26 files changed, 60 insertions, 60 deletions
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml index 020f763852..d68d26fa55 100644 --- a/.github/workflows/mkosi.yml +++ b/.github/workflows/mkosi.yml @@ -59,40 +59,47 @@ jobs: sanitizers: "" llvm: 0 cflags: "-O2 -D_FORTIFY_SOURCE=3" + relabel: no - distro: debian release: testing sanitizers: "" llvm: 0 cflags: "-Og" + relabel: no - distro: ubuntu release: noble sanitizers: "" llvm: 0 cflags: "-Og" + relabel: no - distro: fedora release: "40" sanitizers: "" llvm: 0 cflags: "-Og" + relabel: yes - distro: fedora release: rawhide sanitizers: address,undefined llvm: 1 cflags: "-Og" + relabel: yes - distro: opensuse release: tumbleweed sanitizers: "" llvm: 0 cflags: "-Og" + relabel: no - distro: centos release: "9" sanitizers: "" llvm: 0 cflags: "-Og" + relabel: yes steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: systemd/mkosi@6b66aa9096948e0bc38154333687584e0351f450 + - uses: systemd/mkosi@4681dd733a925cd048d0301af26221bce0c95eed # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space # immediately, we remove the files in the background. However, we first move them to a different location @@ -142,6 +149,8 @@ jobs: LLVM=${{ matrix.llvm }} SYSEXT=1 + SELinuxRelabel=${{ matrix.relabel }} + [Host] QemuMem=4G # We build with debuginfo so there's no point in mounting the sources into the machine. @@ -188,7 +197,7 @@ jobs: -Dvmspawn=enabled - name: Build image - run: meson compile -C build mkosi + run: sudo meson compile -C build mkosi - name: Run integration tests run: sudo --preserve-env meson test -C build --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit --num-processes "$(($(nproc) - 1))" diff --git a/mkosi.conf b/mkosi.conf index 907d69e0aa..b47b30c98b 100644 --- a/mkosi.conf +++ b/mkosi.conf 
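Review bot: Nothing next to `run: sudo meson compile -C build mkosi` says why the image build now needs root, and it runs as root for every matrix entry, including those with `relabel: no`. Presumably root is only needed for build-time SELinux relabeling (the comment this commit removes from 10-selinux.conf says labeling without root only works when the labels exist on the host). If so, a comment such as `# Building with SELinuxRelabel=yes needs root to apply labels the host policy may not know.` keeps the privilege tied to its reason. Everything this step writes under build/ will be root-owned, so later steps that touch that directory have to keep using sudo.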
@@ -11,7 +11,6 @@ BuildDirectory=build/mkosi.builddir CacheDirectory=build/mkosi.cache [Content] -SELinuxRelabel=no BuildSourcesEphemeral=yes Autologin=yes @@ -24,6 +23,10 @@ ExtraTrees= Environment= SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=%F +# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time +# and results in lots of errors when building images as a regular user. +SELinuxRelabel=no + # Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in # various scenarios. Consider adding support for a credential instead if possible and using that. KernelCommandLine=systemd.crash_shell diff --git a/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.conf.d/10-arch/mkosi.conf index 96ae8c88b1..d9f75c65d3 100644 --- a/mkosi.conf.d/10-arch/mkosi.conf +++ b/mkosi.conf.d/10-arch/mkosi.conf @@ -37,8 +37,8 @@ Packages= linux man-db multipath-tools + nmap open-iscsi - openbsd-netcat openssh openssl pacman @@ -54,7 +54,7 @@ Packages= shadow softhsm squashfs-tools - stress + stress-ng tgt tpm2-tools tpm2-tss diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.conf.d/10-centos-fedora/mkosi.conf index f200409d6f..4c6109a544 100644 --- a/mkosi.conf.d/10-centos-fedora/mkosi.conf +++ b/mkosi.conf.d/10-centos-fedora/mkosi.conf @@ -45,7 +45,7 @@ Packages= libcap-ng-utils libubsan man-db - netcat + nmap-ncat openssh-clients openssh-server pam @@ -62,7 +62,7 @@ Packages= sbsigntools softhsm squashfs-tools - stress + stress-ng tpm2-tools util-linux veritysetup diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf index 9fe5509695..0a388f3c08 100644 --- a/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf +++ b/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf 
@@ -1,20 +1,13 @@ # SPDX-License-Identifier: LGPL-2.1-or-later +# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're +# building a /usr-only image. + [Match] Profile=!particle [Content] -# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're -# building a /usr-only image. Packages= selinux-policy selinux-policy-targeted setools-console - -# We relabel on first boot instead of at build time because it is only possible to label without root -# if the labels exist in the host system, and we want to be able to cross-build to other distributions. -SELinuxRelabel=no - -InitrdPackages= - selinux-policy - selinux-policy-targeted diff --git a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf index 5f9e3843e3..07bf95cee7 100644 --- a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf +++ b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf @@ -65,7 +65,7 @@ Packages= locales man-db multipath-tools - netcat-openbsd + ncat open-iscsi openssh-client openssh-server @@ -78,7 +78,7 @@ Packages= quota softhsm2 squashfs-tools - stress + stress-ng tgt tpm2-tools tzdata diff --git a/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.conf.d/10-opensuse/mkosi.conf index c5a014f70b..7be269fbb8 100644 --- a/mkosi.conf.d/10-opensuse/mkosi.conf +++ b/mkosi.conf.d/10-opensuse/mkosi.conf @@ -8,13 +8,14 @@ InitrdInclude=initrd/ [Distribution] Release=tumbleweed +Repositories=non-oss PackageManagerTrees=macros.db_backend:/etc/rpm/macros.db_backend [Content] Environment= GIT_URL=https://src.opensuse.org/rpm/systemd GIT_BRANCH=devel - GIT_COMMIT=23bfa9d83b6e24a5395a704b816a351f3dc5b5316e580cacedd1b5d9e068c117 + GIT_COMMIT=8c025c3bdf03539682aafb73d7950324f00cacac51a74d22dd3c5c8ead6fef02 VolatilePackages= systemd @@ -60,6 +61,7 @@ Packages= libkmod2 libubsan1 multipath-tools + ncat open-iscsi openssh-clients openssh-server 
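Review bot: `Repositories=non-oss` in the first hunk of mkosi.conf.d/10-opensuse/mkosi.conf adds a package source for the openSUSE image without a comment saying which package requires it. Presumably it is there for `ncat`, which the next hunk of the same file adds, but that is not visible from the diff. A one-line comment such as `# ncat is only shipped in the non-oss repository` (to be confirmed) would let a later reader drop the extra repository once nothing depends on it.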
@@ -79,6 +81,7 @@ Packages= shadow softhsm squashfs + stress-ng tgt timezone tpm2.0-tools diff --git a/mkosi.extra/.autorelabel b/mkosi.extra/.autorelabel deleted file mode 100644 index e69de29bb2..0000000000 --- a/mkosi.extra/.autorelabel +++ /dev/null diff --git a/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset index c3640585e5..5a15e6bcbb 100644 --- a/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset +++ b/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset @@ -32,10 +32,10 @@ disable auditd.service # systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead. enable systemd-timesyncd.service -# Skipped if selinux is not enabled, required for TEST-06-SELINUX. -enable autorelabel.service - # Enabled by default on OpenSUSE and not conditioned out in containers, so let's disable these here instead. disable iscsi.service disable iscsid.socket disable iscsiuio.socket + +# mkosi relabels the image itself so no need to do it on boot. +disable selinux-autorelabel-mark.service diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf index 9b033975d6..4978ca5cf7 100644 --- a/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf @@ -7,7 +7,7 @@ Distribution=arch Packages= inetutils iproute - openbsd-netcat + nmap RemoveFiles= # Arch Linux doesn't split their gcc-libs package so we manually remove diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf index 3a3e528640..c0a43cba19 100644 --- a/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf @@ -9,4 +9,4 @@ Packages= hostname iproute iproute-tc - netcat + nmap-ncat 
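Review bot: The new comment `# mkosi relabels the image itself so no need to do it on boot.` in 00-mkosi.preset holds only when the image is built with `SELinuxRelabel=yes`, yet mkosi.conf in this same commit keeps `SELinuxRelabel=no` as the default and only the CI matrix overrides it. With `mkosi.extra/.autorelabel` deleted, `enable autorelabel.service` removed, and `systemd.wants=autorelabel.service` dropped from the TEST-06-SELINUX cmdline, an image built with the default appears to have no way left to get labelled. TEST-06-SELINUX would then presumably boot with `selinux=1` on an unlabelled filesystem. Consider wording the comment as `# CI builds with SELinuxRelabel=yes; set it for local builds too before running TEST-06-SELINUX.`, or have the test skip when the image is unlabelled.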
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf index a715ec1f6c..b293926b08 100644 --- a/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf @@ -9,4 +9,4 @@ Packages= hostname iproute2 mount - netcat-openbsd + ncat diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf index 2e370ec04f..c164d32874 100644 --- a/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf @@ -7,5 +7,5 @@ Distribution=opensuse Packages= hostname iproute2 - netcat-openbsd + ncat patterns-base-minimal_base diff --git a/mkosi.postinst.chroot b/mkosi.postinst.chroot index 46868020f6..7f2666e0a4 100755 --- a/mkosi.postinst.chroot +++ b/mkosi.postinst.chroot @@ -32,7 +32,7 @@ done # We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by # systemd-journald. -rm -r "$BUILDROOT/var/log/journal" +rm -rf "$BUILDROOT/var/log/journal" rm -f /etc/nsswitch.conf cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build index 110b65fbd7..ea1a381471 100644 --- a/test/TEST-06-SELINUX/meson.build +++ b/test/TEST-06-SELINUX/meson.build @@ -3,7 +3,7 @@ integration_tests += [ integration_test_template + { 'name' : fs.name(meson.current_source_dir()), - 'cmdline' : integration_test_template['cmdline'] + ['systemd.wants=autorelabel.service', 'selinux=1', 'lsm=selinux'], + 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'], # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. # Use 'auto' to automatically fallback on non-uefi architectures. 'firmware' : 'auto', 
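Review bot: `rm -rf "$BUILDROOT/var/log/journal"` in mkosi.postinst.chroot now succeeds silently when the directory is absent, and would just as silently target `/var/log/journal` if `BUILDROOT` were ever empty. Whether the script runs under `set -u` is not visible in this hunk. Writing it as `rm -rf "${BUILDROOT:?}/var/log/journal"` makes an unset variable a hard failure, in the same style as `${workspace:?}` in test/TEST-55-OOMD/test.sh.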
diff --git a/test/TEST-13-NSPAWN/test.sh b/test/TEST-13-NSPAWN/test.sh index 9a0404f4b0..5c85b0c5dc 100755 --- a/test/TEST-13-NSPAWN/test.sh +++ b/test/TEST-13-NSPAWN/test.sh @@ -32,7 +32,7 @@ test_append_files() { ls \ md5sum \ mountpoint \ - nc \ + ncat \ ps \ seq \ sleep \ diff --git a/test/TEST-55-OOMD/test.sh b/test/TEST-55-OOMD/test.sh index 5e3096315c..3b2f4710b0 100755 --- a/test/TEST-55-OOMD/test.sh +++ b/test/TEST-55-OOMD/test.sh @@ -14,7 +14,7 @@ TEST_NO_NSPAWN=1 test_append_files() { local workspace="${1:?}" - image_install mkswap swapon swapoff stress + image_install mkswap swapon swapoff stress-ng image_install -o btrfs mkdir -p "${workspace:?}/etc/systemd/system/init.scope.d/" diff --git a/test/test-functions b/test/test-functions index 03f188b0a2..e219812e72 100644 --- a/test/test-functions +++ b/test/test-functions @@ -208,7 +208,7 @@ BASICTOOLS=( mount mountpoint mv - nc + ncat nproc ping pkill diff --git a/test/units/TEST-07-PID1.exec-context.sh b/test/units/TEST-07-PID1.exec-context.sh index 69274a5743..0809460955 100755 --- a/test/units/TEST-07-PID1.exec-context.sh +++ b/test/units/TEST-07-PID1.exec-context.sh 
@@ -186,27 +186,27 @@ if ! systemd-detect-virt -cq; then ) # We should fail with EPERM when trying to bind to a socket not on the allow list - # (nc exits with 2 in that case) + # (ncat exits with 2 in that case) systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42' + bash -xec 'timeout 1s ncat -l 127.0.0.1 9999; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -l ::1 9999; exit 42' + bash -xec 'timeout 1s ncat -l ::1 9999; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -6 -u -l ::1 9999; exit 42' + bash -xec 'timeout 1s ncat -6 -u -l ::1 9999; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -4 -l 127.0.0.1 6666; exit 42' + bash -xec 'timeout 1s ncat -4 -l 127.0.0.1 6666; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe -p SocketBindDeny=any \ - bash -xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42' + bash -xec 'timeout 1s ncat -l 127.0.0.1 9999; exit 42' # Consequently, we should succeed when binding to a socket on the allow list # and keep listening on it until we're killed by `timeout` (EC 124) systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -4 -l 127.0.0.1 1234; exit 1' + bash -xec 'timeout 1s ncat -4 -l 127.0.0.1 1234; exit 1' systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -4 -u -l 127.0.0.1 5678; exit 1' + bash -xec 'timeout 1s ncat -4 -u -l 127.0.0.1 5678; exit 1' systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -6 -l ::1 1234; exit 1' + bash -xec 'timeout 1s ncat -6 -l ::1 1234; exit 1' systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -6 -l ::1 6666; exit 1' + bash -xec 'timeout 1s ncat -6 -l ::1 
6666; exit 1' fi losetup -d "$LODEV" diff --git a/test/units/TEST-07-PID1.issue-2467.sh b/test/units/TEST-07-PID1.issue-2467.sh index de0577b978..083a1e723f 100755 --- a/test/units/TEST-07-PID1.issue-2467.sh +++ b/test/units/TEST-07-PID1.issue-2467.sh @@ -8,7 +8,7 @@ set -o pipefail rm -f /tmp/nonexistent systemctl start issue2467.socket -nc -i20 -w20 -U /run/test.ctl || : +ncat -i20 -w20 -U /run/test.ctl || : # TriggerLimitIntervalSec= by default is set to 2s. A "sleep 10" should give # systemd enough time even on slower machines, to reach the trigger limit. diff --git a/test/units/TEST-07-PID1.issue-3171.sh b/test/units/TEST-07-PID1.issue-3171.sh index 374df542b8..e1a4b6479f 100755 --- a/test/units/TEST-07-PID1.issue-3171.sh +++ b/test/units/TEST-07-PID1.issue-3171.sh @@ -30,21 +30,21 @@ EOF systemctl start issue-3171.socket systemctl is-active issue-3171.socket [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] -echo A | nc -w1 -U /run/issue-3171.socket +echo A | ncat -w1 -U /run/issue-3171.socket mv $U ${U}.disabled systemctl daemon-reload systemctl is-active issue-3171.socket [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] -echo B | nc -w1 -U /run/issue-3171.socket && exit 1 +echo B | ncat -w1 -U /run/issue-3171.socket && exit 1 mv ${U}.disabled $U systemctl daemon-reload systemctl is-active issue-3171.socket -echo C | nc -w1 -U /run/issue-3171.socket && exit 1 +echo C | ncat -w1 -U /run/issue-3171.socket && exit 1 [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] systemctl restart issue-3171.socket systemctl is-active issue-3171.socket -echo D | nc -w1 -U /run/issue-3171.socket +echo D | ncat -w1 -U /run/issue-3171.socket [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh index 7901e9877b..c73b49b1a5 100755 --- a/test/units/TEST-13-NSPAWN.nspawn.sh +++ b/test/units/TEST-13-NSPAWN.nspawn.sh 
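Review bot: The deny cases in TEST-07-PID1.exec-context.sh accept `SuccessExitStatus="1 2"`, and the comment `# (ncat exits with 2 in that case)` looks like the old `nc` wording with only the tool name replaced. As I read ncat's documented exit codes, 1 is used for network errors and 2 for other errors such as an invalid option, so the EPERM bind may surface as 1. A run that fails because ncat rejects a flag would also be counted as a successful deny. Please confirm which code ncat returns for the refused bind and narrow both the comment and `SuccessExitStatus=` to it. The enclosing `if ! systemd-detect-virt -cq; then` block starts outside the hunk.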
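Review bot: `-w1` in TEST-07-PID1.issue-3171.sh does not mean to ncat what it meant to OpenBSD `nc`: for `nc` it bounds both connect and idle time, while ncat's `-w` is, as far as I know, only the connect timeout, with idle time governed by `-i`. The `echo B | ncat -w1 -U /run/issue-3171.socket && exit 1` and `echo C | ...` lines depend on the client giving up and on its exit status, so they may block or pass for a different reason under ncat. The same concern applies to `ncat -i20 -w20 -U /run/test.ctl` in TEST-07-PID1.issue-2467.sh, where `-i` was a send interval for `nc`, and to `ncat -U -u -w 1 /run/host/notify` in TEST-13-NSPAWN.nspawn.sh. Each call is worth checking against ncat's manual rather than assuming flag compatibility, and where the one-second bound matters a comment stating the intended timeout would help.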
@@ -702,7 +702,7 @@ EOF testcase_notification_socket() { # https://github.com/systemd/systemd/issues/4944 local root - local cmd='echo a | nc -U -u -w 1 /run/host/notify' + local cmd='echo a | ncat -U -u -w 1 /run/host/notify' root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.check_notification_socket.XXX)" create_dummy_container "$root" diff --git a/test/units/TEST-55-OOMD-testbloat.service b/test/units/TEST-55-OOMD-testbloat.service index ba4f2bc88c..70c87727c8 100644 --- a/test/units/TEST-55-OOMD-testbloat.service +++ b/test/units/TEST-55-OOMD-testbloat.service @@ -3,8 +3,8 @@ Description=Create a lot of memory pressure [Service] -# A VERY small memory.high will cause the 'stress' (trying to use a lot of memory) +# A VERY small memory.high will cause the 'stress-ng' (trying to use a lot of memory) # to throttle and be put under heavy pressure. MemoryHigh=3M Slice=TEST-55-OOMD-workload.slice -ExecStart=stress --timeout 3m --vm 10 --vm-bytes 200M --vm-keep --vm-stride 1 +ExecStart=stress-ng --timeout 3m --vm 10 --vm-bytes 200M --vm-keep diff --git a/test/units/TEST-55-OOMD-testmunch.service b/test/units/TEST-55-OOMD-testmunch.service index 5659906ad1..79bd01838e 100644 --- a/test/units/TEST-55-OOMD-testmunch.service +++ b/test/units/TEST-55-OOMD-testmunch.service @@ -5,4 +5,4 @@ Description=Create some memory pressure [Service] MemoryHigh=12M Slice=TEST-55-OOMD-workload.slice -ExecStart=stress --timeout 3m --vm 10 --vm-bytes 200M --vm-keep --vm-stride 1 +ExecStart=stress-ng --timeout 3m --vm 10 --vm-bytes 200M --vm-keep diff --git a/test/units/TEST-55-OOMD.sh b/test/units/TEST-55-OOMD.sh index b04ebca7e2..944067c541 100755 --- a/test/units/TEST-55-OOMD.sh +++ b/test/units/TEST-55-OOMD.sh 
@@ -6,14 +6,6 @@ set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh -. /etc/os-release -# OpenSUSE does not have the stress tool packaged. It does have stress-ng but the stress-ng does not support -# --vm-stride which this test uses. -if [[ "$ID" =~ "opensuse" ]]; then - echo "Skipping due to missing stress package in OpenSUSE" >>/skipped - exit 77 -fi - systemd-analyze log-level debug # Ensure that the init.scope.d drop-in is applied on boot diff --git a/tools/update-distro-hash.py b/tools/update-distro-hash.py index 16ed2e707a..fd23078aec 100755 --- a/tools/update-distro-hash.py +++ b/tools/update-distro-hash.py @@ -69,7 +69,7 @@ def update_distro(args, distro: str): print(f"+ {shlex.join(cmd)}") changes = subprocess.check_output(cmd, text=True).strip() - conf_dir = Path('mkosi.images/system/mkosi.conf.d') + conf_dir = Path('mkosi.conf.d') files = conf_dir.glob('*/*.conf') for file in files: s = file.read_text() |