| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Also remove the systemd-measure dependency from the mkosi target as
mkosi doesn't invoke systemd-measure itself.
|
| |\
| |
| |
| |
| |
| |
| | |
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special purpose
tools.
Fixes #35087
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special
purpose tools.
Fixes #35087
|
| | | |
|
| | |
| |
| |
| |
| | |
Those two programs are used together and it makes sense to keep them
together. makefs is smaller, so name the directory after growfs.
|
| |/ |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I very much dislike the approach in which we were mixing Linux and UEFI C code
in the same subdirectory. No code was shared between two environments. This
layout was created in e7dd673d1e0acfe5420599588c559fd85a3a9e8f, with the
justification of "being more consistent with the rest of systemd", but I don't
see how it's supposed to be so.
Originally, when the C code was just a single bootctl.c file, this wasn't so
bad. But over time the userspace code grew quite a bit. With the moves done in
previuos commits, the intermediate subdirectory is now empty except for the
efi/ subdir, and this additional subdirectory level doesn't have a good
justification. The components is called "systemd-boot", not "systemd-efi", and
we can remove one level of indentation.
|
| |
|
|
|
| |
It's already two files, and I expect that more will come. It's nicer to give
its own subdirectory to maintain consistent structure.
|
| |
|
|
|
|
| |
We have other subdirectories with just a single C file. And I expect
that systemd-measure will only grow over time, adding new functionality.
It's nicer to give its own subdirectory to maintain consistent structure.
|
| | |
|
| |
|
|
|
| |
It's been split into a bunch of files and deserves its own subdirectory
similarly to systemctl.
|
| | |
|
| |
|
|
|
|
| |
This commit introduces a build-time option to enable/disable sysupdated
separately from sysupdate. 'auto' translated to enabled by default in
developer builds.
|
| |
|
|
|
|
|
|
| |
The default definition to add is `-D__loongarch64__`, which is not searched in [bpf_tracing.h](https://github.com/libbpf/libbpf/blob/09b9e83102eb8ab9e540d36b4559c55f3bcdb95d/src/bpf_tracing.h#L68)
This may avoid `error: Must specify a BPF target arch via __TARGET_ARCH_xxx` in loongarch64
Signed-off-by: Zhou Qiankang <wszqkzqk@qq.com>
|
| |
|
|
| |
While at it, also add -Wunknown-warning-option to basic_disabled_warnings to fix compilation with clang
|
| | |
|
| |
|
|
|
| |
So that sd_path_lookup() can be utilized to replace
duplicate functions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
IPE is a new LSM being introduced in 6.12. Like IMA, it works based on a
policy file that has to be loaded at boot, the earlier the better. So
like IMA, if such a policy is present, load it and activate it.
If there are any .p7b files in /etc/ipe/, load them as policies.
The files have to be inline signed in DER format as per IPE documentation.
For more information on the details of IPE:
https://microsoft.github.io/ipe/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For compiling bpf code, the system include directory needs to be
constructed. On Debian-like systems, this requires passing a multiarch
directory. Since clang's -dump-machine prints something other that the
multiarch triplet, gcc was interrogated earlier, but that also yields a
wrong result for cross compilation and was thus skipped resulting in
clang not finding asm/types.h.
Rather than, -dump-machine we should ask for -print-multiarch (which
rarely differs). Whenever gcc is in use, this is right (even for cross
building). Since clang does not support -print-multiarch and its
-dump-machine never matches Debian's multiarch, we resort to asking gcc
when building natively. For cross builds using clang, we are out of
luck.
|
| |
|
|
|
|
|
|
|
| |
Let's make use of libcryptsetup's new crypt_token_set_external_path()
API in place of the interposition stuff we have been doing before. Let's
kill it entirely, given that this was a developer feature only anyway
(and guarded by an appropriate ifdef).
Fixes: #30098
|
| |
|
|
| |
and welcome messages
|
| |
|
|
|
| |
Now, we have copy of vm_sockets.h, hence these definitions are not
necessary anymore.
|
| |
|
|
|
|
| |
We currently search for 'bpf-gcc' and 'bpf-none-gcc'. Gentoo's
sys-devel/bpf-toolchain package uses 'bpf-unknown-none-gcc', as does Fedora's
cross-binutils. Search for this name too.
|
| |
|
|
|
| |
Co-authored-by: Tom Coldrick <thomas.coldrick@codethink.co.uk>
Co-authored-by: Abderrahim Kitouni <abderrahim.kitouni@codethink.co.uk>
|
| |
|
|
|
| |
With af1a6db58fde8f64edcf7d27e1f3b636c999934c, now we can build with the
option.
|
| | |
|
| |
|
|
|
|
| |
Let's explicitly pass the value to -fstrict-flex-arrays. This does
not change behavior but it does (selfishly) make my error not bug
out with an error saying -fstrict-flex-arrays does not exist.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When building packages of arbitrary commits of systemd-stable,
distributors might want to include a git sha of the exact commit
they're on. Let's extend vcs-tag a little to make this possible.
If we're on a commit matching a tag, don't generate a git sha at all.
If we're not on a commit matching a tag, generate a vcs tag as usually.
However, if we're not in developer mode, don't append a '^' if the tree
is dirty to accomodate package builds applying various patches to the
tree which shouldn't be considered as "dirty" edits.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If building with clang and clang does not support bpf, then enabling
-Dbpf-framework=enabled would silently drop the feature (even printing
bpf-framework: enabled in the meson build recap, and no message anywhere
that'd hint at the failure!)
This is unexpected, so add check to fail hard in this case.
All other code paths (gcc, missing bpftool) properly check for the
option, but it is not as easy for a custom command so check explicitly
|
| |
|
|
|
|
|
|
|
|
| |
Let's document in detail how to build the integration test image and run
the integration tests without building systemd. To streamline the process,
we stop automatically using binaries from build/ when invoking mkosi directly
and don't automatically use a tools tree anymore if systemd on the host is too
old. Instead, we document these options in HACKING.md and change the mkosi meson
target to automatically use the current build directory as an extra binary search
path for mkosi.
|
| |
|
|
|
|
|
|
|
|
| |
It's time. sd-json was already done earlier in this cycle, let's now
make sd-varlink public too.
This is mostly just a search/replace job of epical proportions.
I left some functions internal (mostly IDL handling), and I turned some
static inline calls into regular calls.
|
| |\
| |
| | |
Link executor statically
|
| | |
| |
| |
| |
| |
| |
| | |
Our variables for internal libraries are named 'libfoo' for the shared lib
variant, and 'libfoo_static' for the static lib variant. The only exception was
libbasic, because we didn't have a shared variant for it. But let's rename it
for consitency. This makes the build config easier to understand.
|
| |/
|
|
|
|
|
|
|
| |
Follow up for 8b3b01c4b7e0fde39b4be354990ee68f5e612c52
We switch to PROJECT_VERSION instead of PROJECT_VERSION_FULL where
we report our version and which is likely being parsed to avoid
breaking compat. If we didn't, the output would change from systemd
255 to systemd 255.1 which could break various tools.
|
| |
|
|
|
|
|
|
|
| |
These are required by the bpf_tracing.h header in libbpf, see
https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h.
bpf_tracing.h does have a few fallbacks in case __TARGET_ARCH_XXX
is not defined but recommends using the __TARGET_ARCH macros instead
so let's do that.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
nscd is known to be racy [1] and it was already deprecated and later dropped in
Fedora a while back [1,2]. We don't need to support obsolete stuff in systemd,
and the cache in systemd-resolved provides a better solution anyway.
We announced the plan to drop nscd in d44934f3785ad9ca4aab757beb80a9b11ba4bc04.
[1] https://fedoraproject.org/wiki/Changes/DeprecateNSCD
[2] https://fedoraproject.org/wiki/Changes/RemoveNSCD
The option is kept as a stub without any effect to make the transition easier.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In mkosi.images/system/mkosi.conf, we configure the certificate as
an extra tree so it's available inside the image. However, we pick up
the certificate from the top level repository directory and not from the
build directory where it is generated by the genkey meson target.
We currently have no way to access the build directory that mkosi was
invoked from when parsing the configuration file. Thus we have no way to
specify the correct location to the certificate when it's located in the
build directory.
For now, let's look for the key and certificate in the top level repository
root directory and drop the genkey target.
We don't have to change the Github Actions CI because it already runs genkey
manually before the image build (which is something we forgot to remove when
introducing the genkey target and is the reason this didn't cause issues before).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kernel's sched_setattr interface allows for more control over a processes
scheduling attributes as the previously used sched_setscheduler interface.
Using sched_setattr is also the prerequisite for support of utilization
clamping (UCLAMP [1], see #26705) and allows to set sched_runtime. The latter,
sched_runtime, will probably become a relevant scheduling parameter of the
EEVDF scheduler [2, 3], and therefore will not only apply to processes
scheduled via SCHED_DEADLINE, but also for processes scheduled via
SCHED_OTHER/SCHED_BATCH (i.e., most processes).
1: https://docs.kernel.org/next/scheduler/sched-util-clamp.html
2: https://lwn.net/Articles/969062/
3: https://lwn.net/ml/linux-kernel/20240405110010.934104715@infradead.org/
|
| |
|
|
|
|
|
|
|
| |
During cross-compilation of systemd, the compiler used to build the bpf's needs
to be pointed at the correct include searchpath. Which can be done by passing
the corresponding directory in through the cflags; for example in yocto/bitbake
this would work: CFLAGS += "--sysroot=${STAGING_DIR_TARGET}"
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is preparation for making our Varlink API a public API. Since our
Varlink API is built on top of our JSON API we need to make that public
first (it's a nice API, but JSON APIs there are already enough, this is
purely about the Varlink angle).
I made most of the json.h APIs public, and just placed them in
sd-json.h. Sometimes I wasn't so sure however, since the underlying data
structures would have to be made public too. If in doubt I didn#t risk
it, and moved the relevant API to src/libsystemd/sd-json/json-util.h
instead (without any sd_* symbol prefixes).
This is mostly a giant search/replace patch.
|
| |
|
|
|
| |
crypt_reencrypt() is deprecated, so let's look for and prefer
crypt_reencrypt_run() if it is available.
|
| |
|
|
| |
Otherwise we fail to detect crypt_reencrypt() if -Werror is used.
|
| |
|
|
|
| |
If static libraries are enabled, then group them in the build target together
with the shared libraries, to match the install tags.
|
| |
|
|
|
|
| |
Add aliases grouping these modules, so that they can be built
without knowing the SONAME version in advance. Match the install
tag names.
|
| | |
|
| |\
| |
| | |
Optionally link ssh dropins
|
| | |
| |
| |
| |
| |
| |
| | |
all cases
It's only needed on distros where sshd doesn't support drop-ins in /usr, which
is not the case on SUSE.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
in all cases
On distros like SUSE where ssh config dropins in /usr are supported, there's no
need for a symlink in /etc/ssh/ssh_config.d/ that points to the dropin
installed somewhere in /usr (that is not reachable by ssh).
|
| | |
| |
| |
| |
| | |
Sometimes meson decides to rerun the command even if the files already
exist. Let's run with --force so we don't fail if that's the case.
|
