#1 Resync c8s-sig-hyperscale branch
Merged 2 months ago by dcavalca. Opened 2 months ago by dcavalca.
rpms/dcavalca/systemd: c8s-sig-hyperscale into c8s-sig-hyperscale

Disable legacy iptables support
Davide Cavalca • 8 months ago  
revert to previous python build deps
Anita Zhang • 12 months ago  
minor correction to changelog
Anita Zhang • 12 months ago  
249.2-1.1: new release
Anita Zhang • 12 months ago  
Add missing SELinux rules for 248
Davide Cavalca • a year ago  
248.2: new release
Anita Zhang • a year ago  
new release 247.3-1
Anita Zhang • a year ago  
file added
+5
@@ -0,0 +1,5 @@ 

+ BUILD/

+ BUILDROOT/

+ RPMS/

+ SOURCES/*.tar.gz

+ SRPMS/
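Review bot: the ignore pattern only covers `SOURCES/*.tar.gz`, so any other archive type dropped into SOURCES/ (a `.tar.xz` upstream tarball, for instance) would be committed to git instead of staying in the lookaside cache; a pattern such as `SOURCES/*.tar.*` would close that gap. The build-output directories (BUILD/, BUILDROOT/, RPMS/, SRPMS/) are the expected set.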

file added
+1
@@ -0,0 +1,1 @@ 

+ 5e3b9df64a15cb3b446c0e74556ea9020ce50b8b SOURCES/systemd-249.4.tar.gz
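Review bot: this bare-SHA1 entry only ties the spec to whatever systemd-249.4.tar.gz was uploaded to the lookaside cache; nothing in the PR records where that tarball came from or how it was checked against upstream before upload. Since the PR has no description, please add one that states the tarball's origin and how it was verified, so the supply-chain step is auditable later rather than implied by the hash alone.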

@@ -1,42 +0,0 @@ 

- From b177b0ef92d226a9f303aecbff0cf2e7293667b3 Mon Sep 17 00:00:00 2001

- From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

- Date: Sat, 8 Aug 2020 09:21:37 +0200

- Subject: [PATCH] Do not assert in test_add_acls_for_user()

- 

- This is failing on s390x with:

- /* test_add_acls_for_user */

- add_acls_for_user(3, 1000): Invalid argument

- Assertion 'r >= 0' failed at src/test/test-acl-util.c:46, function test_add_acls_for_user(). Aborting.

- ---

-  src/test/test-acl-util.c | 4 ----

-  1 file changed, 4 deletions(-)

- 

- diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c

- index 9f0e594e67..a91d64ab0c 100644

- --- a/src/test/test-acl-util.c

- +++ b/src/test/test-acl-util.c

- @@ -43,24 +43,20 @@ static void test_add_acls_for_user(void) {

-  

-          r = add_acls_for_user(fd, uid);

-          log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid);

- -        assert_se(r >= 0);

-  

-          cmd = strjoina("ls -l ", fn);

-          assert_se(system(cmd) == 0);

-  

-          cmd = strjoina("getfacl -p ", fn);

- -        assert_se(system(cmd) == 0);

-  

-          /* set the acls again */

-  

-          r = add_acls_for_user(fd, uid);

- -        assert_se(r >= 0);

-  

-          cmd = strjoina("ls -l ", fn);

-          assert_se(system(cmd) == 0);

-  

-          cmd = strjoina("getfacl -p ", fn);

- -        assert_se(system(cmd) == 0);

-  

-          unlink(fn);

-  }
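Review bot: dropping this patch removes the s390x workaround for test_add_acls_for_user(), and the workaround itself was blunt: it deleted the `assert_se(r >= 0)` checks and the `getfacl` asserts instead of skipping the test when add_acls_for_user() returns EINVAL, so while it was applied the test could pass without verifying that any ACL was set. Removing it is the right direction on a rebase to 249.4, but the PR should say whether the s390x failure was fixed upstream or whether that architecture is simply not built for this branch; otherwise the first s390x build will fail in %check.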

@@ -1,30 +0,0 @@ 

- From a73d30081a13eaeffce87f997726a179ec44d817 Mon Sep 17 00:00:00 2001

- From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

- Date: Fri, 31 Jul 2020 10:50:37 +0200

- Subject: [PATCH 1/2] Revert "test-path: increase timeout"

- 

- This partially reverts commit 500727c220354b81b68ed6667d9a6f0fafe3ba19.

- 

- I was confused by the error message: the test says it timed out, but that's

- because it's waiting for a failed unit to come back to life. There is no actual

- timeout.

- 

- So let's keep the minor refactoring that was done, but revert to the old short

- timeout.

- ---

-  src/test/test-path.c | 2 +-

-  1 file changed, 1 insertion(+), 1 deletion(-)

- 

- diff --git a/src/test/test-path.c b/src/test/test-path.c

- index 1075f31bc6..63b709c8da 100644

- --- a/src/test/test-path.c

- +++ b/src/test/test-path.c

- @@ -82,7 +82,7 @@ static void check_states(Manager *m, Path *path, Service *service, PathState pat

-          assert_se(m);

-          assert_se(service);

-  

- -        usec_t end = now(CLOCK_MONOTONIC) + 30 * USEC_PER_SEC;

- +        usec_t end = now(CLOCK_MONOTONIC) + 2 * USEC_PER_SEC;

-  

-          while (path->result != PATH_SUCCESS || service->result != SERVICE_SUCCESS ||

-                 path->state != path_state || service->state != service_state) {
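Review bot: this removed patch restored the 2-second wait in check_states() of test-path.c (a partial revert of 500727c220354b81b68ed6667d9a6f0fafe3ba19, per its own message) and is dated July 2020, well before the 249.x series, so it is presumably already in the 249.4 tarball and no longer needs carrying. Please confirm that in the PR description along with the other dropped patches, so the reason for each removal is recorded rather than inferred.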

@@ -1,427 +0,0 @@ 

- From a1ff72565c2f12b644a081ebbe3492f93ceb3bd5 Mon Sep 17 00:00:00 2001

- From: Chris Down <chris@chrisdown.name>

- Date: Thu, 29 Oct 2020 12:03:52 +0000

- Subject: [PATCH 1/3] bpf: pid1: Pin reference to BPF programs for

-  post-coldplug

- MIME-Version: 1.0

- Content-Type: text/plain; charset=UTF-8

- Content-Transfer-Encoding: 8bit

- 

- During `daemon-reload` and `daemon-reexec`, we detach and reattach all

- BPF programs attached to cgroups. This, however, poses a real practical

- problem for DevicePolicy (and some other settings using BPF): it

- presents a period of time where the old device filtering BPF program has

- been unloaded, but the new one has not been loaded yet.

- 

- Since the filtering is at open() time, it has become apparent that that

- there's a non-trivial period where applications inside that ostensibly

- filtered cgroup can grab any device -- and often do so -- and then

- retain access to that device even after the reload is over. Due to the

- file continuing to be available after the initial open(), this issue is

- particularly visible for DevicePolicy={strict,closed}, however it also

- applies to other BPF programs we install.

- 

- In particular, for BPF ingress/egress filtering this may have more

- concerning implications: network traffic which is supposed to be

- filtered will -- for a very brief period of time -- not be filtered or

- subject to any restrictions imposed by BPF.

- 

- These BPF programs are fundamentally attached to a cgroup lifetime, not

- our unit lifetime, so it's enough to pin these programs by taking a

- reference to affected BPF programs before reload/reexec. We can then

- serialise the program's kernel-facing FD and cgroup attachment FD for

- the new daemon, and have the daemon on the other side unpin the programs

- after it's finished with coldplug.

- 

- That means that, for example, the BPF program lifecycle during

- daemon-reload or daemon-reexec changes from this:

- 

-     manager_clear_jobs_and_units

-                  │

-           ╔══════╪═════════╤═══════╗

-           ║ prog │ no prog │ prog' ║

-           ╚══════╧═════════╪═══════╝

-                            │

-                     manager_coldplug

- 

- to this:

- 

-     manager_clear_jobs_and_units         manager_dispatch_cgroup_realize_queue

-                  │                                       │

-           ╔══════╪═══════════════╤═══════════════════════╪═══════╗

-           ║ prog │ prog (orphan) │ prog (orphan) + prog' │ prog' ║

-           ╚══════╧═══════════════╪═══════════════════════╧═══════╝

-                                  │

-                           manager_coldplug

- 

- For daemon-reexec the semantics are mostly the same, but the point at

- which the program becomes orphan is tied to the process lifecycle

- instead.

- 

- None of the BPF programs we install require exclusive access, so having

- multiple instances of them running at the same time is fine. Custom

- programs, of course, are unknown, but it's hard to imagine legitimate

- cases which should be affected, whereas the benefits of this "overlap"

- approach with reference pinning is immediately tangible.

- 

- [keszybz: use _cleanup_ for unpin, use FOREACH_POINTER]

- ---

-  src/core/bpf-firewall.c  |   9 +--

-  src/core/main.c          |   9 +++

-  src/core/manager.c       | 163 ++++++++++++++++++++++++++++++++++++++-

-  src/core/manager.h       |   6 ++

-  src/shared/bpf-program.c |  10 +++

-  src/shared/bpf-program.h |   1 +

-  6 files changed, 191 insertions(+), 7 deletions(-)

- 

- diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c

- index bceb049b58..e3089ff6f4 100644

- --- a/src/core/bpf-firewall.c

- +++ b/src/core/bpf-firewall.c

- @@ -703,8 +703,7 @@ int bpf_firewall_install(Unit *u) {

-          if (r < 0)

-                  return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");

-  

- -        flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI &&

- -                 (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;

- +        flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI) ? BPF_F_ALLOW_MULTI : 0;

-  

-          /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to

-           * minimize the time window when we don't account for IP traffic. */

- @@ -712,8 +711,7 @@ int bpf_firewall_install(Unit *u) {

-          u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);

-  

-          if (u->ip_bpf_egress) {

- -                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path,

- -                                              flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI));

- +                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);

-                  if (r < 0)

-                          return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);

-  

- @@ -722,8 +720,7 @@ int bpf_firewall_install(Unit *u) {

-          }

-  

-          if (u->ip_bpf_ingress) {

- -                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path,

- -                                              flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI));

- +                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);

-                  if (r < 0)

-                          return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);

-  

- diff --git a/src/core/main.c b/src/core/main.c

- index 4a376976e9..9873f35f5e 100644

- --- a/src/core/main.c

- +++ b/src/core/main.c

- @@ -1144,6 +1144,14 @@ static int prepare_reexecute(

-          if (!fds)

-                  return log_oom();

-  

- +        /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF

- +         * program is active during task execution within a cgroup. This would be bad since this may have

- +         * security or reliability implications: devices we should filter won't be filtered, network activity

- +         * we should filter won't be filtered, etc. We pin all the existing devices by bumping their

- +         * refcount, and then storing them to later have it decremented. */

- +        _cleanup_(manager_unpin_all_cgroup_bpf_programsp) Manager *m_unpin =

- +                manager_pin_all_cgroup_bpf_programs(m);

- +

-          r = manager_serialize(m, f, fds, switching_root);

-          if (r < 0)

-                  return r;

- @@ -1159,6 +1167,7 @@ static int prepare_reexecute(

-          if (r < 0)

-                  return log_error_errno(r, "Failed to disable O_CLOEXEC for serialization fds: %m");

-  

- +        TAKE_PTR(m_unpin);

-          *ret_f = TAKE_PTR(f);

-          *ret_fds = TAKE_PTR(fds);

-  

- diff --git a/src/core/manager.c b/src/core/manager.c

- index 41e0d73736..1ce0e05706 100644

- --- a/src/core/manager.c

- +++ b/src/core/manager.c

- @@ -64,6 +64,7 @@

-  #include "rlimit-util.h"

-  #include "rm-rf.h"

-  #include "serialize.h"

- +#include "set.h"

-  #include "signal-util.h"

-  #include "socket-util.h"

-  #include "special.h"

- @@ -3210,6 +3211,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) {

-          manager_serialize_uid_refs_internal(m, f, &m->gid_refs, "destroy-ipc-gid");

-  }

-  

- +static int serialize_limbo_bpf_program(FILE *f, FDSet *fds, BPFProgram *p) {

- +        int copy;

- +        _cleanup_free_ char *ap = NULL;

- +

- +        /* We don't actually need the instructions or other data, since this is only used on the other side

- +         * for BPF limbo, which just requires the program type, cgroup path, and kernel-facing BPF file

- +         * descriptor. We don't even need to know what unit or directive it's attached to, since we're just

- +         * going to expire it after coldplug. */

- +

- +        assert(f);

- +        assert(p);

- +

- +        /* If the program isn't attached to the kernel yet, there's no reason to serialise it for limbo. Just

- +         * let it be skeletonized and then coldplug can do the work on the other side if it's still

- +         * necessary. */

- +        if (p->kernel_fd < 0 || !p->attached_path)

- +                return -ENOTCONN;

- +

- +        copy = fdset_put_dup(fds, p->kernel_fd);

- +        if (copy < 0)

- +                return log_error_errno(copy, "Failed to add file descriptor to serialization set: %m");

- +

- +        /* Otherwise, on daemon-reload, we'd remain pinned. */

- +        safe_close(p->kernel_fd);

- +

- +        ap = cescape(p->attached_path);

- +        if (!ap)

- +                return log_oom();

- +

- +        return serialize_item_format(f, "bpf-limbo", "%i %i %i \"%s\"",

- +                                     copy, p->prog_type, p->attached_type, ap);

- +}

- +

- +static void deserialize_limbo_bpf_program(Manager *m, FDSet *fds, const char *value) {

- +        _cleanup_free_ char *raw_fd = NULL, *raw_pt = NULL, *raw_at = NULL, *cgpath = NULL;

- +        int fd, r, prog_type, attached_type;

- +

- +        assert(m);

- +        assert(value);

- +

- +        r = extract_first_word(&value, &raw_fd, NULL, 0);

- +        if (r <= 0 || safe_atoi(raw_fd, &fd) < 0 || fd < 0 || !fdset_contains(fds, fd))

- +                return (void) log_error("Failed to parse bpf-limbo FD: %s", value);

- +

- +        r = extract_first_word(&value, &raw_pt, NULL, 0);

- +        if (r <= 0 || safe_atoi(raw_pt, &prog_type) < 0)

- +                return (void) log_error("Failed to parse bpf-limbo program type: %s", value);

- +

- +        r = extract_first_word(&value, &raw_at, NULL, 0);

- +        if (r <= 0 || safe_atoi(raw_at, &attached_type) < 0)

- +                return (void) log_error("Failed to parse bpf-limbo attached type: %s", value);

- +

- +        r = extract_first_word(&value, &cgpath, NULL, EXTRACT_CUNESCAPE | EXTRACT_UNQUOTE);

- +        if (r <= 0)

- +                return (void) log_error("Failed to parse attached path for BPF limbo FD %s", value);

- +

- +        _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;

- +        r = bpf_program_new(prog_type, &p);

- +        if (r < 0)

- +                return (void) log_error_errno(r, "Failed to create BPF limbo program: %m");

- +

- +        /* Just enough to free it when the time is right, this does not have enough information be used as a

- +         * real BPFProgram. */

- +        p->attached_type = attached_type;

- +        p->kernel_fd = fdset_remove(fds, fd);

- +        p->attached_path = TAKE_PTR(cgpath);

- +

- +        r = set_ensure_put(&m->bpf_limbo_progs, NULL, p);

- +        if (r < 0)

- +                return (void) log_error_errno(r, "Failed to register BPF limbo program for FD %s: %m", value);

- +        TAKE_PTR(p);

- +}

- +

-  int manager_serialize(

-                  Manager *m,

-                  FILE *f,

- @@ -3221,6 +3295,7 @@ int manager_serialize(

-          Iterator i;

-          Unit *u;

-          int r;

- +        BPFProgram *p;

-  

-          assert(m);

-          assert(f);

- @@ -3265,6 +3340,9 @@ int manager_serialize(

-                  (void) serialize_dual_timestamp(f, joined, m->timestamps + q);

-          }

-  

- +        SET_FOREACH(p, m->bpf_limbo_progs, i)

- +                (void) serialize_limbo_bpf_program(f, fds, p);

- +

-          if (!switching_root)

-                  (void) serialize_strv(f, "env", m->client_environment);

-  

- @@ -3543,7 +3621,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {

-                          else

-                                  m->n_failed_jobs += n;

-  

- -                } else if ((val = startswith(l, "taint-usr="))) {

- +                } else if ((val = startswith(l, "bpf-limbo=")))

- +                        deserialize_limbo_bpf_program(m, fds, val);

- +

- +                else if ((val = startswith(l, "taint-usr="))) {

-                          int b;

-  

-                          b = parse_boolean(val);

- @@ -3719,6 +3800,67 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {

-          return manager_deserialize_units(m, f, fds);

-  }

-  

- +Manager* manager_pin_all_cgroup_bpf_programs(Manager *m) {

- +        int r;

- +        Unit *u;

- +        Iterator ih, is;

- +

- +        assert(m);

- +

- +        HASHMAP_FOREACH(u, m->units, ih) {

- +                BPFProgram *p;

- +

- +                FOREACH_POINTER(p,

- +                                u->bpf_device_control_installed,

- +                                u->ip_bpf_ingress,

- +                                u->ip_bpf_ingress_installed,

- +                                u->ip_bpf_egress,

- +                                u->ip_bpf_egress_installed)

- +                        if (p) {

- +                                r = set_ensure_put(&m->bpf_limbo_progs, NULL, p);

- +                                if (r < 0) {

- +                                        log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m");

- +                                        continue;

- +                                }

- +

- +                                bpf_program_ref(p);

- +                        }

- +

- +                Set *s;

- +                FOREACH_POINTER(s,

- +                                u->ip_bpf_custom_ingress,

- +                                u->ip_bpf_custom_ingress_installed,

- +                                u->ip_bpf_custom_egress,

- +                                u->ip_bpf_custom_egress_installed)

- +                        SET_FOREACH(p, s, is) {

- +                                r = set_ensure_put(&m->bpf_limbo_progs, NULL, p);

- +                                if (r < 0) {

- +                                        log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m");

- +                                        continue;

- +                                }

- +

- +                                bpf_program_ref(p);

- +                        }

- +        }

- +

- +        log_debug("Pinned %d BPF programs", set_size(m->bpf_limbo_progs));

- +

- +        return m;

- +}

- +

- +static void manager_skeletonize_all_cgroup_bpf_programs(Manager *m) {

- +        BPFProgram *p;

- +        Iterator i;

- +

- +        SET_FOREACH(p, m->bpf_limbo_progs, i)

- +                bpf_program_skeletonize(p);

- +}

- +

- +void manager_unpin_all_cgroup_bpf_programs(Manager *m) {

- +        log_debug("Unpinning %d BPF programs", set_size(m->bpf_limbo_progs));

- +        set_clear_with_destructor(m->bpf_limbo_progs, bpf_program_unref);

- +}

- +

-  int manager_reload(Manager *m) {

-          _cleanup_(manager_reloading_stopp) Manager *reloading = NULL;

-          _cleanup_fdset_free_ FDSet *fds = NULL;

- @@ -3738,6 +3880,13 @@ int manager_reload(Manager *m) {

-          /* We are officially in reload mode from here on. */

-          reloading = manager_reloading_start(m);

-  

- +        /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF

- +         * program is active during task execution within a cgroup. This would be bad since this may have

- +         * security or reliability implications: devices we should filter won't be filtered, network activity

- +         * we should filter won't be filtered, etc. We pin all the existing devices by bumping their

- +         * refcount, and then storing them to later have it decremented. */

- +        (void) manager_pin_all_cgroup_bpf_programs(m);

- +

-          r = manager_serialize(m, f, fds, false);

-          if (r < 0)

-                  return r;

- @@ -3762,6 +3911,12 @@ int manager_reload(Manager *m) {

-          m->uid_refs = hashmap_free(m->uid_refs);

-          m->gid_refs = hashmap_free(m->gid_refs);

-  

- +        /* The only canonical reference left to the dynamically allocated parts of these BPF programs is

- +         * going to be on the other side of manager_deserialize, so the freeable parts can now be freed. The

- +         * program itself will be detached as part of manager_vacuum. */

- +        manager_skeletonize_all_cgroup_bpf_programs(m);

- +        m->bpf_limbo_progs = set_free(m->bpf_limbo_progs);

- +

-          r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL);

-          if (r < 0)

-                  log_warning_errno(r, "Failed to initialize path lookup table, ignoring: %m");

- @@ -4700,6 +4855,12 @@ static void manager_vacuum(Manager *m) {

-  

-          /* Release any runtimes no longer referenced */

-          exec_runtime_vacuum(m);

- +

- +        /* Release any outmoded BPF programs that were deserialized from the previous manager, since new ones

- +         * should be in action now. We first need to make sure all entries in the cgroup realize queue are

- +         * complete, otherwise BPF firewalls/etc may not have been set up yet. */

- +        (void) manager_dispatch_cgroup_realize_queue(m);

- +        manager_unpin_all_cgroup_bpf_programs(m);

-  }

-  

-  int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {

- diff --git a/src/core/manager.h b/src/core/manager.h

- index 81b0c13a95..6f8f8b04b4 100644

- --- a/src/core/manager.h

- +++ b/src/core/manager.h

- @@ -433,6 +433,8 @@ struct Manager {

-          bool honor_device_enumeration;

-  

-          VarlinkServer *varlink_server;

- +

- +        Set *bpf_limbo_progs;

-  };

-  

-  static inline usec_t manager_default_timeout_abort_usec(Manager *m) {

- @@ -474,6 +476,10 @@ int manager_add_job_by_name(Manager *m, JobType type, const char *name, JobMode

-  int manager_add_job_by_name_and_warn(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs,  Job **ret);

-  int manager_propagate_reload(Manager *m, Unit *unit, JobMode mode, sd_bus_error *e);

-  

- +Manager* manager_pin_all_cgroup_bpf_programs(Manager *m);

- +void manager_unpin_all_cgroup_bpf_programs(Manager *m);

- +DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_unpin_all_cgroup_bpf_programs);

- +

-  void manager_dump_units(Manager *s, FILE *f, const char *prefix);

-  void manager_dump_jobs(Manager *s, FILE *f, const char *prefix);

-  void manager_dump(Manager *s, FILE *f, const char *prefix);

- diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c

- index e5c9df4004..cc479aa52e 100644

- --- a/src/shared/bpf-program.c

- +++ b/src/shared/bpf-program.c

- @@ -210,6 +210,16 @@ int bpf_program_cgroup_detach(BPFProgram *p) {

-          return 0;

-  }

-  

- +void bpf_program_skeletonize(BPFProgram *p) {

- +        assert(p);

- +

- +        /* Called shortly after serialization. From this point on, we are frozen for serialization and entry

- +         * into BPF limbo, so we should proactively free our instructions and attached path. However, we

- +         * shouldn't detach the program or close the kernel FD -- we need those on the other side. */

- +        free(p->instructions);

- +        free(p->attached_path);

- +}

- +

-  int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags) {

-          union bpf_attr attr = {

-                  .map_type = type,

- diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h

- index a21589eb1f..6ea5d9a57c 100644

- --- a/src/shared/bpf-program.h

- +++ b/src/shared/bpf-program.h

- @@ -28,6 +28,7 @@ struct BPFProgram {

-  int bpf_program_new(uint32_t prog_type, BPFProgram **ret);

-  BPFProgram *bpf_program_unref(BPFProgram *p);

-  BPFProgram *bpf_program_ref(BPFProgram *p);

- +void bpf_program_skeletonize(BPFProgram *p);

-  

-  int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count);

-  int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);

- -- 

- 2.24.1

- 
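Review bot: this is the security-relevant removal in the PR. The dropped backport closes a window during `daemon-reload`/`daemon-reexec` in which the old cgroup BPF programs (DevicePolicy filtering and the BPF firewall) were detached before their replacements were attached, so a process inside a supposedly restricted cgroup could open() a device or pass traffic during the reload and keep the descriptor afterwards. The commit is dated October 2020 and carries the `[keszybz: ...]` merge annotation, so it should already be part of 249.4, but that needs verifying rather than assuming: grep the unpacked tarball for `bpf_limbo_progs` and `manager_pin_all_cgroup_bpf_programs` before merging, and as an acceptance check run a unit with `DevicePolicy=closed` through `systemctl daemon-reload` and confirm that device opens from inside it stay denied for the whole reload. If either check fails, the patch must stay in the branch.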

@@ -0,0 +1,257 @@ 

+ From d4bd8777a483ea834e687c1ee35dee32efe6e49f Mon Sep 17 00:00:00 2001

+ From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

+ Date: Wed, 7 Jul 2021 14:02:36 +0200

+ Subject: [PATCH 1/5] rpm: don't specify the full path for systemctl and other

+  commands

+ 

+ We can make things a bit simpler and more readable by not specifying the path.

+ Since we didn't specify the full path for all commands (including those invoked

+ recursively by anythign we invoke), this didn't really privide any security or

+ robustness benefits. I guess that full paths were used because this style of

+ rpm packagnig was popular in the past, with macros used for everything

+ possible, with special macros for common commands like %{__ln} and %{__mkdir}.

+ 

+ (cherry picked from commit 7d9ee15d0fc2af87481ee371b278dbe7e68165ef)

+ ---

+  src/rpm/macros.systemd.in      | 24 ++++++++++++------------

+  src/rpm/triggers.systemd.in    | 18 +++++++++---------

+  src/rpm/triggers.systemd.sh.in | 18 +++++++++---------

+  3 files changed, 30 insertions(+), 30 deletions(-)

+ 

+ diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in

+ index 3a0169a85f..3129ab2d61 100644

+ --- a/src/rpm/macros.systemd.in

+ +++ b/src/rpm/macros.systemd.in

+ @@ -46,9 +46,9 @@ OrderWithRequires(postun): systemd \

+  

+  %systemd_post() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_post}} \

+ -if [ $1 -eq 1 ] && [ -x %{_bindir}/systemctl ]; then \

+ +if [ $1 -eq 1 ] && command -v systemctl >/dev/null; then \

+      # Initial installation \

+ -    %{_bindir}/systemctl --no-reload preset %{?*} || : \

+ +    systemctl --no-reload preset %{?*} || : \

+  fi \

+  %{nil}

+  

+ @@ -56,21 +56,21 @@ fi \

+  

+  %systemd_preun() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_preun}} \

+ -if [ $1 -eq 0 ] && [ -x %{_bindir}/systemctl ]; then \

+ +if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \

+      # Package removal, not upgrade \

+      if [ -d /run/systemd/system ]; then \

+ -          %{_bindir}/systemctl --no-reload disable --now %{?*} || : \

+ +          systemctl --no-reload disable --now %{?*} || : \

+      else \

+ -          %{_bindir}/systemctl --no-reload disable %{?*} || : \

+ +          systemctl --no-reload disable %{?*} || : \

+      fi \

+  fi \

+  %{nil}

+  

+  %systemd_user_preun() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_preun}} \

+ -if [ $1 -eq 0 ] && [ -x %{_bindir}/systemctl ]; then \

+ +if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \

+      # Package removal, not upgrade \

+ -    %{_bindir}/systemctl --global disable %{?*} || : \

+ +    systemctl --global disable %{?*} || : \

+  fi \

+  %{nil}

+  

+ @@ -84,10 +84,10 @@ fi \

+  

+  %systemd_postun_with_restart() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \

+ -if [ $1 -ge 1 ] && [ -x %{_bindir}/systemctl ]; then \

+ +if [ $1 -ge 1 ] && command -v systemctl >/dev/null; then \

+      # Package upgrade, not uninstall \

+      for unit in %{?*}; do \

+ -         %{_bindir}/systemctl set-property $unit Markers=+needs-restart || : \

+ +        systemctl set-property $unit Markers=+needs-restart || : \

+      done \

+  fi \

+  %{nil}

+ @@ -105,17 +105,17 @@ fi \

+  # Deprecated. Use %tmpfiles_create_package instead

+  %tmpfiles_create() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# tmpfiles_create}} \

+ -[ -x %{_bindir}/systemd-tmpfiles ] && %{_bindir}/systemd-tmpfiles --create %{?*} || : \

+ +command -v systemd-tmpfiles >/dev/null && systemd-tmpfiles --create %{?*} || : \

+  %{nil}

+  

+  # Deprecated. Use %sysusers_create_package instead

+  %sysusers_create() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# sysusers_create}} \

+ -[ -x %{_bindir}/systemd-sysusers ] && %{_bindir}/systemd-sysusers %{?*} || : \

+ +command -v systemd-sysusers >/dev/null && systemd-sysusers %{?*} || : \

+  %{nil}

+  

+  %sysusers_create_inline() \

+ -[ -x %{_bindir}/systemd-sysusers ] && %{_bindir}/systemd-sysusers - <<SYSTEMD_INLINE_EOF || : \

+ +command -v systemd-sysusers >/dev/null && systemd-sysusers - <<SYSTEMD_INLINE_EOF || : \

+  %{?*} \

+  SYSTEMD_INLINE_EOF\

+  %{nil}

+ diff --git a/src/rpm/triggers.systemd.in b/src/rpm/triggers.systemd.in

+ index b33d2212e8..247358008a 100644

+ --- a/src/rpm/triggers.systemd.in

+ +++ b/src/rpm/triggers.systemd.in

+ @@ -16,14 +16,14 @@

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))

+ +        assert(posix.execp("systemctl", "daemon-reload"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+  

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/systemctl", "reload-or-restart", "--marked"))

+ +        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ @@ -38,7 +38,7 @@ end

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))

+ +        assert(posix.execp("systemctl", "daemon-reload"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ @@ -49,7 +49,7 @@ end

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/systemctl", "reload-or-restart", "--marked"))

+ +        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ @@ -62,7 +62,7 @@ end

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/systemd-sysusers"))

+ +        assert(posix.execp("systemd-sysusers"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ @@ -74,7 +74,7 @@ end

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/systemd-hwdb", "update"))

+ +        assert(posix.execp("systemd-hwdb", "update"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ @@ -86,7 +86,7 @@ end

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/journalctl", "--update-catalog"))

+ +        assert(posix.execp("journalctl", "--update-catalog"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ @@ -111,7 +111,7 @@ end

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/systemd-tmpfiles", "--create"))

+ +        assert(posix.execp("systemd-tmpfiles", "--create"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ @@ -123,7 +123,7 @@ end

+  if posix.access("/run/systemd/system") then

+      pid = posix.fork()

+      if pid == 0 then

+ -        assert(posix.exec("%{_bindir}/udevadm", "control", "--reload"))

+ +        assert(posix.execp("udevadm", "control", "--reload"))

+      elseif pid > 0 then

+          posix.wait(pid)

+      end

+ diff --git a/src/rpm/triggers.systemd.sh.in b/src/rpm/triggers.systemd.sh.in

+ index 22abad9812..1631be18c9 100644

+ --- a/src/rpm/triggers.systemd.sh.in

+ +++ b/src/rpm/triggers.systemd.sh.in

+ @@ -15,8 +15,8 @@

+  # installed, because other cases are covered by the *un scriptlets,

+  # so sometimes we will reload needlessly.

+  if test -d "/run/systemd/system"; then

+ -  %{_bindir}/systemctl daemon-reload || :

+ -  %{_bindir}/systemctl reload-or-restart --marked || :

+ +  systemctl daemon-reload || :

+ +  systemctl reload-or-restart --marked || :

+  fi

+  

+  %transfiletriggerpostun -P 1000100 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
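Review bot: with `%{_bindir}/` removed, `systemctl` is found via PATH, and because every call is followed by `|| :` a lookup failure (exit 127) is indistinguishable from any other ignored error, so the daemon-reload would silently not happen. If that is acceptable, state it in the commit message; in any case keep this sh variant and the lua variant in the same patch resolving the binaries the same way, since the lua file now uses `posix.execp` for the same commands.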

+ @@ -26,13 +26,13 @@ fi

+  # have been installed, but before %postun scripts in packages get

+  # executed.

+  if test -d "/run/systemd/system"; then

+ -  %{_bindir}/systemctl daemon-reload || :

+ +  systemctl daemon-reload || :

+  fi

+  

+  %transfiletriggerpostun -P 10000 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system

+  # We restart remaining services that should be restarted here.

+  if test -d "/run/systemd/system"; then

+ -  %{_bindir}/systemctl reload-or-restart --marked || :

+ +  systemctl reload-or-restart --marked || :

+  fi

+  

+  %transfiletriggerin -P 1000700 -- {{SYSUSERS_DIR}}

+ @@ -40,21 +40,21 @@ fi

+  # specified users automatically. The priority is set such that it

+  # will run before the tmpfiles file trigger.

+  if test -d "/run/systemd/system"; then

+ -  %{_bindir}/systemd-sysusers || :

+ +  systemd-sysusers || :

+  fi

+  

+  %transfiletriggerin -P 1000700 udev -- {{UDEV_HWDB_DIR}}

+  # This script will automatically invoke hwdb update if files have been

+  # installed or updated in {{UDEV_HWDB_DIR}}.

+  if test -d "/run/systemd/system"; then

+ -  %{_bindir}/systemd-hwdb update || :

+ +  systemd-hwdb update || :

+  fi

+  

+  %transfiletriggerin -P 1000700 -- {{SYSTEMD_CATALOG_DIR}}

+  # This script will automatically invoke journal catalog update if files

+  # have been installed or updated in {{SYSTEMD_CATALOG_DIR}}.

+  if test -d "/run/systemd/system"; then

+ -  %{_bindir}/journalctl --update-catalog || :

+ +  journalctl --update-catalog || :

+  fi

+  

+  %transfiletriggerin -P 1000700 -- {{BINFMT_DIR}}

+ @@ -71,14 +71,14 @@ fi

+  # tmpfiles automatically. The priority is set such that it will run

+  # after the sysusers file trigger, but before any other triggers.

+  if test -d "/run/systemd/system"; then

+ -  %{_bindir}/systemd-tmpfiles --create || :

+ +  systemd-tmpfiles --create || :

+  fi

+  

+  %transfiletriggerin -P 1000600 udev -- {{UDEV_RULES_DIR}}

+  # This script will automatically update udev with new rules if files

+  # have been installed or updated in {{UDEV_RULES_DIR}}.

+  if test -e /run/udev/control; then

+ -  %{_bindir}/udevadm control --reload || :

+ +  udevadm control --reload || :

+  fi

+  

+  %transfiletriggerin -P 1000500 -- {{SYSCTL_DIR}}

+ -- 

+ 2.31.1

+ 

@@ -0,0 +1,30 @@ 

+ From 0c21535392bf6296d213c35fd1a0b0bc89dbddb3 Mon Sep 17 00:00:00 2001

+ From: Anita Zhang <the.anitazha@gmail.com>

+ Date: Wed, 31 Mar 2021 14:04:09 -0700

+ Subject: [PATCH] sysv-generator: downgrade log warning about autogenerated to

+  debug

+ 

+ ---

+  src/sysv-generator/sysv-generator.c | 6 +++---

+  1 file changed, 3 insertions(+), 3 deletions(-)

+ 

+ diff --git a/src/sysv-generator/sysv-generator.c b/src/sysv-generator/sysv-generator.c

+ index 8c7aef23c3..89599a69ee 100644

+ --- a/src/sysv-generator/sysv-generator.c

+ +++ b/src/sysv-generator/sysv-generator.c

+ @@ -786,9 +786,9 @@ static int enumerate_sysv(const LookupPaths *lp, Hashmap *all_services) {

+                          if (!fpath)

+                                  return log_oom();

+ 

+ -                        log_warning("SysV service '%s' lacks a native systemd unit file. "

+ -                                    "Automatically generating a unit file for compatibility. "

+ -                                    "Please update package to include a native systemd unit file, in order to make it more safe and robust.", fpath);

+ +                        log_debug("SysV service '%s' lacks a native systemd unit file. "

+ +                                  "Automatically generating a unit file for compatibility. "

+ +                                  "Please update package to include a native systemd unit file, in order to make it more safe and robust.", fpath);

+ 

+                          service = new(SysvStub, 1);

+                          if (!service)
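Review bot: lowering this message from `log_warning` to `log_debug` hides, at default log levels, the only signal that a SysV init script is being run through an auto-generated unit, and the message text itself explains why that matters ("in order to make it more safe and robust"). The commit has no body giving the reason this branch wants it quiet; if the goal is to stop noise from a known set of legacy packages, `log_info` would keep the message visible in the journal without promoting it to a warning, and either way the rationale belongs in the commit message.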

+ --

+ 2.30.2

+ 

@@ -1,46 +0,0 @@ 

- From 8cad57ed62a642515670ba79dddb30193456e803 Mon Sep 17 00:00:00 2001

- From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

- Date: Fri, 7 Aug 2020 18:54:37 +0200

- Subject: [PATCH] test-acl-util: output more debug info

- 

- For some reason this failed in koji build on s390x:

- --- command ---

- 16:12:46 PATH='/builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin' SYSTEMD_LANGUAGE_FALLBACK_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/kbd-model-map' /builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu/test-acl-util

- --- stdout ---

- -rw-r-----. 1 mockbuild mock 0 Aug  7 16:12 /tmp/test-empty.7RzmEc

- other::---

- --- stderr ---

- Assertion 'r >= 0' failed at src/test/test-acl-util.c:42, function test_add_acls_for_user(). Aborting.

- ---

-  src/test/test-acl-util.c | 4 ++++

-  1 file changed, 4 insertions(+)

- 

- diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c

- index df879747f5..9f0e594e67 100644

- --- a/src/test/test-acl-util.c

- +++ b/src/test/test-acl-util.c

- @@ -7,6 +7,7 @@

-  

-  #include "acl-util.h"

-  #include "fd-util.h"

- +#include "format-util.h"

-  #include "string-util.h"

-  #include "tmpfile-util.h"

-  #include "user-util.h"

- @@ -18,6 +19,8 @@ static void test_add_acls_for_user(void) {

-          uid_t uid;

-          int r;

-  

- +        log_info("/* %s */", __func__);

- +

-          fd = mkostemp_safe(fn);

-          assert_se(fd >= 0);

-  

- @@ -39,6 +42,7 @@ static void test_add_acls_for_user(void) {

-                  uid = getuid();

-  

-          r = add_acls_for_user(fd, uid);

- +        log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid);

-          assert_se(r >= 0);

-  

-          cmd = strjoina("ls -l ", fn);
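Review bot: this removal drops the patch that added the `log_info_errno` line around `add_acls_for_user()`, which was the only diagnostic for the s390x failure quoted in its commit message. Dropping it is fine if the new base either carries the fix or the failure no longer reproduces, but the PR description should say which; otherwise the next s390x build failure comes back without this context.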

@@ -1,124 +0,0 @@ 

- From b554f941a8f275124508794b0b83f0554c7b84dc Mon Sep 17 00:00:00 2001

- From: Anita Zhang <the.anitazha@gmail.com>

- Date: Thu, 22 Oct 2020 22:44:22 -0700

- Subject: [PATCH 2/3] core: clean up inactive/failed {service|scope}'s cgroups

-  when the last process exits

- 

- If processes remain in the unit's cgroup after the final SIGKILL is

- sent and the unit has exceeded stop timeout, don't release the unit's

- cgroup information. Pid1 will have failed to `rmdir` the cgroup path due

- to processes remaining in the cgroup and releasing would leave the cgroup

- path on the file system with no tracking for pid1 to clean it up.

- 

- Instead, keep the information around until the last process exits and pid1

- sends the cgroup empty notification. The service/scope can then prune

- the cgroup if the unit is inactive/failed.

- ---

-  src/core/cgroup.c  | 26 +++++++++++++++++++++++++-

-  src/core/cgroup.h  |  6 +++++-

-  src/core/scope.c   |  5 +++++

-  src/core/service.c |  7 +++++++

-  4 files changed, 42 insertions(+), 2 deletions(-)

- 

- diff --git a/src/core/cgroup.c b/src/core/cgroup.c

- index 031b28a684..bce5f44e78 100644

- --- a/src/core/cgroup.c

- +++ b/src/core/cgroup.c

- @@ -2414,6 +2414,29 @@ void unit_release_cgroup(Unit *u) {

-          }

-  }

-  

- +bool unit_maybe_release_cgroup(Unit *u) {

- +        int r;

- +

- +        assert(u);

- +

- +        if (!u->cgroup_path)

- +                return true;

- +

- +        /* Don't release the cgroup if there are still processes under it. If we get notified later when all the

- +         * processes exit (e.g. the processes were in D-state and exited after the unit was marked as failed)

- +         * we need the cgroup paths to continue to be tracked by the manager so they can be looked up and cleaned

- +         * up later. */

- +        r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path);

- +        if (r < 0)

- +                log_unit_debug_errno(u, r, "Error checking if the cgroup is recursively empty, ignoring: %m");

- +        else if (r == 1) {

- +                unit_release_cgroup(u);

- +                return true;

- +        }

- +

- +        return false;

- +}

- +

-  void unit_prune_cgroup(Unit *u) {

-          int r;

-          bool is_root_slice;

- @@ -2441,7 +2464,8 @@ void unit_prune_cgroup(Unit *u) {

-          if (is_root_slice)

-                  return;

-  

- -        unit_release_cgroup(u);

- +        if (!unit_maybe_release_cgroup(u)) /* Returns true if the cgroup was released */

- +                return;

-  

-          u->cgroup_realized = false;

-          u->cgroup_realized_mask = 0;

- diff --git a/src/core/cgroup.h b/src/core/cgroup.h

- index 52d028e740..be6856c20c 100644

- --- a/src/core/cgroup.h

- +++ b/src/core/cgroup.h

- @@ -220,11 +220,15 @@ int unit_set_cgroup_path(Unit *u, const char *path);

-  int unit_pick_cgroup_path(Unit *u);

-  

-  int unit_realize_cgroup(Unit *u);

- -void unit_release_cgroup(Unit *u);

-  void unit_prune_cgroup(Unit *u);

-  int unit_watch_cgroup(Unit *u);

-  int unit_watch_cgroup_memory(Unit *u);

-  

- +void unit_release_cgroup(Unit *u);

- +/* Releases the cgroup only if it is recursively empty.

- + * Returns true if the cgroup was released, false otherwise. */

- +bool unit_maybe_release_cgroup(Unit *u);

- +

-  void unit_add_to_cgroup_empty_queue(Unit *u);

-  int unit_check_oom(Unit *u);

-  

- diff --git a/src/core/scope.c b/src/core/scope.c

- index 42c51b0865..ffee783a4c 100644

- --- a/src/core/scope.c

- +++ b/src/core/scope.c

- @@ -487,6 +487,11 @@ static void scope_notify_cgroup_empty_event(Unit *u) {

-  

-          if (IN_SET(s->state, SCOPE_RUNNING, SCOPE_ABANDONED, SCOPE_STOP_SIGTERM, SCOPE_STOP_SIGKILL))

-                  scope_enter_dead(s, SCOPE_SUCCESS);

- +

- +        /* If the cgroup empty notification comes when the unit is not active, we must have failed to clean

- +         * up the cgroup earlier and should do it now. */

- +        if (IN_SET(s->state, SCOPE_DEAD, SCOPE_FAILED))

- +                unit_prune_cgroup(u);

-  }

-  

-  static void scope_sigchld_event(Unit *u, pid_t pid, int code, int status) {

- diff --git a/src/core/service.c b/src/core/service.c

- index 00e61945ba..db8f596ca6 100644

- --- a/src/core/service.c

- +++ b/src/core/service.c

- @@ -3334,6 +3334,13 @@ static void service_notify_cgroup_empty_event(Unit *u) {

-  

-                  break;

-  

- +        /* If the cgroup empty notification comes when the unit is not active, we must have failed to clean

- +         * up the cgroup earlier and should do it now. */

- +        case SERVICE_DEAD:

- +        case SERVICE_FAILED:

- +                unit_prune_cgroup(u);

- +                break;

- +

-          default:

-                  ;

-          }

- -- 

- 2.24.1

- 
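Review bot: unlike the test-only patches removed in this PR, this one changes runtime behaviour of pid1 (keeping cgroup tracking for dead/failed units until the cgroup-empty notification and then calling `unit_prune_cgroup` from the SCOPE_DEAD/SCOPE_FAILED and SERVICE_DEAD/SERVICE_FAILED paths). Removing it is only safe if equivalent logic is present in the new base; please reference the upstream commit in the PR description, since nothing on this page indicates whether this is a drop or a rebase onto an upstream merge.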

@@ -0,0 +1,337 @@ 

+ From 09e8c6aa71ee4b5ff3ee85fc4855e2c1a246a079 Mon Sep 17 00:00:00 2001

+ From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

+ Date: Thu, 22 Jul 2021 11:22:33 +0200

+ Subject: [PATCH 2/5] rpm: use a helper script to actually invoke systemctl

+  commands

+ MIME-Version: 1.0

+ Content-Type: text/plain; charset=UTF-8

+ Content-Transfer-Encoding: 8bit

+ 

+ Instead of embedding the commands to invoke directly in the macros,

+ let's use a helper script as indirection. This has a couple of advantages:

+ 

+ - the macro language is awkward, we need to suffix most commands by "|| :"

+   and "\", which is easy to get wrong. In the new scheme, the macro becomes

+   a single simple command.

+ - in the script we can use normal syntax highlighting, shellcheck, etc.

+ - it's also easier to test the invoked commands by invoking the helper

+   manually.

+ - most importantly, the logic is contained in the helper, i.e. we can

+   update systemd rpm and everything uses the new helper. Before, we would

+   have to rebuild all packages to update the macro definition.

+ 

+ This raises the question whether it makes sense to use the lua scriptlets when

+ the real work is done in a bash script. I think it's OK: we still have the

+ efficient lua scripts that do the short scripts, and we use a single shared

+ implementation in bash to do the more complex stuff.

+ 

+ The meson version is raised to 0.47 because that's needed for install_mode.

+ We were planning to raise the required version anyway…

+ 

+ (cherry picked from commit 6d825ab2d42d3219e49a192bf99f9c09134a0df4)

+ ---

+  README                           |  2 +-

+  meson.build                      |  3 +-

+  src/rpm/macros.systemd.in        | 30 ++++++++--------

+  src/rpm/meson.build              | 13 ++++---

+  src/rpm/systemd-update-helper.in | 60 ++++++++++++++++++++++++++++++++

+  src/rpm/triggers.systemd.in      | 43 ++++++++---------------

+  src/rpm/triggers.systemd.sh.in   | 13 ++-----

+  7 files changed, 105 insertions(+), 59 deletions(-)

+  create mode 100755 src/rpm/systemd-update-helper.in

+ 

+ diff --git a/README b/README

+ index 0e5c326deb..a8f23a0d5b 100644

+ --- a/README

+ +++ b/README

+ @@ -193,7 +193,7 @@ REQUIREMENTS:

+          python-jinja2

+          python-lxml (optional, required to build the indices)

+          python >= 3.5

+ -        meson >= 0.46 (>= 0.49 is required to build position-independent executables)

+ +        meson >= 0.47 (>= 0.49 is required to build position-independent executables)

+          ninja

+          gcc, awk, sed, grep, and similar tools

+          clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs

+ diff --git a/meson.build b/meson.build

+ index 738879eb21..fb986e84f7 100644

+ --- a/meson.build

+ +++ b/meson.build

+ @@ -10,7 +10,7 @@ project('systemd', 'c',

+                  'localstatedir=/var',

+                  'warning_level=2',

+          ],

+ -        meson_version : '>= 0.46',

+ +        meson_version : '>= 0.47',

+         )

+  

+  libsystemd_version = '0.32.0'

+ @@ -253,6 +253,7 @@ conf.set_quoted('SYSTEMD_SHUTDOWN_BINARY_PATH',               join_paths(rootlib

+  conf.set_quoted('SYSTEMD_STDIO_BRIDGE_BINARY_PATH',           join_paths(bindir, 'systemd-stdio-bridge'))

+  conf.set_quoted('SYSTEMD_TEST_DATA',                          join_paths(testsdir, 'testdata'))

+  conf.set_quoted('SYSTEMD_TTY_ASK_PASSWORD_AGENT_BINARY_PATH', join_paths(rootbindir, 'systemd-tty-ask-password-agent'))

+ +conf.set_quoted('SYSTEMD_UPDATE_HELPER_PATH',                 join_paths(rootlibexecdir, 'systemd-update-helper'))

+  conf.set_quoted('SYSTEMD_USERWORK_PATH',                      join_paths(rootlibexecdir, 'systemd-userwork'))

+  conf.set_quoted('SYSTEMD_VERITYSETUP_PATH',                   join_paths(rootlibexecdir, 'systemd-veritysetup'))

+  conf.set_quoted('SYSTEM_CONFIG_UNIT_DIR',                     join_paths(pkgsysconfdir, 'system'))

+ diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in

+ index 3129ab2d61..bbdf036da7 100644

+ --- a/src/rpm/macros.systemd.in

+ +++ b/src/rpm/macros.systemd.in

+ @@ -46,31 +46,33 @@ OrderWithRequires(postun): systemd \

+  

+  %systemd_post() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_post}} \

+ -if [ $1 -eq 1 ] && command -v systemctl >/dev/null; then \

+ +if [ $1 -eq 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \

+      # Initial installation \

+ -    systemctl --no-reload preset %{?*} || : \

+ +    {{SYSTEMD_UPDATE_HELPER_PATH}} install-system-units %{?*} || : \

+  fi \

+  %{nil}

+  

+ -%systemd_user_post() %{expand:%systemd_post \\--global %%{?*}}

+ +%systemd_user_post() \

+ +%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_post}} \

+ +if [ $1 -eq 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \

+ +    # Initial installation \

+ +    {{SYSTEMD_UPDATE_HELPER_PATH}} install-user-units %{?*} || : \

+ +fi \

+ +%{nil}

+  

+  %systemd_preun() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_preun}} \

+ -if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \

+ +if [ $1 -eq 0 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \

+      # Package removal, not upgrade \

+ -    if [ -d /run/systemd/system ]; then \

+ -          systemctl --no-reload disable --now %{?*} || : \

+ -    else \

+ -          systemctl --no-reload disable %{?*} || : \

+ -    fi \

+ +    {{SYSTEMD_UPDATE_HELPER_PATH}} remove-system-units %{?*} || : \

+  fi \

+  %{nil}

+  

+  %systemd_user_preun() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_preun}} \

+ -if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \

+ +if [ $1 -eq 0 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \

+      # Package removal, not upgrade \

+ -    systemctl --global disable %{?*} || : \

+ +    {{SYSTEMD_UPDATE_HELPER_PATH}} remove-user-units %{?*} || : \

+  fi \

+  %{nil}

+  
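Review bot: replacing `command -v systemctl` with `[ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]` turns every `%systemd_post`, `%systemd_user_post`, `%systemd_preun` and `%systemd_user_preun` into a silent no-op on any system where the helper is absent. Since src/rpm/meson.build in this patch installs the helper into `rootlibexecdir` only when `rpmmacrosdir != 'no'`, make sure the spec's %files actually ships `systemd-update-helper`, and consider expressing the dependency in the `OrderWithRequires(postun): systemd` block shown in the hunk context, so consumer packages built against these macros cannot land on a systemd without the helper.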

+ @@ -84,11 +86,9 @@ fi \

+  

+  %systemd_postun_with_restart() \

+  %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \

+ -if [ $1 -ge 1 ] && command -v systemctl >/dev/null; then \

+ +if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \

+      # Package upgrade, not uninstall \

+ -    for unit in %{?*}; do \

+ -        systemctl set-property $unit Markers=+needs-restart || : \

+ -    done \

+ +    {{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-system-units %{?*} || : \

+  fi \

+  %{nil}

+  
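Review bot: the `mark-restart-system-units` verb this hunk delegates to adds a `[ -d /run/systemd/system ] || exit 0` guard that the removed inline loop (`for unit in %{?*}; do systemctl set-property ...`) never had, so `set-property` is no longer attempted in chroots or containers without a running manager. That is an improvement, but it is a behaviour change and deserves a sentence in the commit message.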

+ diff --git a/src/rpm/meson.build b/src/rpm/meson.build

+ index fc72fee73c..2ad3308cc1 100644

+ --- a/src/rpm/meson.build

+ +++ b/src/rpm/meson.build

+ @@ -1,9 +1,13 @@

+  # SPDX-License-Identifier: LGPL-2.1-or-later

+  

+  in_files = [

+ -        ['macros.systemd',      rpmmacrosdir != 'no'],

+ -        ['triggers.systemd',    false],

+ -        ['triggers.systemd.sh', false]]

+ +        ['macros.systemd',        rpmmacrosdir != 'no', rpmmacrosdir],

+ +

+ +        # we conditionalize on rpmmacrosdir, but install into rootlibexecdir

+ +        ['systemd-update-helper', rpmmacrosdir != 'no', rootlibexecdir, 'rwxr-xr-x'],

+ +

+ +        ['triggers.systemd',      false],

+ +        ['triggers.systemd.sh',   false]]

+  

+  # The last two don't get installed anywhere, one of them needs to included in

+  # the rpm spec file definition instead.

+ @@ -17,6 +21,7 @@ foreach tuple : in_files

+                  command : [meson_render_jinja2, config_h, '@INPUT@'],

+                  capture : true,

+                  install : tuple[1],

+ -                install_dir : rpmmacrosdir,

+ +                install_dir : tuple.length() > 2 ? tuple[2] : '',

+ +                install_mode : tuple.length() > 3 ? tuple[3] : false,

+                  build_by_default : true)

+  endforeach

+ diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in

+ new file mode 100755

+ index 0000000000..9fa49fa131

+ --- /dev/null

+ +++ b/src/rpm/systemd-update-helper.in

+ @@ -0,0 +1,60 @@

+ +#!/bin/bash

+ +set -eu

+ +set -o pipefail

+ +

+ +command="${1:?}"

+ +shift

+ +

+ +command -v systemctl >/dev/null || exit 0

+ +

+ +case "$command" in

+ +    install-system-units)

+ +        systemctl --no-reload preset "$@"

+ +        ;;

+ +

+ +    install-user-units)

+ +        systemctl --no-reload preset --global "$@"

+ +        ;;

+ +

+ +    remove-system-units)

+ +        if [ -d /run/systemd/system ]; then

+ +            systemctl --no-reload disable --now "$@"

+ +        else

+ +            systemctl --no-reload disable "$@"

+ +        fi

+ +        ;;

+ +

+ +    remove-user-units)

+ +        systemctl --global disable "$@"

+ +        ;;

+ +

+ +    mark-restart-system-units)

+ +        [ -d /run/systemd/system ] || exit 0

+ +

+ +        for unit in "$@"; do

+ +            systemctl set-property "$unit" Markers=+needs-restart || :

+ +        done

+ +        ;;

+ +

+ +    system-reload-restart|system-reload|system-restart)

+ +        if [ -n "$*" ]; then

+ +            echo "Unexpected arguments for '$command': $*"

+ +            exit 2

+ +        fi

+ +

+ +        [ -d /run/systemd/system ] || exit 0

+ +

+ +        if [[ "$command" =~ reload ]]; then

+ +            systemctl daemon-reload

+ +        fi

+ +

+ +        if [[ "$command" =~ restart ]]; then

+ +            systemctl reload-or-restart --marked

+ +        fi

+ +        ;;

+ +

+ +    *)

+ +        echo "Unknown verb '$command'"

+ +        exit 3

+ +        ;;

+ +esac
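Review bot: `command="${1:?}"` at the top of the script reuses the name of the `command` builtin that is invoked a few lines later (`command -v systemctl >/dev/null || exit 0`); bash keeps variables and commands in separate namespaces so it works, but it reads as if the builtin were being overwritten. Rename it to `verb`, which is also what the `*)` branch calls it ("Unknown verb"). A short header comment would also help callers: the `system-*` verbs reject arguments with exit 2, `mark-restart-system-units` tolerates per-unit `set-property` failures via `|| :`, and only the install/remove verbs propagate `systemctl` failures through `set -e`.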

+ diff --git a/src/rpm/triggers.systemd.in b/src/rpm/triggers.systemd.in

+ index 247358008a..d29cc33dfd 100644

+ --- a/src/rpm/triggers.systemd.in

+ +++ b/src/rpm/triggers.systemd.in

+ @@ -13,20 +13,11 @@

+  -- upgraded. We care about the case where a package is initially

+  -- installed, because other cases are covered by the *un scriptlets,

+  -- so sometimes we will reload needlessly.

+ -if posix.access("/run/systemd/system") then

+ -    pid = posix.fork()

+ -    if pid == 0 then

+ -        assert(posix.execp("systemctl", "daemon-reload"))

+ -    elseif pid > 0 then

+ -        posix.wait(pid)

+ -    end

+ -

+ -    pid = posix.fork()

+ -    if pid == 0 then

+ -        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))

+ -    elseif pid > 0 then

+ -        posix.wait(pid)

+ -    end

+ +pid = posix.fork()

+ +if pid == 0 then

+ +    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-reload-restart"))

+ +elseif pid > 0 then

+ +    posix.wait(pid)

+  end

+  

+  %transfiletriggerpostun -P 1000100 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
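Review bot: with the `posix.access("/run/systemd/system")` guard moved into the helper, the fork is now unconditional, which makes two pre-existing gaps in this pattern more visible: a negative return from `posix.fork()` matches neither `pid == 0` nor `pid > 0` and is silently ignored, and if `posix.exec` fails the `assert` raises inside the forked child, which is a copy of the rpm process and continues running the transaction from there. Where the target rpm provides `rpm.execute()`, prefer it over the fork/exec/wait pattern; otherwise add an `else` branch that reports the fork failure and make sure the child cannot fall through after a failed exec.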

+ @@ -35,24 +26,20 @@ end

+  -- On upgrade, we need to run daemon-reload after any new unit files

+  -- have been installed, but before %postun scripts in packages get

+  -- executed.

+ -if posix.access("/run/systemd/system") then

+ -    pid = posix.fork()

+ -    if pid == 0 then

+ -        assert(posix.execp("systemctl", "daemon-reload"))

+ -    elseif pid > 0 then

+ -        posix.wait(pid)

+ -    end

+ +pid = posix.fork()

+ +if pid == 0 then

+ +    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-reload"))

+ +elseif pid > 0 then

+ +    posix.wait(pid)

+  end

+  

+  %transfiletriggerpostun -P 10000 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system

+  -- We restart remaining services that should be restarted here.

+ -if posix.access("/run/systemd/system") then

+ -    pid = posix.fork()

+ -    if pid == 0 then

+ -        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))

+ -    elseif pid > 0 then

+ -        posix.wait(pid)

+ -    end

+ +pid = posix.fork()

+ +if pid == 0 then

+ +    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-restart"))

+ +elseif pid > 0 then

+ +    posix.wait(pid)

+  end

+  

+  %transfiletriggerin -P 100700 -p <lua> -- {{SYSUSERS_DIR}}

+ diff --git a/src/rpm/triggers.systemd.sh.in b/src/rpm/triggers.systemd.sh.in

+ index 1631be18c9..83cd7617f8 100644

+ --- a/src/rpm/triggers.systemd.sh.in

+ +++ b/src/rpm/triggers.systemd.sh.in

+ @@ -14,10 +14,7 @@

+  # upgraded. We care about the case where a package is initially

+  # installed, because other cases are covered by the *un scriptlets,

+  # so sometimes we will reload needlessly.

+ -if test -d "/run/systemd/system"; then

+ -  systemctl daemon-reload || :

+ -  systemctl reload-or-restart --marked || :

+ -fi

+ +{{SYSTEMD_UPDATE_HELPER_PATH}} system-reload-restart || :

+  

+  %transfiletriggerpostun -P 1000100 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system

+  # On removal, we need to run daemon-reload after any units have been

+ @@ -25,15 +22,11 @@ fi

+  # On upgrade, we need to run daemon-reload after any new unit files

+  # have been installed, but before %postun scripts in packages get

+  # executed.

+ -if test -d "/run/systemd/system"; then

+ -  systemctl daemon-reload || :

+ -fi

+ +{{SYSTEMD_UPDATE_HELPER_PATH}} system-reload || :

+  

+  %transfiletriggerpostun -P 10000 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system

+  # We restart remaining services that should be restarted here.

+ -if test -d "/run/systemd/system"; then

+ -  systemctl reload-or-restart --marked || :

+ -fi

+ +{{SYSTEMD_UPDATE_HELPER_PATH}} system-restart || :

+  

+  %transfiletriggerin -P 1000700 -- {{SYSUSERS_DIR}}

+  # This script will process files installed in {{SYSUSERS_DIR}} to create

+ -- 

+ 2.31.1

+ 

@@ -1,53 +0,0 @@ 

- From a2deeaeaa90d493ef8a2b20656745cd0531a1b30 Mon Sep 17 00:00:00 2001

- From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

- Date: Fri, 31 Jul 2020 10:36:57 +0200

- Subject: [PATCH 2/2] test-path: do not fail the test if we fail to start some

-  service

- 

- The test was failing because it couldn't start the service:

- 

- path-modified.service: state = failed; result = exit-code

- path-modified.path: state = waiting; result = success

- path-modified.service: state = failed; result = exit-code

- path-modified.path: state = waiting; result = success

- path-modified.service: state = failed; result = exit-code

- path-modified.path: state = waiting; result = success

- path-modified.service: state = failed; result = exit-code

- path-modified.path: state = waiting; result = success

- path-modified.service: state = failed; result = exit-code

- path-modified.path: state = waiting; result = success

- path-modified.service: state = failed; result = exit-code

- Failed to connect to system bus: No such file or directory

- -.slice: Failed to enable/disable controllers on cgroup /system.slice/kojid.service, ignoring: Permission denied

- path-modified.service: Failed to create cgroup /system.slice/kojid.service/path-modified.service: Permission denied

- path-modified.service: Failed to attach to cgroup /system.slice/kojid.service/path-modified.service: No such file or directory

- path-modified.service: Failed at step CGROUP spawning /bin/true: No such file or directory

- path-modified.service: Main process exited, code=exited, status=219/CGROUP

- path-modified.service: Failed with result 'exit-code'.

- Test timeout when testing path-modified.path

- 

- Let's just ignore the failure here. Services can occasionally fail to start,

- there's not much we can do in that case.

- ---

-  src/test/test-path.c | 8 ++++++++

-  1 file changed, 8 insertions(+)

- 

- diff --git a/src/test/test-path.c b/src/test/test-path.c

- index 63b709c8da..6c0db53f10 100644

- --- a/src/test/test-path.c

- +++ b/src/test/test-path.c

- @@ -98,6 +98,14 @@ static void check_states(Manager *m, Path *path, Service *service, PathState pat

-                                  service_state_to_string(service->state),

-                                  service_result_to_string(service->result));

-  

- +                if (service->state == SERVICE_FAILED) {

- +                        log_warning("Failed to start service %s, ignoring: %s/%s",

- +                                    UNIT(service)->id,

- +                                    service_state_to_string(service->state),

- +                                    service_result_to_string(service->result));

- +                        break;

- +                }