-
-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v255 batch #435
Merged
Merged
v255 batch #435
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This fixes commit 9b0688f Author: Yu Watanabe <[email protected]> Date: Tue Jan 9 10:52:49 2024 +0900 virt: add Google Compute Engine support Signed-off-by: Daniel P. Berrangé <[email protected]> (cherry picked from commit 9ffdfc67c6aedcb66c2b18c2c61bc32e585e6d6e) (cherry picked from commit b077417713ea6df028d61287c042abc235fc0c41)
Currently, IS_SYNTHETIC_ERRNO() evaluates to true for all negative errnos, because of the two's-complement negative value representation. Subsequently, ERRNO= is not logged for most of our own code. Let's fix this, by formatting all synthetic errnos as positive. Then, treat all negative values as non-synthetic. While at it, mark the evaluation order explicitly, and remove unneeded comment. Fixes #33800 (cherry picked from commit 268f58076f7e0258dce75f521d08199092279853) (cherry picked from commit 4ad6b2631d73a574859a62d33715a7bdef810bcf)
Fixes #33834 (cherry picked from commit 639719e01065c3a2f557d70e4d8088c2ec71c7c6) (cherry picked from commit b2df49a87b17ba79b6e97d87199ceb1e4cbdb5de)
The signalfd_siginfo struct is received from outside via a FD, hence assert() is not appropriate way to check it. Just do a normal runtime check. (cherry picked from commit 7a64c5f23efbb51fe4f1229c1a8aed6dd858a0a9) (cherry picked from commit 7a48ea958bf146a45cb4a3b7ff7aeb5885469196)
EINVAL should be used when a function is called with an invalid argument. Here, the signal is not a function argument. Follow-up for 7a64c5f23efbb51fe4f1229c1a8aed6dd858a0a9. (cherry picked from commit ab9af70edb23f2a66e93e2e16f87cd98873885b7) (cherry picked from commit 84f0eda3781f49ff7f3035861b02fe247b89d65e)
…lesystems TEST-46-HOMED fails on ext4 because the filesystem is deemed to small for activation by cryptsetup. Let's bump the minimal filesystem size for ext4 a bit to be in the same ballpark as ext4 and btrfs to avoid weird errors due to impossibly small filesystems. (cherry picked from commit ae07feb401ff70b122650ac01041021703d4b8ad) (cherry picked from commit 161286e989a497537f7f38741dfe722dc2762a2e)
The new file, modules.weakdep, generated by depmod to get the weak dpendencies information can be present (kmod-project/kmod@05828b4), so remove it like the other similar files. Signed-off-by: Jose Ignacio Tornos Martinez <[email protected]> (cherry picked from commit eef4cd51f94d837bd0e71512c831634a2902522d) (cherry picked from commit 0cdec6e1fef4174c0d04aaca195ab56750437535)
- Improve wording for explanation when these variables are inherited - Clarify that these variables are not placed in the process environment block, so /proc/PID/environ cannot be used as a debugging tool (cherry picked from commit 6c1e0823b04525716d9ee0031a2b6735d3f7dfa4) (cherry picked from commit 5cf0c45f64079430b0b7c12ad323f238386260b0)
(cherry picked from commit 3f24fa57df552accc2a6f9ab4d36724ba7227eff) (cherry picked from commit ec3f2c8c8ad86004d6048510382167ee5f1ded61)
(cherry picked from commit 034b7dfc08062cde9f63847f34b4d1c604a19a46) (cherry picked from commit fb44ee89084a60c1400aa4f0d3676e4d05540714)
…ainer If we're running from within a container, we're very likely not going to want to use the kernel command line from /proc/cmdline, so let's add a check to see if we're running from a container to decide whether we'll use the kernel command line from /proc/cmdline. (cherry picked from commit 35c01ec59e0c2e6bd06cb18ca2ff612c6a7ea35d) (cherry picked from commit c386327fc851863abf4c27076bd368dfc55b83a0)
On CentOS/Fedora, dracut is configured to write the initrd to /boot/initramfs-$KERNEL_VERSION...img so let's check for that as well if no initrds were supplied. (cherry picked from commit b56920e36c5692c0dde701bfb48330653a9c62c9) (cherry picked from commit 1cb21b2cb194501464c52c1f32ae55f593689cc3)
Similar to the implementation of cgroup.kill in the kernel, let's skip kernel threads in cg_kill_items() as trying to kill kernel threads as an unprivileged process will fail with EPERM and doesn't do anything when running privileged. (cherry picked from commit 0fbb569de1dcc06118dba006cf7a40caf6cd94d0) (cherry picked from commit 3d90344e941f10b6fe7b1a315b79ca09c4451a86)
* document how TimeoutStartSec= affects notify-reload (cherry picked from commit a55d1b29a4cc2edc8550c5f4e062f2194807dcd3) (cherry picked from commit f23fe35c9f8963898040951fe16b68cb4463dbf7)
Even if a timespan specified to IgnoreCarrierLoss= for an interface, when the carrier of the interface lost, bound interfaces might be bring down immediately. Let's also postpone bringing down bound interfaces with the specified timespan. (cherry picked from commit e8eaed0240d642e70c567b08f3593e4cf45a255a) (cherry picked from commit 9468a6ea47cfb8412875923d09b8a8ae6ee02119)
The original CVM detection logic for TDX assumes that the guest can see the standard TDX CPUID leaf. This was true in Azure when this code was originally written, however, current Azure now blocks that leaf in the paravisor. Instead it is required to use the same Azure specific CPUID leaf that is used for SEV-SNP detection, which reports the VM isolation type. Signed-off-by: Daniel P. Berrangé <[email protected]> (cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd) (cherry picked from commit 812fc38b9147232862263e482ce19bec71137b95)
…e interface Otherwise, when an interface gained its carrier, the interface may not have matching .network file yet, then link_reconfigure_impl() returns zero, and link_handle_bound_by_list() is skipped. Fixes #33837. (cherry picked from commit 36b8ad085c6902631ad7054bffbda33d6d168823) (cherry picked from commit 0d98178abb5ea470d03d05680e58ff0e59fe69bd)
A PE image's memory footprint might be larger than its file size due to uninitialized memory sections. Normally all PE headers should be parsed to check the actual required size, but the legacy EFI handover protocol is only used for x86 Linux bzImages, so we know only the last section will require extra memory. Use SizeOfImage from the PE header and if it is larger than the file size, allocate and zero extra memory before using it. Fixes systemd/systemd#33816 (cherry picked from commit 19812661f1f65ebe777d1626b5abf6475faababc) (cherry picked from commit 84111f8916340e3e67d8166eb1d9938da94ce669)
(cherry picked from commit 4d6ab7e8440845301c90211beb22015e7232faa1) (cherry picked from commit c12c122e2ad3668848ffff69913006d420bda41d)
… station To avoid conflicts with user .network file for the wlan interface with Bond=. See systemd/systemd#19832 (comment). (cherry picked from commit e2becab08506d8a085f4c18231c7f354db16df9f) (cherry picked from commit ad861b6ae6ee9660912f03f73f771c98f426753c)
Several features were not being tested or weren't being evaluated thoroughly. (cherry picked from commit 38688bbc8ffb16a449a41cab344c27f6b1e74cd3) (cherry picked from commit fdf270a89e22ca9b0171153479cfda0c7922699e)
Although locked and empty passwords in /etc/passwd are treated the same, in all other cases the entry is configured to read the password from /etc/shadow. (cherry picked from commit 5088de9daa156a095e79684c658f9035db971538) (cherry picked from commit 21d270d38f821915949e3c13950637994c33d34f)
If /etc/passwd and/or /etc/shadow exist but don't have an existing root entry, one needs to be added. Previously this only worked if the files didn't exist. (cherry picked from commit 2319154a6bec7b8c42e901dfacaefe95bf4e3750) (cherry picked from commit 847dd914d0ee0e6f3ca576891b82896ee3e68d99)
Remove an early return that prevents --prompt-root-password or --prompt-root-shell and systemd.firstboot=off using credentials. In that case, arg_prompt_root_password and arg_prompt_root_shell will be false, but the prompt helpers still need to be called to read the credentials. Furthermore, if only the root shell has been set, don't overwrite the root password. (cherry picked from commit 35bc4c34240afdd55e117b909f26fa9a5dc54f3b) (cherry picked from commit b5448c16f8f7a67da5266bec7d5c6677cc34ab24)
All messages logged from exec_spawn() are attributed to the unit and as such we should set the log level to the unit's max log level for the duration of the function. (cherry picked from commit 7881f485c9f57b1c7de4308eeab54458890c5c19) (cherry picked from commit 4fd349953ea1d1ed580ecb94e5c0bf98c59d0fac)
Each log context field can expand to up to three iovecs (key, value and newline) so let's fix the size calculation to take this into account. (cherry picked from commit fc83ff3f55ee53fd9101d4e45736f3f996ee7ca6) (cherry picked from commit f2edebce25779018beca0acd28457864869c2546)
The kernel might start returning -EINVAL when trying to open pidfd's for kernel threads so let's not try to open pidfd's for kernel threads. (cherry picked from commit ead48ec35c863650944352a3455f26ce3b393058) (cherry picked from commit f1d4e79eff71102199d864175efb7a2353c36502)
(cherry picked from commit 590348e2bf8415053487324d47d0083b49dfdeb0) (cherry picked from commit ee85ef4ffa9367ff5122b5955039009080659ce0)
(cherry picked from commit 941a12dcba57f6673230a9c413738c51374d2998) (cherry picked from commit 1a3d8368bcc8c123145955affd76a9c97f819ad5)
Fixes CID#1548022 and CID#1548075. (cherry picked from commit f7012a93a7f04fa29c7933a4963aa17fcf120e97) (cherry picked from commit 11c15905cd4759b89a1da63d05772c1f7c3744a4)
tcp reset / icmp port-unreachable are markedly different conditions than packet loss. It doesn't make much sense to retry in this case. It's actually not clear if there is any benefit at all retrying tcp connections, which were presumably already retried as necessary by the tcp stack. (cherry picked from commit ddd710a355acc698b48159f3e501dda5a7dc2704) (cherry picked from commit f5376fea7de173e9369e8af569fc6ecabd0d7282)
We have different impls of detect_confidential_virtualization per architecture. The detection is cached in the x86_64 impl, and as we add support for more targets, we want to use caching for all. It thus makes sense to split caching out into an architecture independent method. Signed-off-by: Daniel P. Berrangé <[email protected]> (cherry picked from commit 1c4bd7adcc281af2a2dd40867f64f2ac54a43c7a) (cherry picked from commit a1359ac94068580b4a12b2714a590a8ac1d30cae)
The s390x platform provides confidential VMs using the "Secure Execution" technology, which is also referred to as "Protected Virtualization" or just "prot virt" in Linux / QEMU. This can be detected through a simple sysfs attribute. Signed-off-by: Daniel P. Berrangé <[email protected]> (cherry picked from commit 6c35e0a51cc6a852ce239ea46cd75c133212a68e) (cherry picked from commit 7a6d4cdc483c3cff03342d8c69b10c6792192171)
Add a section which lists the known confidential virtual machine technologies. Signed-off-by: Daniel P. Berrangé <[email protected]> (cherry picked from commit a8fb5d21fd6127a6d05757c793cc9ba47f65c893) (cherry picked from commit 037510812fbcaf689b5b107a85f3a031d15dc505)
…rk(5) Prompted by #33702. (cherry picked from commit 347c8822d1a8a5b70624920b3de2a91d4e0fca91) (cherry picked from commit ab4e1faca6e5128a3c32d93eedd5609709da8229)
…is reverted Follow-up for af7417a. Closes #33596. (cherry picked from commit 1c0130e8dc3c99d5a85be41e9172adb0ff0cf7fd) (cherry picked from commit ce940b62acfca1f229818d82edee07986c05b50c)
…zation (cherry picked from commit f0fdd13c2f06f9c78747103b971566e2c62b9333) (cherry picked from commit 8beae811239830a86107abbbd6256b13cde2e33f)
Otherwise, read_stripped_line() would spuriously drop trailing spaces. Fixes #33924 (cherry picked from commit 9be46b1da8b01c3f47e6c050185f2b45484d6300) (cherry picked from commit c3ede0cfe78c4d70cfbeb333897969e27a6c6dda)
Let's explicitly pass the value to -fstrict-flex-arrays. This does not change behavior but it does (selfishly) make my error not bug out with an error saying -fstrict-flex-arrays does not exist. (cherry picked from commit ad723ca3e5bd41d2d884760375534910bb55d9b3) (cherry picked from commit 2925fc2c6f4b13a2f098912fa3d44ad31e9f2cf0)
…> symlink In multi-arch distributions (debian and derivatives) multiarch tuples under /usr/lib are used, such as /usr/lib/x86_64-linux-gnu/ but the /lib64 symlink should never point there, it should always point to /usr/lib64, as that's how they are set up by distribution-specific tools. https://packages.debian.org/bookworm/amd64/libc6-i386/filelist https://packages.debian.org/bookworm/mipsel/libc6-mips64/filelist https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L295 https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L517 http://bugs.debian.org/1076491 Fixes systemd/systemd#33919 (cherry picked from commit b75c13731ee0867a8d7889348fc8da1869af7551) (cherry picked from commit 38caeac7680b3f7a81b741336f57f9b56d040297)
Fixes Fixes #33935. (cherry picked from commit b48ab08732a76b7337628e1e716f11c687000903) (cherry picked from commit 0195db6e919e80bdd6b4b706ebc24d5e935f5422)
(cherry picked from commit 0d113f8e70243c1a8f0587105195e51e027a4725) (cherry picked from commit 8d5806b1e22798d8ee18b889af47568f5fccf3ed)
Running the following commands: # mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d # /usr/lib/systemd/systemd-pcrlock predict --pcr=1+2+3+4+5+16 Will result in: ... Floating point exception Running the following commands: # mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d # /usr/lib/systemd/systemd-pcrlock make-policy --pcr=1+2+3+4+5+16 Will result to this (partial) log: ... Predicted future PCRs in 133us. [] ... Written policy digest 0000000000000000000000000000000000000000000000000000000000000000 to NV index 0x1921da6 ... So, add missing checks to handle gracefully cases where there's no variant inside the component. Signed-off-by: Arnaud Patard <[email protected]> (cherry picked from commit e7a93e75219b22424bab95fe45982f5eef21d581) (cherry picked from commit 74f830e048beab8b48c4a25dcb8666a861981aec)
When creating a user, check if the requested group name matches a user name in the queue. If that matched user name is also going to be a group name, then use it for the new user too. In other words, allow the following: u foo - u bar -:foo when both foo and bar are new users. Fixes #33547 (cherry picked from commit 18a8f03e5160ca3828d327d9bbd1b32f26d792a3) (cherry picked from commit edf52384c2e99cd5af9bcd4ae4b13fd8f79596d3)
gcc15 has -Wunterminated-string-initialization in -Wextra and warns about string constants that are not null terminated even though the functions do do out of bounds access. Silence the warnings by simply not providing an explicit size. (cherry picked from commit af1a6db58fde8f64edcf7d27e1f3b636c999934c) (cherry picked from commit ca09bc33e8b2cbc7c410c300b6df5cf3ce437a3b)
With af1a6db58fde8f64edcf7d27e1f3b636c999934c, now we can build with the option. (cherry picked from commit f548bc4011bcdab008b125b9d0993817efa00718) (cherry picked from commit 772549666cf291d85c28d3bfc1ab2b7227422d4f)
We generally don't care about library debuginfo so let's just disable debuginfod so it doesn't get in the way when debugging. We use /root/.gdbinit as the systemwide gdbinit location is distribution specific. (cherry picked from commit 2561e2a35601383bfba30da58d378303cb9e39aa) (cherry picked from commit afcc3f39a3fba9129325cdec0511bb63e0ba68c5)
When unit_need_daemon_reload() calls unit_find_dropin_paths() to check for new drop-in configs, the manager's unit path cache is used to limit which directories are considered. If a new drop-in directory is created, it may not be in the unit path cache, and hence unit_need_daemon_reload() may return false, despite a new drop-in being present. However, if a unit path cache is not given to unit_file_find_dropin_paths() at all, then it behaves as if the target path was found in the unit path cache. So, to fix this, adapt unit_find_dropin_paths() to take a boolean argument indicating whether or not to pass along the unit path cache. Set this to false in unit_need_daemon_reload(). Fixes #31752 (cherry picked from commit 82c482d573c9d2f3ab36f7be8d32772f90f2c335) (cherry picked from commit 6f57f9b8aa4084179c82c98ec654315a63532fe9)
The nice value is part of struct sched_attr, and consequently invoking sched_setattr() after setpriority() would clobber the nice value with the default (as we are not setting it in struct sched_attr). It would be best to combine both calls, but for now simply invoke setpriority() after sched_setattr() to make sure Nice= remains effective when used together with CPUSchedulingPolicy=. (cherry picked from commit 711a157738b3dcd29a5ebc8f498eb46bfac59652) (cherry picked from commit b628d4dfa61234d28ffaa648ec09c5e9972f832a)
Let's mention that the new mount API may be used to establish new mounts in a container without needing the /run/host/incoming directory. (cherry picked from commit 74cc5e2041a2c32e1824b32316bd95f2c8a811f5) (cherry picked from commit 65eff444c4fa7be5eb1be71c5d94ab8732167e11)
(cherry picked from commit 7628565604f5a6a572cb4a33ccde9a64fcc9ff09) (cherry picked from commit 46d6146776f1c0beebec77704d78ba2b62d10208)
Bit 60 is the one corresponding to ReadOnly, not 50. Fix this. (cherry picked from commit 932cc94436e653d0487c29e0dd44685610cd7bcb) (cherry picked from commit 2665618555d08fc3877043cac392f1b6573811b7)
PTP device symlink creation rules are currently executed only when the udev action is 'add'. If a user reloads the rules and runs the udevadm trigger command to reapply changes, the symlink may be deleted, which can prevent the chronyd service from restarting properly. Signed-off-by: Chengen Du <[email protected]> (cherry picked from commit 6bd12be3fa7761f190e17efdbdbff4440da7528b) (cherry picked from commit 2a328ce80923baa55925c99a923c40ec46b86243)
(cherry picked from commit e9a5b4a10eaa10fd43c69d148d57c7f4d8e10a4f) (cherry picked from commit 8e9af7b18ac5f2adf64b5f9bdc9c4df67ec5d721)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.