| Commit message (Collapse) | Author | Files | Lines |
|---|
|
nscd is known to be racy [1] and it was already deprecated and later dropped in
Fedora a while back [1,2]. We don't need to support obsolete stuff in systemd,
and the cache in systemd-resolved provides a better solution anyway.
We announced the plan to drop nscd in d44934f3785ad9ca4aab757beb80a9b11ba4bc04.
[1] https://fedoraproject.org/wiki/Changes/DeprecateNSCD
[2] https://fedoraproject.org/wiki/Changes/RemoveNSCD
The option is kept as a stub without any effect to make the transition easier.
|
|
In mkosi.images/system/mkosi.conf, we configure the certificate as
an extra tree so it's available inside the image. However, we pick up
the certificate from the top level repository directory and not from the
build directory where it is generated by the genkey meson target.
We currently have no way to access the build directory that mkosi was
invoked from when parsing the configuration file. Thus we have no way to
specify the correct location to the certificate when it's located in the
build directory.
For now, let's look for the key and certificate in the top level repository
root directory and drop the genkey target.
We don't have to change the Github Actions CI because it already runs genkey
manually before the image build (which is something we forgot to remove when
introducing the genkey target and is the reason this didn't cause issues before).
|
|
|
|
|
|
|
|
Update the man page of tmpfiles.d to remove outdated comments regarding the behavior of ownership with symlinks.
The behavior has been changed in this commit 51207ca134716a0dee5fd763a6c39204be849eb1
|
|
The old license was a copy&paste mistake.
|
|
Now that we're running on Noble instead of Jammy btrfs has the temp_fsid
feature which means we can mount the same image multiple times so let's
switch back to btrfs instead of ext4 as the filesystem as btrfs properly
records timestamps when building filesystems from a root directory unlike
ext4.
|
|
|
|
The new "password-cache" option allows customizing behavior of the
ask-password module in regards to caching credentials in the kernel
keyring. There are 3 possible values for this option:
* read-only - look for credentials in kernel keyring before asking
* on - same as read-only, but also save credentials input by user
* off - disable keyring credential cache
Currently the cache is forced upon the user and this can cause issues.
For example, if user wants to attach two volumes with two different
FIDO2 tokens in a quick succession, the attachment operation for the
second volume will use the PIN cached from the first FIDO2 token, which
of course will fail and since tokens are only attempted once, this will
cause fallback to a password prompt.
|
|
Currently, if user doesn't specify a key file, /etc/cryptsetup-keys.d/
and /run/cryptsetup-keys.d/ will be searched for a key file with name
matching the volume name. But current implementation has an important
flaw. When the auto-discovered key is a socket file - it will read the
key only once, while the socket might provide different keys for
different types of tokens. The issue is fixed by trying to discover the
key on each unlock attempt, this way we can populate the socket bind
name with something the key provider might use to differentiate between
different keys it has to provide.
|
|
This gets us a kernel with btrfs support.
|
|
|
|
|
|
|
|
|
|
|
|
'allowInteractiveAuthentication' varlink parameter
If people want they should be able to turn on this flag, to allow
interactive auth. Let's make sure this actually works. i.e. add it to
the introspection data and don't refuse the parameter in Describe().
(note the varlink handling already does parameter validation through
varlink_dispatch(), hence we can just drop any further validation)
|
|
reply to client with an error
The logic of the Describe() call was supposed to be: if we can acquire
the PK priv to get the product UUID then let's return the product UUID,
and if we cannot then return the data without it.
This didn't work however, since the polkit varlink glue would
immediately propagate the error it acquired from polkit its own client.
Let's turn this off, optionally, so that hostnamed can handle this
nicely.
|
|
The package was merged into the main systemd package in
https://src.opensuse.org/rpm/systemd/commit/23bfa9d83b6e24a5395a704b816a351f3dc5b5316e580cacedd1b5d9e068c117.
|
|
This patch does not apply anymore on upstream, so let's remove it
from the spec before building until the spec is fixed.
|
|
This adds varlink_server_add_connection_stdio() as wrapper around
varlink_server_add_connection_pair(), that steals stdin/stdout fds and
turns them into a varlink connection. To be safe it replaces
stdin/stdout with /dev/null fds.
|
|
This adds the server-side for varlink connections over two distinct fds.
|
|
This makes use of the functionality added in the previous commit to
implement the client-side functionality for talking to servers via a
pair of fds.
|
|
When invoking another process via a pair of pipes it makes sense to
allow reading from one fd, and writing from another. Teach our varlink
code to do so optionally.
(sd-bus supports something similar, fill the gap).
This is preparation for a later commit that uses this to talk to remote
SSH invocations via pipes.
|
|
The kernel's sched_setattr interface allows for more control over a processes
scheduling attributes as the previously used sched_setscheduler interface.
Using sched_setattr is also the prerequisite for support of utilization
clamping (UCLAMP [1], see #26705) and allows to set sched_runtime. The latter,
sched_runtime, will probably become a relevant scheduling parameter of the
EEVDF scheduler [2, 3], and therefore will not only apply to processes
scheduled via SCHED_DEADLINE, but also for processes scheduled via
SCHED_OTHER/SCHED_BATCH (i.e., most processes).
1: https://docs.kernel.org/next/scheduler/sched-util-clamp.html
2: https://lwn.net/Articles/969062/
3: https://lwn.net/ml/linux-kernel/20240405110010.934104715@infradead.org/
|
|
Just a tiny change to fix an eyesore in cryptsetup luksDump display :)
|
|
We have very similar code for setting generic efi vars in sd-stub and
sd-boot. Let's share it.
This changes behaviour in a minor way: if you chainload multiple
versions of an sd-boot you'll see the efi vars of the first one now in
the OS, not of the last one.
But this should not matter, invocation like that should generally not
happen.
|
|
Always put the success path at least indentation, and indent the error
paths.
|
|
|
|
sectin into char* string
|
|
|
|
|
|
|
|
Always pass the pointer through so that the functions combine the flags
directly, instead of doing that in the caller.
|
|
|
|
|
|
Let's do the section measurement first, before we use any data of it.
Let's bring up the boot splash next, so that it covers anything else we
might do.
|
|
|
|
|
|
Instead of keeping the lists for the global and per-UKI addons separate
throughout, just merge them. We apply them in the same order after all.
|
|
|
|
Instead of keeping three parallel arrays of dt base, dt size and dt
filename, just introduce a proper structure and use an array of that,
greatly simplifying DT handling.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Let's maintain an array of "struct iovec" for the initrds. It becomes a
ton easier and shorter to process/combine the various initrds then.
|
