Now that we can configure which controllers to delegate precisely, let's
limit wht we delegate to the user session: only "cpu" and "pids" as a
minimal baseline.
Fixes: #1715
When no entries matches with entry_oneshot, entry_default and
default_pattern, then log message shows a wrong entry.
Moreover, if none of entry_oneshot, entry_default and default_pattern
are set, then the index `i` is uninitialized.
This fixes such problem.
This moves the invocation a bit later, but that shoudln't matter. By
moving it we gain two things: first of all, its closer to other code
where it belongs, secondly its naturally conditioned properly, as we no
longer will rewrite the container ID file on every reexecution again,
and not in test mode either.
No real functional changes, just some rearranging to shorten the overly
long main() function a bit.
This gets rid of the arm_reboot_watchdog variable, as it can be directly
derived from shutdown_verb, and we need it only one time. By dropping it
we can reduce the number of arguments we need to pass around.
```
$ ./src/test/test-systemd-tmpfiles.py valgrind --leak-check=full --error-exitcode=1 ./build/systemd-tmpfiles
...
Running valgrind --leak-check=full --error-exitcode=1 ./build/systemd-tmpfiles on 'w /unresolved/argument - - - - "%Y"'
...
[<stdin>:1] Failed to substitute specifiers in argument: Invalid slot
...
==22602== 5 bytes in 1 blocks are definitely lost in loss record 1 of 2
==22602== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22602== by 0x4ECA7D4: malloc_multiply (alloc-util.h:74)
==22602== by 0x4ECA909: specifier_printf (specifier.c:59)
==22602== by 0x113490: specifier_expansion_from_arg (tmpfiles.c:1923)
==22602== by 0x1144E7: parse_line (tmpfiles.c:2159)
==22602== by 0x11551C: read_config_file (tmpfiles.c:2425)
==22602== by 0x115AB0: main (tmpfiles.c:2529)
```
The file /proc/xen/capabilities is only available if xenfs is mounted.
With a classic xenlinux based kernel that file is available
unconditionally. But with a modern pvops based kernel, xenfs must be
mounted before the "capabilities" may appear. xenfs is mounted very late
via .services files provided by the Xen toolstack. Other units may be
scheduled before xenfs is mounted, which will confuse the detection of
VIRTUALIZATION_XEN.
In all Xen enabled kernels, and if that kernel is actually running on
the Xen hypervisor, the "/proc/xen" directory is the reliable indicator
that this instance runs in a "Xen guest".
Adjust the code to check for /proc/xen instead of
/proc/xen/capabilities.
Fixes commit 3f61278b5 ("basic: Bugfix Detect XEN Dom0 as no virtualization")
Setting the secure_boot flag, avoids getting the printout
"EFI stub: UEFI Secure Boot is enabled." when booting
a Linux kernel with linuxx64.efi.stub and EFI SecureBoot enabled.
This is mainly a cosmetic fixup, as the "quiet" kernel parameter does
not silence pr_efi printouts in the linux kernel (this only works using
the efi stub from the linux source tree)
Ignore mkosi.builddir. In the future we can also add other patterns
if necessary.
run-intergration-tests.sh is updated to use the new script, and modified
to work from arbitrary directory.
Follow-up for #7494.
We currently look for "nobody" and "nfsnobody" when testing groups, both
of which do not exist on Ubuntu, our main testing environment. Let's
extend the tests slightly to also use "nogroup" if it exists.
The "nobody" user might possibly be seen by the journal or coredumping
code if unmapped userns-using processes are somehow visible to them.
Let's make sure we don't do the ACL magic for this user either, since
this is a special system user that might be backed by different real
users in different contexts.
We already synthesize records for both "root" and "nobody" in
nss-systemd. Let's do the same in our own NSS wrappers that are supposed
to bypass NSS if possible. Previously this was done for "root" only, but
let's clean this up, and do the same for "nobody" too, so that we
synthesize records the same way everywhere, regardless whether in NSS or
internally.
Instead of contacting PID 1 for dynamic UID/GID lookups for all
UIDs/GIDs that do not qualify as "system" do the more precise check
instead: check if they actually qualify for the "dynamic" range.
This adds uid_is_system() and gid_is_system(), similar in style to
uid_is_dynamic(). That a helper like this is useful is illustrated by
the fact that test-condition.c didn't get the check right so far, which
this patch fixes.
This might very well happen due to races between joining multicast
groups and network configuration and such, let's not complain, but just
drop the messages at debug level.
Fixes: #7527
%h is a special specifier because we look at $HOME (unless running suid, but
let's say that this case does not apply to tmpfiles, since the code is
completely unready to be run suid). For all other specifiers we query the user
db and use those values directly. I'm not sure if this exception is good, but
let's just "document" status quo for now. If this is changes, it should be in
a separate PR.
It's failing on artful s390x and i386:
Running /tmp/autopkgtest.Pexzdu/build.lfO/debian/build-deb/systemd-tmpfiles on 'f /tmp/test-systemd-tmpfiles.c236s1uq/arg - - - - %m'
expect: '01234567890123456789012345678901'
actual: 'e84bc78d162e472a8ac9759f5f1e4e0e'
--- stderr ---
Traceback (most recent call last):
File "/tmp/autopkgtest.Pexzdu/build.lfO/debian/src/test/test-systemd-tmpfiles.py", line 129, in <module>
test_valid_specifiers(user=False)
File "/tmp/autopkgtest.Pexzdu/build.lfO/debian/src/test/test-systemd-tmpfiles.py", line 89, in test_valid_specifiers
test_content('f {} - - - - %m', '{}'.format(id128.get_machine().hex), user=user)
File "/tmp/autopkgtest.Pexzdu/build.lfO/debian/src/test/test-systemd-tmpfiles.py", line 84, in test_content
assert content == expected
AssertionError
-------
Let's skip the test for now until this is resolved properly on the autopkgtest
side.
sd_path_home() returns ENXIO when a variable (such as $XDG_RUNTIME_DIR) is not
defined. Previously we used ENOKEY for unresolvable specifiers. To avoid having
two codes, or translating ENXIO to ENOKEY, I replaced ENOKEY use with ENXIO.
v2:
- use sd_path_home and change to ENXIO everywhere
An explicit --user switch is necessary because for the user@0.service instance
systemd-tmpfiles is running as root, and we need to distinguish that from
systemd-tmpfiles running in systemd-tmpfiles*.service.
Fixes#2208.
v2:
- restore "systemd-" prefix
- add systemd-tmpfiles-clean.{service,timer}, systemd-setup.service to
systemd-tmpfiles(8)
Yu Watanabe