From 88963802d6939f5e61a56bc4ba93613cee8c1419 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Jul 17 2023 10:50:58 +0000
Subject: Merge branch 'c9s-sig-hyperscale' into c8s-sig-hyperscale
---
diff --git a/0001-pam-align-second-and-third-columns.patch b/0001-pam-align-second-and-third-columns.patch
deleted file mode 100644
index 8ab341b..0000000
--- a/0001-pam-align-second-and-third-columns.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From 9efb224443d819b7d64ec76cb94c8aa625a8abf2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 23 Nov 2022 16:05:48 +0100 -Subject: [PATCH 1/2] pam: align second and third columns - -In our template file, we have jinja2 template markers, so the file -looks fairly messy. But once it's rendered, it looks pretty clean, except -that the columns are unaligned becuase of "-" in some lines in the first -column. Let's make them aligned. ---- - src/login/systemd-user.in | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in -index 39bcbd71fe..d5597d28cb 100644 ---- a/src/login/systemd-user.in -+++ b/src/login/systemd-user.in -@@ -4,18 +4,18 @@ - # Used by systemd --user instances. - - {% if ENABLE_HOMED %} ---account sufficient pam_systemd_home.so -+-account sufficient pam_systemd_home.so - {% endif %} --account sufficient pam_unix.so no_pass_expiry --account required pam_permit.so -+account sufficient pam_unix.so no_pass_expiry -+account required pam_permit.so - - {% if HAVE_SELINUX %} --session required pam_selinux.so close --session required pam_selinux.so nottys open -+session required pam_selinux.so close -+session required pam_selinux.so nottys open - {% endif %} --session required pam_loginuid.so --session optional pam_keyinit.so force revoke -+session required pam_loginuid.so -+session optional pam_keyinit.so force revoke - {% if ENABLE_HOMED %} ---session optional pam_systemd_home.so -+-session optional pam_systemd_home.so - {% endif %} --session optional pam_systemd.so -+session optional pam_systemd.so --- -2.38.1 - diff --git a/0002-pam-add-a-call-to-pam_namespace.patch b/0002-pam-add-a-call-to-pam_namespace.patch deleted file mode 100644 index 51564d9..0000000 --- a/0002-pam-add-a-call-to-pam_namespace.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 23 Nov 2022 16:09:56 +0100 -Subject: [PATCH 2/2] pam: add a call to pam_namespace - -A call to pam_namespace is required so that children of user@.service end up in -a namespace as expected. pam_namespace gets called as part of the stack that -creates a session (login, sshd, gdm, etc.) and those processes end up in a -namespace, but it also needs to be called from our stack which is parallel and -descends from pid1 itself. - -The call to pam_namespace is similar to the call to pam_keyinit that was added -in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service -creates a new session which is disconnected from the parent environment. Both -calls are not suitable for inclusion in the shared part of the stack (e.g. -@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser -should not include them. - -Fixes #17043 (Allow to execute user service into dedicated namespace - if pam_namespace enabled) -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836 -(Polyinstantiation is ignored/bypassed in GNOME sessions) ---- - src/login/systemd-user.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in -index d5597d28cb..06f7e36458 100644 ---- a/src/login/systemd-user.in -+++ b/src/login/systemd-user.in -@@ -15,6 +15,7 @@ session required pam_selinux.so nottys open - {% endif %} - session required pam_loginuid.so - session optional pam_keyinit.so force revoke -+session required pam_namespace.so - {% if ENABLE_HOMED %} - -session optional pam_systemd_home.so - {% endif %} --- -2.38.1 - diff --git a/0003-pam-actually-align-the-columns.patch b/0003-pam-actually-align-the-columns.patch deleted file mode 100644 index da4fcf2..0000000 --- a/0003-pam-actually-align-the-columns.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 369dfbf43a0064b70a774ccdd3dd1c1a09fd95ca Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 14 Dec 2022 22:23:31 +0100 -Subject: [PATCH 3/4] pam: actually align the columns - -In 9efb224443d819b7d64ec76cb94c8aa625a8abf2 was supposed to align -them, but for some reason I just added a second space everywhere. ---- - src/login/systemd-user.in | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in -index 06f7e36458..9a665bd959 100644 ---- a/src/login/systemd-user.in -+++ b/src/login/systemd-user.in -@@ -4,19 +4,19 @@ - # Used by systemd --user instances. - - {% if ENABLE_HOMED %} ---account sufficient pam_systemd_home.so -+-account sufficient pam_systemd_home.so - {% endif %} - account sufficient pam_unix.so no_pass_expiry --account required pam_permit.so -+account required pam_permit.so - - {% if HAVE_SELINUX %} --session required pam_selinux.so close --session required pam_selinux.so nottys open -+session required pam_selinux.so close -+session required pam_selinux.so nottys open - {% endif %} --session required pam_loginuid.so --session optional pam_keyinit.so force revoke --session required pam_namespace.so -+session required pam_loginuid.so -+session optional pam_keyinit.so force revoke -+session required pam_namespace.so - {% if ENABLE_HOMED %} ---session optional pam_systemd_home.so -+-session optional pam_systemd_home.so - {% endif %} --session optional pam_systemd.so -+session optional pam_systemd.so --- -2.38.1 - diff --git a/10-map-count.conf b/10-map-count.conf new file mode 100644 index 0000000..5cf5677 --- /dev/null +++ b/10-map-count.conf @@ -0,0 +1,3 @@ +# Increase the number of virtual memory areas that one process may request +# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount +vm.max_map_count=1048576 
diff --git a/10-oomd-per-slice-defaults.conf b/10-oomd-per-slice-defaults.conf index fbf6f00..63d8162 100644 --- a/10-oomd-per-slice-defaults.conf +++ b/10-oomd-per-slice-defaults.conf @@ -1,3 +1,3 @@ [Slice] ManagedOOMMemoryPressure=kill -ManagedOOMMemoryPressureLimit=50% +ManagedOOMMemoryPressureLimit=80% diff --git a/10-timeout-abort.conf b/10-timeout-abort.conf new file mode 100644 index 0000000..4852648 --- /dev/null +++ b/10-timeout-abort.conf @@ -0,0 +1,14 @@ +# This file is part of the systemd package. +# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer. +# +# To facilitate debugging when a service fails to stop cleanly, +# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in +# the time allotted. This will cause the service to be terminated with SIGABRT +# and a coredump to be generated. +# +# To undo this configuration change, create a mask file: +# sudo mkdir -p /etc/systemd/system/service.d +# sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf + +[Service] +TimeoutStopFailureMode=abort diff --git a/26494.patch b/26494.patch new file mode 100644 index 0000000..19bc67b --- /dev/null +++ b/26494.patch 
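Review bot: The header comment of 10-timeout-abort.conf says a coredump is generated, but not that the dump holds the service's memory, which may include keys, tokens or other credentials. The spec installs this drop-in under `service.d` for system units and, after a sed rewrite, for user units, so it applies broadly. I would add a line such as `# Core dumps contain process memory; restrict access to and retention of stored dumps accordingly.` to the comment block, so the debugging benefit and the data-exposure cost are documented together.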
@@ -0,0 +1,30 @@ +From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 20 Feb 2023 12:00:30 +0900 +Subject: [PATCH] core/manager: run generators directly when we are in initrd + +Some initrd system write files at ourside of /run, /etc, or other +allowed places. This is a kind of workaround, but in most cases, such +sandboxing is not necessary as the filesystem is on ramfs when we are in +initrd. + +Fixes #26488. +--- + src/core/manager.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 7b394794b0d4..306477c6e6c2 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) { + /* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If + * we are the user manager, let's just execute the generators directly. We might not have the + * necessary privileges, and the system manager has already mounted /tmp/ and everything else for us. +- */ +- if (MANAGER_IS_USER(m)) { ++ * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */ ++ if (MANAGER_IS_USER(m) || in_initrd()) { + r = manager_execute_generators(m, paths, /* remount_ro= */ false); + goto finish; + } diff --git a/98-default-mac-none.link b/98-default-mac-none.link new file mode 100644 index 0000000..8440f98 --- /dev/null +++ b/98-default-mac-none.link 
@@ -0,0 +1,20 @@ +# SPDX-License-Identifier: MIT-0 +# +# This config file is installed as part of systemd. +# It may be freely copied and edited (following the MIT No Attribution license). +# +# To make local modifications, one of the following methods may be used: +# 1. add a drop-in file that extends this file by creating the +# /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a +# new .conf file there. +# 2. copy this file into /etc/systemd/network or one of the other paths checked +# by systemd-udevd and edit it there. +# This file should not be edited in place, because it'll be overwritten on upgrades. + +[Match] +Kind=bridge bond team + +[Link] +NamePolicy=keep kernel database onboard slot path +AlternativeNamesPolicy=database onboard slot path +MACAddressPolicy=none diff --git a/sources b/sources index 43bb180..33272ce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (systemd-hs-252.4.tar.gz) = 89ec58da01429b83d6a2d80797ca140c2c40ab750198b2a8e395a9e94169882739b07aff21dfbb013b52241d9632b10354d2e9cbfed2fa05355440ff10c251a7 -SHA512 (systemd-hs+fb-252.4.tar.gz) = e6d971184ec03708e679355d0bda13d9315e0b9861ffd8e5d45905714eb27d738f006b92d68e7f05cbd73a6d9cbc49fa969b1ac0a572f668141fc8942ddd7e66 +SHA512 (systemd-hs-253.5.tar.gz) = fbbb62c3e04a45b7ab3900cea8eb4468ec150d345ba49b11a7b41b00fd014a5f3df06524f1816b171d56d9f04f576cc218ccdb4b6db7d378102dc1cd183cc77d +SHA512 (systemd-hs+fb-253.5.tar.gz) = c114c0398a9480fc06863b92a4d0378e5668aaade0a8d01db1ba492226edee359166361446b548fe80e63d0c94b80ce1f80fee51eb310774a35333b87167b59f diff --git a/split-files.py b/split-files.py index ebd0835..11fda6a 100644 --- a/split-files.py +++ b/split-files.py @@ -18,6 +18,7 @@ def files(root): o_libs = open('.file-list-libs', 'w') o_udev = open('.file-list-udev', 'w') +o_ukify = open('.file-list-ukify', 'w') o_boot = open('.file-list-boot', 'w') o_pam = open('.file-list-pam', 'w') o_rpm_macros = open('.file-list-rpm-macros', 'w') 
@@ -28,8 +29,10 @@ o_oomd_defaults = open('.file-list-oomd-defaults', 'w') o_remote = open('.file-list-remote', 'w') o_resolve = open('.file-list-resolve', 'w') o_tests = open('.file-list-tests', 'w') +o_standalone_repart = open('.file-list-standalone-repart', 'w') o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w') o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w') +o_standalone_shutdown = open('.file-list-standalone-shutdown', 'w') o_main = open('.file-list-main', 'w') for file in files(buildroot): n = file.path[1:] @@ -54,12 +57,27 @@ for file in files(buildroot): /var(/cache|/log|/lib|/run|)$ ''', n, re.X): continue - if '/security/pam_' in n or '/man8/pam_' in n: + + if n.endswith('.standalone'): + if 'repart' in n: + o = o_standalone_repart + elif 'tmpfiles' in n: + o = o_standalone_tmpfiles + elif 'sysusers' in n: + o = o_standalone_sysusers + elif 'shutdown' in n: + o = o_standalone_shutdown + else: + assert False, 'Found .standalone not belonging to known packages' + + elif '/security/pam_' in n or '/man8/pam_' in n: o = o_pam elif '/rpm/' in n: o = o_rpm_macros elif '/usr/lib/systemd/tests' in n: o = o_tests + elif 'ukify' in n: + o = o_ukify elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n): o = o_main elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n): @@ -106,7 +124,6 @@ for file in files(buildroot): hwdb| bootctl| boot-update| - sd-boot|systemd-boot\.|loader.conf| bless-boot| boot-system-token| kernel-install| @@ -124,6 +141,7 @@ for file in files(buildroot): pstore| sleep|suspend|hibernate| systemd-tmpfiles-setup-dev| + network/98-default-mac-none.link| network/99-default.link| growfs|makefs|makeswap|mkswap| fsck| 
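Review bot: The relocated `.standalone` branch still ends in `assert False, 'Found .standalone not belonging to known packages'`, and assertions are removed when Python runs with `-O`. In that case `o` would presumably keep whatever value the previous iteration left, and the file would be written to an unrelated file list. Raising explicitly, `raise ValueError('Found .standalone not belonging to known packages: ' + n)`, keeps the build failing and names the offending path. The surrounding `for file in files(buildroot)` loop starts and ends outside this hunk.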
@@ -151,7 +169,10 @@ for file in files(buildroot): # confused if those user-facing binaries are not available. o = o_udev - elif re.search(r'''/boot/efi''', n, re.X): + elif re.search(r'''/boot/efi| + /usr/lib/systemd/boot| + sd-boot|systemd-boot\.|loader.conf + ''', n, re.X): o = o_boot elif re.search(r'''resolved|resolve1| @@ -164,14 +185,6 @@ for file in files(buildroot): elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X): o = o_oomd_defaults - elif n.endswith('.standalone'): - if 'tmpfiles' in n: - o = o_standalone_tmpfiles - elif 'sysusers' in n: - o = o_standalone_sysusers - else: - assert False, 'Found .standalone not belonging to known packages' - else: o = o_main diff --git a/systemd.spec b/systemd.spec index b3a5450..85c2912 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,12 +1,10 @@ #global commit c4b843473a75fb38ed5bf54e9d3cfb1cb3719efa %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} -%global stable 1 - %if 0%{?facebook} -%global hs_commit 1d360fe852a59e3fd4253b234f72cc9bf28a1214 +%global hs_commit 56f097a40674300444908809da2c7f2962a4c072 %else -%global hs_commit 41a7f97e13ba7bb986d97f6873fa3c3fe0808517 +%global hs_commit c8cecf12d59b11f1e75db1e49b20ba07c7db4c69 %endif # We ship a .pc file but don't want to have a dep on pkg-config. We @@ -36,16 +34,17 @@ Name: systemd Url: https://pagure.io/centos-sig-hyperscale/systemd %if %{without inplace} -Version: 252.4 -Release: 598.13%{?dist} +Version: 253.5 %else # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') -Release: 2 %endif +Release: 1.1%{?dist} + +%global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?) # For a breakdown of the licensing, see README -License: LGPLv2+ and MIT and GPLv2+ +License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later Summary: System and Service Manager # download tarballs with "spectool -g systemd.spec" 
@@ -69,12 +68,16 @@ Source13: libsystemd-shared.abignore Source14: 10-oomd-defaults.conf Source15: 10-oomd-per-slice-defaults.conf +Source16: 10-timeout-abort.conf +Source17: 10-map-count.conf Source21: macros.sysusers Source22: sysusers.attr Source23: sysusers.prov Source24: sysusers.generate-pre.sh +Source25: 98-default-mac-none.link + # Needed for selinux subpackage Source100: Makefile.selinux Source101: systemd_hs.te @@ -93,9 +96,9 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # than in the next section. Packit CI will drop any patches in this range before # applying upstream pull requests. -Patch0001: 0001-pam-align-second-and-third-columns.patch -Patch0002: 0002-pam-add-a-call-to-pam_namespace.patch -Patch0003: 0003-pam-actually-align-the-columns.patch +# https://github.com/systemd/systemd/issues/26488 +# https://bugzilla.redhat.com/show_bug.cgi?id=2164404 +Patch0001: https://github.com/systemd/systemd/pull/26494.patch # Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 @@ -140,7 +143,9 @@ BuildRequires: kmod-devel BuildRequires: elfutils-devel BuildRequires: openssl-devel BuildRequires: gnutls-devel +%if %{undefined rhel} BuildRequires: qrencode-devel +%endif BuildRequires: libmicrohttpd-devel BuildRequires: libxkbcommon-devel BuildRequires: iptables-devel 
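Review bot: The comment above `Patch0001` links the issue and the bug but records neither which revision of the pull request was taken nor what the patch relaxes. A pull-request `.patch` URL can serve different content if the pull request is updated, so a later re-download may not match the 26494.patch committed here. I would add `# upstream commit 6b25470ee28843a49c50442e9d8a98edc842ceca: run generators without the sanitized mount namespace in the initrd` above the line, so the pinned revision and the reduced generator confinement are both visible to whoever next rebases.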
@@ -158,12 +163,20 @@ BuildRequires: gawk BuildRequires: tree BuildRequires: hostname BuildRequires: python3 -BuildRequires: python3dist(lxml) +BuildRequires: python3-devel BuildRequires: python3dist(jinja2) -BuildRequires: firewalld-filesystem -%if 0%{?have_gnu_efi} -BuildRequires: gnu-efi gnu-efi-devel +BuildRequires: python3dist(lxml) +BuildRequires: python3dist(pefile) +%if %{undefined rhel} +BuildRequires: python3dist(pillow) +BuildRequires: python3dist(pytest-flakes) %endif +BuildRequires: python3dist(pytest) +%if 0%{!?el8} +BuildRequires: python3dist(zstd) +%endif +# gzip and lzma are provided by the stdlib +BuildRequires: firewalld-filesystem BuildRequires: libseccomp-devel %if 0%{?el8} BuildRequires: meson >= 0.57 @@ -176,6 +189,10 @@ BuildRequires: valgrind-devel BuildRequires: pkgconfig(bash-completion) BuildRequires: perl BuildRequires: perl(IPC::SysV) +%if 0%{?el8} +BuildRequires: gnu-efi +BuildRequires: gnu-efi-devel +%endif %ifnarch %ix86 # bpftool is not built for i368 @@ -183,6 +200,13 @@ BuildRequires: bpftool %global have_bpf 1 %endif +%if 0%{?fedora} +%ifarch x86_64 aarch64 +# That package is only built for those two architectures +BuildRequires: xen-devel +%endif +%endif + Requires(post): coreutils Requires(post): grep # systemd-machine-id-setup requires libssl @@ -215,10 +239,14 @@ Conflicts: fedora-release < 23-0.12 %endif Obsoletes: timedatex < 0.6-3 Provides: timedatex = 0.6-3 +Conflicts: %{name}-standalone-repart < %{version}-%{release}^ +Provides: %{name}-repart = %{version}-%{release} Conflicts: %{name}-standalone-tmpfiles < %{version}-%{release}^ Provides: %{name}-tmpfiles = %{version}-%{release} Conflicts: %{name}-standalone-sysusers < %{version}-%{release}^ Provides: %{name}-sysusers = %{version}-%{release} +Conflicts: %{name}-standalone-shutdown < %{version}-%{release}^ +Provides: %{name}-shutdown = %{version}-%{release} # Recommends to replace normal Requires deps for stuff that is dlopen()ed Recommends: libidn2.so.0%{?elf_suffix} 
@@ -226,7 +254,11 @@ Recommends: libidn2.so.0(IDN2_0.0.0)%{?elf_bits} Recommends: libpcre2-8.so.0%{?elf_suffix} Recommends: libpwquality.so.1%{?elf_suffix} Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)%{?elf_bits} +%if %{undefined rhel} Recommends: libqrencode.so.4%{?elf_suffix} +%endif +Recommends: libbpf.so.0%{?elf_suffix} +Recommends: libbpf.so.0(LIBBPF_0.4.0)%{?elf_bits} Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy) @@ -255,12 +287,12 @@ utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users, system accounts, runtime directories and settings, and a logging daemons. %if 0%{?stable} -This package was built from the %{version}-stable branch of systemd. +This package was built from the %(c=%version; echo "v${c%.*}-stable") branch of systemd. %endif %package libs Summary: systemd libraries -License: LGPLv2+ and MIT +License: LGPL-2.1-or-later AND MIT Obsoletes: libudev < 183 Obsoletes: systemd < 185-4 Conflicts: systemd < 185-4 @@ -297,7 +329,7 @@ for information how to use those macros. %package devel Summary: Development headers for systemd -License: LGPLv2+ and MIT +License: LGPL-2.1-or-later AND MIT Requires: %{name}-libs%{_isa} = %{version}-%{release} Requires: (%{name}-rpm-macros = %{version}-%{release} if rpm-build) Provides: libudev-devel = %{version} @@ -310,7 +342,7 @@ to libudev or libsystemd. %package udev Summary: Rule-based device node and kernel event manager -License: LGPLv2+ +License: LGPL-2.1-or-later Requires: systemd%{_isa} = %{version}-%{release} Requires(post): systemd 
@@ -340,8 +372,9 @@ Recommends: libdw.so.1(ELFUTILS_0.186)%{?elf_bits} Recommends: libelf.so.1%{?elf_suffix} Recommends: libelf.so.1(ELFUTILS_1.7)%{?elf_bits} -# used by home, cryptsetup, cryptenroll +# used by home, cryptsetup, cryptenroll, logind Recommends: libfido2.so.1%{?elf_suffix} +Recommends: libp11-kit.so.0%{?elf_suffix} Recommends: libtss2-esys.so.0%{?elf_suffix} Recommends: libtss2-mu.so.0%{?elf_suffix} Recommends: libtss2-rc.so.0%{?elf_suffix} @@ -366,14 +399,36 @@ It also contains tools to manage encrypted home areas and secrets bound to the machine, and to create or grow partitions and make file systems automatically. %if 0%{?have_gnu_efi} +%if 0%{!?el8} +%package ukify +Summary: Tool to build Unified Kernel Images +Requires: %{name} = %{version}-%{release} + +# We prefer llvm-objcopy over objcopy. +Requires: (llvm or binutils) +Recommends: llvm + +Requires: python3dist(pefile) +Requires: python3dist(zstd) +Recommends: python3dist(pillow) + +BuildArch: noarch + +%description ukify +This package provides ukify, a script that combines a kernel image, an initrd, +with a command line, and possibly PCR measurements and other metadata, into a +Unified Kernel Image (UKI). +%endif + %package boot-unsigned Summary: UEFI boot manager (unsigned version) Provides: systemd-boot-unsigned-%{efi_arch} = %version-%release Provides: systemd-boot = %version-%release Provides: systemd-boot%{_isa} = %version-%release -Conflicts: systemd-boot < %{version}-%{release} -Obsoletes: systemd-boot < %{version}-%{release} +# A provides with just the version, no release or dist, used to build systemd-boot +Provides: version(systemd-boot-unsigned) = %version +Provides: version(systemd-boot-unsigned)%{_isa} = %version # self-obsoletes to install both packages after split of systemd-boot Obsoletes: systemd-udev < 252.2^ 
@@ -398,7 +453,7 @@ Requires(postun): systemd Obsoletes: %{name} < 229-5 # Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040) Suggests: libcurl-minimal -License: LGPLv2+ +License: LGPL-2.1-or-later %description container Systemd tools to spawn and manage containers and virtual machines. @@ -410,7 +465,7 @@ systemd-importd. # Name is the same as in Debian Summary: Tools to send journal events over the network Requires: %{name}%{_isa} = %{version}-%{release} -License: LGPLv2+ +License: LGPL-2.1-or-later Requires: firewalld-filesystem Provides: %{name}-journal-gateway = %{version}-%{release} Provides: %{name}-journal-gateway%{_isa} = %{version}-%{release} @@ -428,7 +483,7 @@ systemd-journal-upload. %package networkd Summary: System daemon that manages network configurations Requires: %{name}%{_isa} = %{version}-%{release} -License: LGPLv2+ +License: LGPL-2.1-or-later %if 0%{?facebook} == 0 # https://src.fedoraproject.org/rpms/systemd/pull-request/34 Obsoletes: systemd < 246.6-2 @@ -457,7 +512,7 @@ resolver, as well as an LLMNR and MulticastDNS resolver and responder. %package oomd-defaults Summary: Configuration files for systemd-oomd Requires: %{name} = %{version}-%{release} -License: LGPLv2+ +License: LGPL-2.1-or-later BuildArch: noarch %description oomd-defaults 
@@ -467,31 +522,51 @@ a userspace out-of-memory (OOM) killer. %package tests Summary: Internal unit tests for systemd Requires: %{name}%{_isa} = %{version}-%{release} -License: LGPLv2+ +License: LGPL-2.1-or-later %description tests "Installed tests" that are usually run as part of the build system. They can be useful to test systemd internals. +%package standalone-repart +Summary: Standalone systemd-repart binary for use on systems without systemd +Provides: %{name}-repart = %{version}-%{release} +RemovePathPostfixes: .standalone + +%description standalone-repart +Standalone systemd-repart binary with no dependencies on the systemd-shared library or +other libraries from systemd-libs. This package conflicts with the main systemd +package and is meant for use on systems without systemd. + %package standalone-tmpfiles -Summary: Standalone tmpfiles binary for use in non-systemd systems +Summary: Standalone systemd-tmpfiles binary for use on systems without systemd Provides: %{name}-tmpfiles = %{version}-%{release} RemovePathPostfixes: .standalone %description standalone-tmpfiles -Standalone tmpfiles binary with no dependencies on the systemd-shared library or +Standalone systemd-tmpfiles binary with no dependencies on the systemd-shared library or other libraries from systemd-libs. This package conflicts with the main systemd -package and is meant for use in non-systemd systems. +package and is meant for use on systems without systemd. %package standalone-sysusers -Summary: Standalone sysusers binary for use in non-systemd systems +Summary: Standalone systemd-sysusers binary for use on systems without systemd Provides: %{name}-sysusers = %{version}-%{release} RemovePathPostfixes: .standalone %description standalone-sysusers -Standalone sysusers binary with no dependencies on the systemd-shared library or +Standalone systemd-sysusers binary with no dependencies on the systemd-shared library or +other libraries from systemd-libs. 
This package conflicts with the main systemd +package and is meant for use on systems without systemd. + +%package standalone-shutdown +Summary: Standalone systemd-shutdown binary for use on systems without systemd +Provides: %{name}-shutdown = %{version}-%{release} +RemovePathPostfixes: .standalone + +%description standalone-shutdown +Standalone systemd-shutdown binary with no dependencies on the systemd-shared library or other libraries from systemd-libs. This package conflicts with the main systemd -package and is meant for use in non-systemd systems. +package and is meant for use in exitrds. %package selinux Summary: SELinux module for systemd @@ -514,9 +589,27 @@ runs properly under an environment with SELinux enabled. # the top directory is hsfb-250.3 instead of hs+fb-250.3. %autosetup -n %{name}-hs%{?facebook:fb}-%{version} -p1 +# We want to update sd-boot from packaging scriptlets after package update. +# Let's disable the service. +sed -r -i '/^enable systemd-boot-update.service/d' presets/90-systemd.preset + +sed -r 's|/system/|/user/|g' %{SOURCE16} >10-timeout-abort.conf.user + mkdir selinux cp %SOURCE100 %SOURCE101 %SOURCE102 %SOURCE103 selinux +%if 0%{!?el8} +%generate_buildrequires +%if 0%{?have_gnu_efi} +if grep -q gnu-efi meson_options.txt; then + echo 'gnu-efi' + echo 'gnu-efi-devel' +else + echo 'python3dist(pyelftools)' +fi +%endif +%endif + %build %global ntpvendor %(source /etc/os-release; echo ${ID}) %{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1} @@ -565,7 +658,7 @@ CONFIGURE_OPTS=( %endif -Delfutils=true -Dpwquality=true - -Dqrencode=true + -Dqrencode=%{?rhel:false}%{?!rhel:true} -Dgnutls=true -Dmicrohttpd=true -Dlibidn2=true @@ -573,7 +666,6 @@ CONFIGURE_OPTS=( -Dlibcurl=true -Dlibfido2=true -Defi=true - -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false} -Dtpm=true -Dtpm2=true -Dhwdb=true 
@@ -609,6 +701,9 @@ CONFIGURE_OPTS=( -Ddefault-llmnr=resolve # https://bugzilla.redhat.com/show_bug.cgi?id=2028169 -Dstatus-unit-format-default=combined + # https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer + -Ddefault-timeout-sec=45 + -Ddefault-user-timeout-sec=45 -Doomd=true -Dadm-gid=4 -Daudio-gid=63 @@ -644,6 +739,15 @@ CONFIGURE_OPTS+=( ) %endif +if grep gnu-efi meson_options.txt; then + CONFIGURE_OPTS+=( -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false} ) +else + # For now, let's build the bootloader in the same places where we + # built with gnu-efi. Later on, we might want to extend coverage, but + # considering that that support is untested, let's not do this now. + CONFIGURE_OPTS+=( -Dbootloader=%{?have_gnu_efi:true}%{?!have_gnu_efi:false} ) +fi + %if %{without lto} %global _lto_cflags %nil %endif @@ -755,9 +859,14 @@ install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3} # systemd-oomd default configuration install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/oomd.conf.d/ %{SOURCE14} -install -Dm0644 -t %{buildroot}%{system_unit_dir}/user-.slice.d/ %{SOURCE15} install -Dm0644 -t %{buildroot}%{system_unit_dir}/system.slice.d/ %{SOURCE15} install -Dm0644 -t %{buildroot}%{user_unit_dir}/slice.d/ %{SOURCE15} +# https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer +install -Dm0644 -t %{buildroot}%{system_unit_dir}/service.d/ %{SOURCE16} +install -Dm0644 10-timeout-abort.conf.user %{buildroot}%{user_unit_dir}/service.d/10-timeout-abort.conf + +# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount +install -Dm0644 -t %{buildroot}%{_prefix}/lib/sysctl.d/ %{SOURCE17} sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py 
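Review bot: In the added `if grep gnu-efi meson_options.txt; then` of `%build` the matching lines are printed into the build log, while the same probe in `%generate_buildrequires` uses `grep -q`. Writing `if grep -q gnu-efi meson_options.txt; then` here keeps the two checks identical and the log free of stray option text.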
@@ -766,6 +875,9 @@ install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/fileattrs/ %{SOURCE22} install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE23} install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE24} +# https://bugzilla.redhat.com/show_bug.cgi?id=2107754 +install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/network/ %{SOURCE25} + %find_lang %{name} # Split files in build root into rpms. See split-files.py for the @@ -908,11 +1020,17 @@ if systemctl -q is-enabled systemd-resolved.service &>/dev/null; then systemctl start systemd-resolved.service &>/dev/null || : fi -%triggerpostun -- systemd < 247.3-2 +%triggerun -- systemd < 247.3-2 # This is for upgrades from previous versions before oomd-defaults is available. +systemctl --no-reload preset systemd-oomd.service &>/dev/null || : + +%triggerpostun -- systemd < 253~rc1-2 +# This is for upgrades from previous versions where systemd-journald-audit.socket +# had a static enablement symlink. # We use %%triggerpostun here because rpm doesn't allow a second %%triggerun with # a different package version. -systemctl --no-reload preset systemd-oomd.service &>/dev/null || : +systemctl --no-reload preset systemd-journald-audit.socket &>/dev/null || : + %global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service %{?have_gnu_efi:systemd-boot-update.service} @@ -1110,6 +1228,9 @@ fi %files udev -f .file-list-udev %if 0%{?have_gnu_efi} +%if 0%{!?el8} +%files ukify -f .file-list-ukify +%endif %files boot-unsigned -f .file-list-boot %endif 
@@ -1124,16 +1245,31 @@ fi %files tests -f .file-list-tests +%files standalone-repart -f .file-list-standalone-repart + %files standalone-tmpfiles -f .file-list-standalone-tmpfiles %files standalone-sysusers -f .file-list-standalone-sysusers +%files standalone-shutdown -f .file-list-standalone-shutdown + %files selinux %{_datadir}/selinux/devel/include/contrib/systemd_hs.if %{_datadir}/selinux/packages/systemd_hs.pp.bz2 %changelog +* Mon Jul 17 2023 Daan De Meyer - 253.5-1.1 +- Add back python3-zstd on c9s now that it's been added to EPEL 9 +- Add back support for c8s builds (without ukify) +- Add full backport of bpftool version requirement lowering + +* Mon Jul 03 2023 Daan De Meyer - 253.5-1.1 +- Condition out python3-zstd until it is added to EPEL + +* Fri Jun 23 2023 Anita Zhang - 253.5-1.1 +- Sync from Fedora rawhide 5982ae9504c8f2697a839c6ce2a82287a60c1043 + * Thu May 25 2023 Daan De Meyer - 252.4-598.13 - Backport https://github.com/systemd/systemd/pull/25385 diff --git a/sysusers.generate-pre.sh b/sysusers.generate-pre.sh index a077bb7..4a87d53 100755 --- a/sysusers.generate-pre.sh +++ b/sysusers.generate-pre.sh @@ -20,16 +20,16 @@ user() { if [ "$uid" = '-' ] || [ "$uid" = '' ]; then cat <<-EOF getent passwd '$user' >/dev/null || \\ - useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || : + useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || : EOF else cat <<-EOF - if ! getent passwd '$user' >/dev/null; then - if ! getent passwd '$uid' >/dev/null; then - useradd -r -u '$uid' -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || : - else - useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || : - fi + if ! getent passwd ${user@Q} >/dev/null; then + if ! getent passwd ${uid@Q} >/dev/null; then + useradd -r -u ${uid@Q} -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || : + else + useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || : + fi fi EOF 
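Review bot: Two expansions on the new side keep the old `'$user'` form instead of `${user@Q}`: the unchanged line `getent passwd '$user' >/dev/null || \\` in the first branch here, and `usermod -a -G ${group@Q} '$user' || :` in the usermod() hunk further down. In the generated scriptlet a name containing a single quote would end the quoting early at those two places, which is the problem the rest of this change removes. Both should use `${user@Q}`. `${var@Q}` is a bash 4.4+ expansion, so the interpreter line (outside these hunks) needs to be bash, not sh. user() starts before and ends after this hunk.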
@@ -42,11 +42,11 @@ group() { if [ "$gid" = '-' ]; then cat <<-EOF - getent group '$group' >/dev/null || groupadd -r '$group' || : + getent group ${group@Q} >/dev/null || groupadd -r ${group@Q} || : EOF else cat <<-EOF - getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group' || : + getent group ${group@Q} >/dev/null || groupadd -f -g ${gid@Q} -r ${group@Q} || : EOF fi } @@ -56,8 +56,8 @@ usermod() { group="$2" cat <<-EOF - if getent group '$group' >/dev/null; then - usermod -a -G '$group' '$user' || : + if getent group ${group@Q} >/dev/null; then + usermod -a -G ${group@Q} '$user' || : fi EOF }