v252 batch #390
Merged
resolved rejected RRsets containing a RR with a zero TTL and a RR with a nonzero TTL. In practice—see the linked issues—, this case triggered when an AF_UNSPEC query to a CNAMEd domain returned a zero TTL for the CNAME on one address family and a nonzero TTL for the CNAME on the other address family. The zero-nonzero TTL check cites RFC 2181 § 5.2 in a comment. That section says DNS clients should reject any RRset containing differing TTLs, which the check only implements a very special case of. That the old behavior caused real-world false NXDOMAIN results is reason enough to completely ignore the RFC's recommendation. However, mDNS treats zero TTLs specially, so the error case needs to be kept for mDNS. Fixes systemd/systemd#22177 Fixes systemd/systemd#20617 Fixes systemd/systemd#19118 (cherry picked from commit 8ec951e) Related to systemd#336 (cherry picked from commit a3f3d47) (cherry picked from commit 038effc)
On ppc64el with gcc 13.2 on Ubuntu 24.04:

```
3s In file included from ../src/basic/macro.h:386,
483s from ../src/basic/alloc-util.h:10,
483s from ../src/shared/install.c:12:
483s ../src/shared/install.c: In function ‘install_changes_dump’:
483s ../src/shared/install.c:432:64: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
483s 432 | err = log_error_errno(changes[i].type, "Failed to %s unit, unit %s does not exist.",
483s | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
483s ../src/shared/install.c:432:75: note: format string is defined here
483s 432 | err = log_error_errno(changes[i].type, "Failed to %s unit, unit %s does not exist.",
```

(cherry picked from commit 8040fa5) (cherry picked from commit f85d2c6) (cherry picked from commit 562cbec) (cherry picked from commit a85c9a2)
Kernel commit cb12fd8e0dabb9a1c8aef55a6a41e2c255fcdf4b added pidfs. Update filesystems-gperf.gperf and missing_magic.h accordingly. This fixes the following error building against a bleeding edge kernel.

```
../src/basic/meson.build:234:8: ERROR: Problem encountered: Unknown filesystems defined in kernel headers:
Filesystem found in kernel header but not in filesystems-gperf.gperf: PID_FS_MAGIC
```

(cherry picked from commit ed01b92) (cherry picked from commit 3676ca0) (cherry picked from commit a4ce409) (cherry picked from commit a57066f)
losetup in util-linux 2.40 started reporting lost loop devices [0] and it has an unfortunate side-effect where it reports lost devices even in containers, which then makes the loop device check "falsely" pass [1]. Let's just check for /dev/loop-control explicitly to "work around" this. [0] util-linux/util-linux@a6ca045 [1] util-linux/util-linux#2824 (cherry picked from commit 0348b50) (cherry picked from commit 5ab85d7) (cherry picked from commit c960f9a) (cherry picked from commit 686eb93)
sulogin from the latest util-linux started falling back to vt102 instead of linux, which makes screen sad (because we install only the linux terminfo into the test image) and expect trips over the unexpected warning. Let's just explicitly set TERM=linux before invoking screen to avoid this.

```
+ make -C TEST-69-SHUTDOWN setup run
...
INFO:test-shutdown:log in and start screen
root
root
Last login: Sun Mar 3 13:19:31 from 18.191.105.60
-bash-5.2# screen
screen
Cannot find terminfo entry for 'vt102'.
-bash-5.2# ERROR:test-shutdown:Timeout exceeded.
```

(cherry picked from commit 7a63c5e) (cherry picked from commit 275d720) (cherry picked from commit 58141ed) (cherry picked from commit ca08e02)
…d log file Given that the test involves screen(1), sending various control sequences to resize/clear the screen, most of the logs sent from the python script were nearly impossible to read or mixed with other messages sent to the console hence making the debug harder when the test is run manually. This patch introduces an option to redirect the pexpect IOs into a file (to be used in $STATEDIR/TEST-69-SHUTDOWN/run-nspawn). The pexpect logs are also enabled later so the boot logs are skipped since those are already included in the journal. (cherry picked from commit cf14d11) (cherry picked from commit dcea9bc) (cherry picked from commit 9fbbd59) (cherry picked from commit d3d3a89)
The logs from TEST-69 still contain a lot of unnecessary shell metacharacters, so to make the output more readable let's just set TERM=dumb, instead of having to strip everything semi-manually. Also, move the related --background= tweak to TEST-69, since it's relevant only for that particular test. Follow-up for 8d4bfd3. v255-only change: --background= is not supported in v255's sd-nspawn, so that hunk is dropped (cherry picked from commit 8d9cdb3) (cherry picked from commit 93c5ff0) (cherry picked from commit 75d7263) (cherry picked from commit 8db3e00)
This makes it easier for people packaging kernel-install plugins to get the path right. E.g. https://src.fedoraproject.org/rpms/python-virt-firmware/pull-request/3 fixes an issue where %{_libdir}/kernel/install.d was used, which gives incorrect results on 64-bit architectures. %_kernel_install_dir will make this even easier. (cherry picked from commit 5248a0c) (cherry picked from commit b25bd39) (cherry picked from commit 2a34c7d) (cherry picked from commit c520a83)
SO_BINDTODEVICE was used during connect() to fix an issue where IP_UNICAST_IF was improperly ignored for route lookups made by connect in linux. This has since been resolved upstream [1][2], but as a result we must apply the local socket exception to IP_UNICAST_IF as well. The SO_BINDTODEVICE is no longer necessary, but left in place for 5.x kernels. [1] https://lore.kernel.org/all/20220829111554.GA1771@debian/ [2] https://lore.kernel.org/all/20221208145437.GA75680@debian/ (cherry picked from commit 51d0568) (cherry picked from commit 78579f8) (cherry picked from commit 3b711f7) (cherry picked from commit bcdbba5)
with ExitType=cgroup It's not clear to me what the rationale of the logic was when ExitType=cgroup got introduced. But similar to the previous commit, I think we should not transition to 'start-post' on cgroup empty event. This is especially important for Type=dbus/notify services. (cherry picked from commit f52e9ed) (cherry picked from commit 9f4f1a1) (cherry picked from commit d7dfe88) (cherry picked from commit 8f58f8c)
Previously all queries to the reverse mapping domains (in-addr.arpa and ip6.arpa) were considered to be in-scope for mdns and llmnr at the same priority as DNS. This caused sd-resolved to ignore NXDOMAIN responses from dns in favor of lengthy timeouts. This narrows the scope of mdns and llmnr so they are not invariably considered as fallbacks for these domains. Now, mdns/llmnr on a link will only be used as a fallback when there is no suitable DNS scope, and when that link is DefaultRoute. (cherry picked from commit da920fe) (cherry picked from commit 28472e7) (cherry picked from commit a0e5271) (cherry picked from commit 6d43cb1)
From RFC 8880: Because the 'ipv4only.arpa' zone has to be an insecure delegation, DNSSEC cannot be used to protect these answers from tampering by malicious devices on the path. Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation to give DNS64/NAT64 gateways the freedom to synthesize answers to those queries at will, without the answers being rejected by DNSSEC-capable resolvers. DNSSEC-capable resolvers that follow this specification MUST NOT attempt to validate answers received in response to queries for the IPv6 AAAA address records for 'ipv4only.arpa'. Note that the name 'ipv4only.arpa' has no use outside of being used for this special DNS pseudo-query used to learn the DNS64/NAT64 address synthesis prefix, so the lack of DNSSEC security for that name is not a problem. See: https://datatracker.ietf.org/doc/html/rfc8880#name-security-considerations (cherry picked from commit 7406ebd) (cherry picked from commit 7c8ec64) (cherry picked from commit 4c2a1b4)
In some cases there is no configured server to answer a given question, because all scopes refused the query. In this case we currently return rcode SERVFAIL. In dns it is customary for authoritative nameservers to return REFUSED where the question is outside of their authority. This is better than SERVFAIL because it informs the client that they aren't likely to get an answer out of us anytime soon, and either the configuration, or the query, need to change. Similar logic invites us to use the rcode REFUSED on the stub if we aren't configured with any suitable scope for this question. (cherry picked from commit 4f2da49) (cherry picked from commit 6669973) (cherry picked from commit c7d8464) (cherry picked from commit c71eecd)
In some cases we refuse a query based on the RR type, mostly old deprecated types. Let's return NOTIMP in this case, which best communicates why the query failed. (cherry picked from commit 591810c) (cherry picked from commit d06f248) (cherry picked from commit 187d339) (cherry picked from commit f76f3e1)
The specified vendor UUID is not actually a UUID. This changes it to an actual UUID. The new value matches the ones from the systemd-boot man page and [The Boot Loader Interface](https://systemd.io/BOOT_LOADER_INTERFACE/). (cherry picked from commit c6d0c66) (cherry picked from commit aa7b847) (cherry picked from commit 53cc058) (cherry picked from commit 3325834)
This happens when the journal is rotated after data is written but before the entry that links to the data is written. This is neither data corruption, nor program error. Let's downgrade the log level. Closes #32153. (cherry picked from commit cb7e892) (cherry picked from commit 99886c0) (cherry picked from commit ab5c221) (cherry picked from commit 3b92b7d)
When an IO event source owns relevant fd, replacing with a new fd leaks the previously assigned fd.

```
sd_event_add_io(event, &s, fd, ...);
sd_event_source_set_io_fd_own(s, true);
sd_event_source_set_io_fd(s, new_fd); <-- The previous fd is not closed.
sd_event_source_unref(s); <-- new_fd is closed as expected.
```

Without the change, valgrind reports the leak:

```
==998589==
==998589== FILE DESCRIPTORS: 4 open (3 std) at exit.
==998589== Open file descriptor 4:
==998589== at 0x4F119AB: pipe2 (in /usr/lib64/libc.so.6)
==998589== by 0x408830: test_sd_event_source_set_io_fd (test-event.c:862)
==998589== by 0x403302: run_test_table (tests.h:171)
==998589== by 0x408E31: main (test-event.c:935)
==998589==
==998589==
==998589== HEAP SUMMARY:
==998589== in use at exit: 0 bytes in 0 blocks
==998589== total heap usage: 33,305 allocs, 33,305 frees, 1,283,581 bytes allocated
==998589==
==998589== All heap blocks were freed -- no leaks are possible
==998589==
==998589== For lists of detected and suppressed errors, rerun with: -s
==998589== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```

(cherry picked from commit 2fa4805) (cherry picked from commit 6d2dd43) (cherry picked from commit 5f8cf63) (cherry picked from commit a4bb56c)
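The fd ownership leak described in the commit message above, reproduced as an added example that is not systemd's code: `struct io_source` and its helpers are hypothetical stand-ins for an IO event source that owns its fd, and the pipes are constructed test input. It assumes the fix closes the owned fd before replacing it.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for an IO event source (not sd-event's real struct). */
struct io_source {
    int fd;
    bool owned; /* true: the source is responsible for closing fd */
};

/* Behaviour before the fix: the owned fd is overwritten and never closed. */
static void set_fd_leaky(struct io_source *s, int new_fd) {
    s->fd = new_fd;
}

/* Assumed shape of the fix: close the owned fd before taking the new one. */
static void set_fd_closing(struct io_source *s, int new_fd) {
    if (s->fd == new_fd)
        return;
    if (s->owned && s->fd >= 0)
        close(s->fd);
    s->fd = new_fd;
}

/* Releasing the source closes only the fd it currently holds. */
static void source_free(struct io_source *s) {
    if (s->owned && s->fd >= 0)
        close(s->fd);
    s->fd = -1;
}

/* 1 if the first fd survived the source (leak), 0 if not, -1 on setup error. */
static int replaced_fd_leaks(void (*set_fd)(struct io_source *, int)) {
    int a[2], b[2];
    if (pipe(a) < 0 || pipe(b) < 0)
        return -1;
    struct io_source s = { .fd = a[0], .owned = true };
    set_fd(&s, b[0]);
    source_free(&s);
    int leaked = fcntl(a[0], F_GETFD) != -1; /* EBADF means it was closed */
    if (leaked)
        close(a[0]);
    close(a[1]);
    close(b[1]);
    return leaked;
}

int main(void) {
    printf("leaky: %d\n", replaced_fd_leaks(set_fd_leaky));
    printf("closing: %d\n", replaced_fd_leaks(set_fd_closing));
    return 0;
}
```

Probing with `fcntl(fd, F_GETFD)` is the same signal valgrind's file descriptor summary gives: the descriptor outlives the object that claimed ownership of it.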
… is enabled The 'capability' sysattr was deprecated by torvalds/linux@e81cd5a (v6.3). (cherry picked from commit 33ff155) (cherry picked from commit 4798f03) (cherry picked from commit c936709) (cherry picked from commit 069f069)
This also fixes bugs in the previous code where we pass the server object as userdata to sd_event_add_signal which means that sd-event tries to use the value of the server pointer as its exit code when a signal is triggered. (cherry picked from commit dcd332a) (cherry picked from commit 247627c) (cherry picked from commit 233b373) (cherry picked from commit 3fd9306)
Until systemd/systemd#30056 is resolved. (cherry picked from commit 8ed7800) (cherry picked from commit b872bbd) (cherry picked from commit d031025) (cherry picked from commit 374b2aa)
No description provided.