systemd-gpt-auto-generator.

To help with putting together images for full machines, PR #14368
introduces a repartition tool that can automatically fill in correctly
calculated UUIDs on first boot if images have the var partition UUID
initialized to all zeroes. With that in place systems can be put
together in a way that on first boot the machine ID is determined and
the partition table automatically adjusted to have the /var partition
with the right UUID.
 2019-12-23 14:43:59 +01:00
Lennart Poettering 10c1b18888 valgrind: temporarily handle that valgrind still doesn't know LOOP_GET_STATUS64 
Should be removed once valgrind learns it.
 2019-12-02 10:06:56 +01:00
Yu Watanabe f5947a5e92 tree-wide: drop missing.h 2019-10-31 17:57:03 +09:00
Zbigniew Jędrzejewski-Szmek a5648b8094 basic/fs-util: change CHASE_OPEN flag into a separate output parameter 
chase_symlinks() would return negative on error, and either a non-negative status
or a non-negative fd when CHASE_OPEN was given. This made the interface quite
complicated, because dependning on the flags used, we would get two different
"types" of return object. Coverity was always confused by this, and flagged
every use of chase_symlinks() without CHASE_OPEN as a resource leak (because it
would this that an fd is returned). This patch uses a saparate output parameter,
so there is no confusion.

(I think it is OK to have functions which return either an error or an fd. It's
only returning *either* an fd or a non-fd that is confusing.)
 2019-10-24 22:44:24 +09:00
Lennart Poettering 66855de739 tree-wide: make use of errno_or_else() everywhere 2019-07-11 23:20:31 +02:00
Lennart Poettering a709a3154d dissect: split out DM deferred remove into src/shared/dm-util.c 
The function is generally useful, let's split it out so that we can make
use of it later on in systemd-homed.
 2019-07-05 02:19:24 +09:00
Yu Watanabe 657ee2d82b tree-wide: replace strjoin() with path_join() 2019-06-21 03:26:16 +09:00
Yu Watanabe 1b47436e0e util: make device_wait_for_initialization() optionally takes timeout value 2019-06-04 01:19:43 +09:00
Ben Boeckel 5238e95759 codespell: fix spelling errors 2019-04-29 16:47:18 +02:00
Yu Watanabe 01234e1fe7 tree-wide: drop several missing_*.h and import relevant headers from kernel-5.0 2019-04-11 19:00:37 +02:00
Lennart Poettering d8b4d14df4 util: split out nulstr related stuff to nulstr-util.[ch] 2019-03-14 13:25:52 +01:00
Lennart Poettering d9223c07f5 dissect: when mounting an image mount the XBOOTLDR partition to /boot 
Previously, we'd mount the ESP to /efi if that existed and was empty,
falling back to /boot if that existed and was empty.

With this change, the XBOOTLDR partition is mounted to /boot
unconditionally. And the EFI is mounted to /efi if that exists (but it
doesn't have to be empty — after all the name is very indicative of what
this is supposed to be), and to /boot as a fallback but only if it
exists and is empty (we insist on emptiness for that, since it might be
used differently than what we assume).

The net effect is that $BOOT should be reliably found under /boot, and
the ESP is either /efi or /boot.

(Note that this commit only is relevant for nspawn and suchlike, i.e.
the codepaths that mount an image without involving udev during boot.)
 2019-03-01 12:41:32 +01:00
Lennart Poettering a8c47660bb dissect: automatically detect boot loader spec $BOOT partition 
The boot loader spec supports two places to store boot loader
configuration: the ESP and a generic replacement for it in case the ESP
is not available or not suitable. Let's look for both.
 2019-03-01 12:41:32 +01:00
Lennart Poettering 59ba6d0c17 dissect: use SYNTHETIC_ERRNO() where appropriate 2019-03-01 12:41:32 +01:00
Zbigniew Jędrzejewski-Szmek cd8c98d7a7 shared/dissect-image: make sure that we don't truncate device name 
gcc-9 complains that the string may be truncated when written into the output
structure. This shouldn't happen, but if it did, in principle we could remove a
different structure (with a matching name prefix). Let's just refuse the
operation if the name doesn't fit.
 2019-01-27 09:35:36 +01:00
Lennart Poettering f70e7f70c9 dissect: add some assert()s 2018-12-19 23:27:47 +01:00
Lennart Poettering 052eaf5c93 gpt-auto-generator: don't wait for udev 
Generators run in a context where waiting for udev is not an option,
simply because it's not running there yet. Hence, let's not wait for it
in this case.

This is generally OK to do as we are operating on the root disk only
here, which should have been probed already by the time we come this
far.

An alternative fix might be to remove the udev dependency from image
dissection again in the long run (and thus replace reliance on
/dev/block/x:y somehow with something else).

Fixes: #11205
 2018-12-19 23:27:47 +01:00
Zbigniew Jędrzejewski-Szmek a8040b6d0a dissect-image: wait for the main device and all partitions to be known by udev 
Fixes #10526.

Even if we waited for the root device to appear, the mount could still fail if
we didn't wait for udev to initalize the device. In particular, the
/dev/block/n:m path used to mount the device is created by udev, and nspawn
would sometimes win the race and the mount would fail with -ENOENT.

The same wait is done for partitions, since if we try to mount them, the same
considerations apply.

Note: I first implemented a version which just does a loop (with a short wait).
In that approach, udev takes on average ~800 µs to initialize the loopback
device. The approach where we set up a monitor and avoid the loop is a bit
nicer. There doesn't seem to be a significant difference in speed.
With 1000 invocations of 'systemd-nspawn -i image.squashfs echo':

loop (previous approach):
real	4m52.625s
user	0m37.094s
sys	2m14.705s

monitor (this patch):
real	4m50.791s
user	0m36.619s
sys	2m14.039s
 2018-12-17 13:50:57 +01:00
Zbigniew Jędrzejewski-Szmek b887c8b8a8 dissect-image: wait for the root to appear 
dissect-image would wait for the root device and paritions to appear. But if we
had an image with no partitions, we'd not wait at all. If the kernel or udev
were slow in creating device nodes or symlinks, subsequent mount attempt might
fail if nspawn won the race.

Calling wait_for_partitions_to_appear() in case of no partitions means that we
verify that the kernel agrees that there are no partitions. We verify that the
kernel sees the same number of partitions as blkid, so let's that also in this
case.

This makes the failure in #10526 much less likely, but doesn't eliminate it
completely. Stay tuned.
 2018-12-17 13:50:57 +01:00
Zbigniew Jędrzejewski-Szmek ea887be00b dissect-image: split out a chunk of dissect_image() out 
No functional change, just moving code around.
 2018-12-17 13:50:57 +01:00
Chris Down e92aaed30e tree-wide: Remove O_CLOEXEC from fdopen 
fdopen doesn't accept "e", it's ignored. Let's not mislead people into
believing that it actually sets O_CLOEXEC.

From `man 3 fdopen`:

> e (since glibc 2.7):
> Open the file with the O_CLOEXEC flag. See open(2) for more information. This flag is ignored for fdopen()

As mentioned by @jlebon in #11131.
 2018-12-12 20:47:40 +01:00
Lennart Poettering 686d13b9f2 util-lib: split out env file parsing code into env-file.c 
It's quite complex, let's split this out.

No code changes, just some file rearranging.
 2018-12-02 13:22:29 +01:00
Lennart Poettering e4de72876e util-lib: split out all temporary file related calls into tmpfiles-util.c 
This splits out a bunch of functions from fileio.c that have to do with
temporary files. Simply to make the header files a bit shorter, and to
group things more nicely.

No code changes, just some rearranging of source files.
 2018-12-02 13:22:29 +01:00
Zbigniew Jędrzejewski-Szmek b2ac2b01c8
Merge pull request #10996 from poettering/oci-prep 
Preparation for the nspawn-OCI work
 2018-11-30 10:09:00 +01:00