Commit log. Each entry: commit message (author, date; files changed, lines -removed/+added), followed by the commit body.
* po: Translated using Weblate (German) (Weblate Translation Memory, 2024-11-05; 1 file, -2/+3)
  Currently translated at 90.9% (230 of 253 strings)
  po: Translated using Weblate (German)
  Currently translated at 89.3% (226 of 253 strings)
  po: Translated using Weblate (German)
  Currently translated at 88.9% (225 of 253 strings)
  po: Translated using Weblate (German)
  Currently translated at 88.1% (223 of 253 strings)
  Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>
  Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
  Translation: systemd/main
* po: Translated using Weblate (German) (Ettore Atalan, 2024-11-05; 1 file, -24/+17)
  Currently translated at 90.9% (230 of 253 strings)
  po: Translated using Weblate (German)
  Currently translated at 89.3% (226 of 253 strings)
  po: Translated using Weblate (German)
  Currently translated at 88.9% (225 of 253 strings)
  po: Translated using Weblate (German)
  Currently translated at 88.1% (223 of 253 strings)
  Co-authored-by: Ettore Atalan <atalanttore@googlemail.com>
  Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
  Translation: systemd/main
* run: handle gracefully if we can't find binary client-side due to perms (Lennart Poettering, 2024-11-05; 1 file, -3/+5)
  Fixes: #35022
* resolved: log error messages for openssl/gnutls context creation (Zbigniew Jędrzejewski-Szmek, 2024-11-05; 2 files, -4/+9)
  In https://bugzilla.redhat.com/show_bug.cgi?id=2322937 we're getting an error message:

    Okt 29 22:21:03 fedora systemd-resolved[29311]: Could not create manager: Cannot allocate memory

  I expect that this actually comes from dnstls_manager_init(), the openssl version. But without real logs it's hard to know for sure. Use EIO instead of ENOMEM, because the problem is unlikely to be actually related to memory.
* network: limit the total number of Encrypted DNS options processed (Ronan Pigott, 2024-11-05; 1 file, -0/+6)
  We need a sensible limit on the number of Encrypted DNS options allowed so that the set of resolvers per link does not grow without bound.

  Fixes: 0c90d1d2f243 ("ndisc: Parse RFC9463 encrypted DNS (DNR) option")
* sd-daemon: some tweaks (#35011) (Luca Boccassi, 2024-11-05; 4 files, -56/+105)
* sd-daemon: add fd array size safety check to sd_notify_with_fds() (Lennart Poettering, 2024-11-04; 4 files, -0/+35)
  The previous commit removed the UINT_MAX check for the fd array. Let's now re-add one, but at a better place, and with a more useful limit.

  As it turns out the kernel does not allow passing more than 253 fds at the same time, hence use that as limit. And do so immediately before calculating the control buffer size, so that we catch multiplication overflows.
* sd-daemon: count array elements in size_t (Lennart Poettering, 2024-11-04; 1 file, -11/+2)
  We fucked that up in the original sd_listen() calls, and then we fixed that on the newer flavours. But our internal common implementation should of course use the full range of size_t, as it should be.

  This then allows us to drop a redundant range check.
* sd-daemon: drop some redundant 'else' (Lennart Poettering, 2024-11-04; 1 file, -3/+3)
* sd-daemon: clean up env var unsetting (Lennart Poettering, 2024-11-04; 1 file, -45/+68)
  This cleans up the handling of the "unset_environment" parameter to sd_listen() and related calls: the man pages claim we operate on it on error too. Hence, actually do so in strictly all error paths. Previously we'd miss out on some, because wrapper functions mishandled them.

  This was addressed before in 362dcfc5db0271cd6b3a564c528cabf0ac0e7993 but some codepaths were missed. Complete the work now.

  This establishes a common pattern: a function to unset the relevant env vars, that is called from a goto section at the bottom on both success and failure.
* ci: add coverage for builds without sd-boot (#35016) (Luca Boccassi, 2024-11-04; 2 files, -2/+4)
  This should catch compilation issues such as: https://github.com/systemd/systemd/pull/35014
* ci: add coverage for builds without sd-boot (Luca Boccassi, 2024-11-04; 1 file, -1/+1)
  This should catch compilation issues such as: https://github.com/systemd/systemd/pull/35014
* test: set nullglob to avoid failure when building without sd-boot (Luca Boccassi, 2024-11-04; 1 file, -0/+2)
    2024-11-04T20:13:17.3258095Z + for loader in build/src/boot/efi/*{.efi,.efi.stub}
    2024-11-04T20:13:17.3258275Z ++ sbverify --list 'build/src/boot/efi/*.efi'
    2024-11-04T20:13:17.3258525Z + [[ Error reading file build/src/boot/efi/*.efi: No such file or directory
    2024-11-04T20:13:17.3258952Z Can't open image build/src/boot/efi/*.efi != \N\o\ \s\i\g\n\a\t\u\r\e\ \t\a\b\l\e\ \p\r\e\s\e\n\t ]]
* test: fix tool name in comment (Luca Boccassi, 2024-11-04; 1 file, -1/+1)
* network: several random trivial cleanups (#34994) (Yu Watanabe, 2024-11-04; 14 files, -39/+92)
  split-out of #34989.
* network/dhcp4: keep DHCP address and routes on stop even when SendDecline=yes (Yu Watanabe, 2024-11-04; 1 file, -5/+5)
  KeepConfiguration=dhcp or dhcp-on-stop already violate the RFC. It is not necessary to honor the RFC about sending a decline message on stop.
* network: expose log_route_debug() and log_address_debug() (Yu Watanabe, 2024-11-04; 4 files, -2/+6)
  They will be used in another file in a later commit.
* network: add more debugging logs (Yu Watanabe, 2024-11-04; 2 files, -8/+21)
  This also fixes the position of the logging "Enumeration completed.", and downgrades its log level.
* network: check if interface is initialized after enumeration completed (Yu Watanabe, 2024-11-04; 3 files, -1/+22)
  We enumerate interfaces at first, then enumerate other configurations like addresses and so on. If we are running in a container, previously we started to configure the enumerated interfaces before enumerating other configurations. Let's configure interfaces after all configurations are enumerated.
* network: check earlier if we are running in test mode (Yu Watanabe, 2024-11-04; 1 file, -13/+20)
* network: introduce network_config_source_from_string() (Yu Watanabe, 2024-11-04; 2 files, -1/+2)
  It is currently unused, but will be used later. Preparation for later commits.
* network/json: add missing entries for route properties (Yu Watanabe, 2024-11-04; 1 file, -0/+2)
* network: remove unexpected netlink socket from service manager (Yu Watanabe, 2024-11-04; 1 file, -2/+2)
* daemon-util: expose notify_push_fd() (Yu Watanabe, 2024-11-04; 2 files, -1/+2)
  It will be used in a later commit.
* network/address: slightly optimize link_address_is_dynamic() (Yu Watanabe, 2024-11-04; 1 file, -1/+5)
* network: realign string table (Yu Watanabe, 2024-11-04; 1 file, -5/+5)
* tmpfiles: Implement L? to only create symlinks if source exists (Daan De Meyer, 2024-11-04; 3 files, -10/+56)
  This allows a single tmpfiles snippet with lines to symlink directories from /usr/share/factory to be shared across many different configurations while making sure symlinks only get created if the source actually exists.
* efi-loader: add missing stub for efi_stub_get_device_part_uuid() (Franck Bui, 2024-11-04; 1 file, -0/+4)
* json: add json_dispatch_ifindex() helper (#34982) (Lennart Poettering, 2024-11-04; 7 files, -45/+37)
  Inspired by: #34640
* tree-wide: port things over to new json_dispatch_ifindex() (Lennart Poettering, 2024-11-04; 4 files, -28/+16)
* json-util: generalize json_dispatch_ifindex() (Lennart Poettering, 2024-11-04; 3 files, -17/+21)
  Let's move the helper from nss-resolve.c to generic code, as it's going to be useful in #34640.

  Also, let's tighten the rules, and refuse negative ifindexes, because they are invalid.
* pcrlock: Pad pe hash to a multiple of 8 bytes (Daan De Meyer, 2024-11-04; 1 file, -0/+4)
  All other tools (sbsigntools, osslsigncode, sbctl, goblin) do this as well so let's follow suit.
* network: refuse new requests on stop (#35004) (Luca Boccassi, 2024-11-04; 7 files, -5/+28)
  split-out of #34989.
* network: free DHCP client and friends in link_free() (Yu Watanabe, 2024-11-03; 3 files, -5/+2)
  No functional change, at least now. Preparation for later commits.

  But we are planning to extend KeepConfiguration= and also keep addresses and so on assigned by other dynamic configuration protocols like DHCPv6 or NDisc. However, when link_free_engines() is called here, addresses and so on acquired by NDisc will be removed, even if link_stop_engines() handles restarting networkd or KeepConfiguration= gracefully.

  So, let's not free engines here, but free them later in link_free(). It is not necessary to be called here anyway.
* network: refuse further requests when manager is in MANAGER_STOPPED (Yu Watanabe, 2024-11-03; 4 files, -0/+26)
  In that case, requests will never be processed anyway. But furthermore, we cannot call link_ref() at that stage. Otherwise, we trigger an assertion.
* network: cleanups for IPv4LL (#34995) (Luca Boccassi, 2024-11-04; 2 files, -18/+21)
  split-out of #34989.
* network/ipv4ll: not necessary to set initial address on each start (Yu Watanabe, 2024-11-02; 2 files, -13/+16)
* network/dhcp4: do not restart IPv4LL client when KeepConfiguration=dhcp (Yu Watanabe, 2024-11-02; 1 file, -5/+5)
  When KeepConfiguration=dhcp, we do not remove the acquired address, hence it is not necessary to restart the IPv4LL client.
* test-dhcp-client: utilize log_info instead of printf (Colin Foster, 2024-11-04; 1 file, -11/+11)
  log_info appears to be the preferred method to convey information from tests. Convert all the printfs to log_info to follow this standard.
* update NEWS (Lennart Poettering, 2024-11-04; 1 file, -10/+37)
* update TODO (Lennart Poettering, 2024-11-04; 1 file, -0/+4)
* udev-builtin-path_id: SAS wide ports must have num_phys > 1 (Martin Wilck, 2024-11-04; 1 file, -5/+6)
  Some kernel SAS drivers (e.g. smartpqi) expose ports with num_phys = 0. udev shouldn't treat these ports as wide ports. SAS wide ports always have num_phys > 1. See comments for sas_port_add_phy() in the kernel sources.

  Sample data from a smartpqi system to illustrate the issue below. Here the phy device is attached to port 0:0, which has no end devices attached and the SAS end device (where sda is attached) is associated with SAS port 0:1, which has no associated phy device. Thus num_phys for port-0:1 is 0. This is arguably wrong, but it's how smartpqi has always set up its devices in sysfs.

    /sys/class/sas_phy/phy-0:0 -> ../../devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/phy-0:0/sas_phy/phy-0:0
    /sys/devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/port-0:0/phy-0:0 -> ../phy-0:0
    /sys/devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/phy-0:0/port -> ../port-0:0
    /sys/class/sas_device/end_device-0:1 -> ../../devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/port-0:1/end_device-0:1/sas_device/end_device-0:1
    /sys/class/block/sda -> ../../devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/port-0:1/end_device-0:1/target0:0:0/0:0:0:0/block/sda

  Signed-off-by: Martin Wilck <mwilck@suse.com>
* openssl-util: Query engine/provider pin via ask-password (#34948) (Daan De Meyer, 2024-11-03; 32 files, -266/+866)
  In mkosi, we want to support signing via a hardware token. We already support this in systemd-repart and systemd-measure. However, if the hardware token is protected by a pin, the pin is asked as many as 20 times when building an image as the pin is not cached and thus requested again for every operation.

  Let's introduce a custom openssl ui when we use engines and providers and plug systemd-ask-password into the process. With systemd-ask-password, the pin can be cached in the kernel keyring, allowing us to reuse it without querying the user again every time to enter the pin. We use the private key URI as the keyring identifier so that the cached pin can be shared across multiple tools.
* bootctl: Add --secure-boot-auto-enroll (Daan De Meyer, 2024-11-03; 11 files, -4/+396)
  When specified, bootctl install will also set up secure boot auto-enrollment. For now, we sign all variables using the same certificate and key pair.
* openssl-util: Query engine/provider pin via ask-password (Daan De Meyer, 2024-11-03; 4 files, -168/+334)
  In mkosi, we want to support signing via a hardware token. We already support this in systemd-repart and systemd-measure. However, if the hardware token is protected by a pin, the pin is asked as many as 20 times when building an image as the pin is not cached and thus requested again for every operation.

  Let's introduce a custom openssl ui when we use engines and providers and plug systemd-ask-password into the process. With systemd-ask-password, the pin can be cached in the kernel keyring, allowing us to reuse it without querying the user again every time to enter the pin. We use the private key URI as the keyring identifier so that the cached pin can be shared across multiple tools.

  Note that if the private key is pin protected, openssl will prompt both when loading the private key using the pkcs11 engine and when actually signing the roothash. To make sure our custom UI is used when signing the roothash, we have to also configure it with ENGINE_ctrl() which takes a non-owning pointer to the UI_METHOD object and its userdata object which we have to keep alive so we introduce a new AskPasswordUserInterface struct which we use to keep both objects alive together with the EVP_PKEY object.

  Because the AskPasswordRequest struct stores non-owning pointers to its fields, we change repart to store the private key URI as a global variable again instead of the EVP_PKEY object so that we can use the private key argument as the keyring field of the AskPasswordRequest instance without running into lifetime issues.
* efivars: Remove STRINGIFY() helper macros (Daan De Meyer, 2024-11-02; 20 files, -83/+79)
  The names of these conflict with macros from efi.h that we'll move to efi-fundamental.h in a later commit. Let's avoid the conflict by getting rid of these helpers. Arguably this also improves readability by clearly indicating we're passing arbitrary strings and not constants to the macros when we invoke them.
* ask-password: Add $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE (Daan De Meyer, 2024-11-02; 2 files, -1/+50)
  Currently ask_password_auto() will always try to store the password into the user keyring. Let's make this configurable so that we can configure ask_password_auto() into the session keyring. This is required when working with user namespaces, as the user keyring is namespaced by user namespaces which makes it impossible to share cached keys across user namespaces by using the user namespace while this is possible with the session keyring.
* ask-password: Drop "default" for SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC (Daan De Meyer, 2024-11-02; 2 files, -7/+6)
  Users can simply unset the environment variable to achieve the same effect.
* ask-password: Use default timeout if SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC is unset (Daan De Meyer, 2024-11-02; 1 file, -4/+2)
  Follow-up for d9f4dad986dcebd51bdaeb8ba3d2c00cdc0d701e
* mkosi: Add extra tools tree packages required to run integration tests (Daan De Meyer, 2024-11-02; 5 files, -0/+71)
  With https://github.com/systemd/mkosi/pull/3164, we'll be able to run arbitrary commands in the mkosi sandbox, which has /usr from the tools tree if one is configured. Let's add the required packages to be able to run meson to setup the integration tests. This allows running the integration tests without having to install meson or other build dependencies on the host system.

    """
    mkosi sandbox meson setup build
    mkosi sandbox meson compile -C build
    mkosi
    mkosi sandbox env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build ...
    """