From cdb273799b4d38ab5fedd1d80497c21a0f40f726 Mon Sep 17 00:00:00 2001 From: Matteo Croce Date: Sep 12 2024 14:29:16 +0000 Subject: Merge remote-tracking branch 'fedora/rawhide' into c10s-sig-hyperscale --- diff --git a/33861.patch b/33861.patch deleted file mode 100644 index b443387..0000000 --- a/33861.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 1310492f7a58db4315390db174da65aef699aa91 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Mon, 29 Jul 2024 15:41:51 +0200 -Subject: [PATCH] kernel-install: Try some more initrd variants in - 90-loaderentry.install - -On CentOS/Fedora, dracut is configured to write the initrd to -/boot/initramfs-$KERNEL_VERSION...img so let's check for that as well -if no initrds were supplied. ---- - src/kernel-install/90-loaderentry.install.in | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/src/kernel-install/90-loaderentry.install.in b/src/kernel-install/90-loaderentry.install.in -index 4ef6aca169c1a..84f7a4a97fb43 100755 ---- a/src/kernel-install/90-loaderentry.install.in -+++ b/src/kernel-install/90-loaderentry.install.in -@@ -205,8 +205,18 @@ mkdir -p "${LOADER_ENTRY%/*}" || { - have_initrd=yes - done - -- # Try "initrd", generated by dracut in its kernel-install hook, if no initrds were supplied -- [ -z "$have_initrd" ] && [ -f "$ENTRY_DIR_ABS/initrd" ] && echo "initrd $ENTRY_DIR/initrd" -+ # Try a few variations that are generated by various initrd generators in their kernel-install hooks if -+ # no initrds were supplied. -+ -+ if [ -z "$have_initrd" ] && [ -f "$ENTRY_DIR_ABS/initrd" ]; then -+ echo "initrd $ENTRY_DIR/initrd" -+ have_initrd=yes -+ fi -+ -+ if [ -z "$have_initrd" ] && [ -f "$BOOT_ROOT/initramfs-$KERNEL_VERSION.img" ]; then -+ echo "initrd /initramfs-$KERNEL_VERSION.img" -+ have_initrd=yes -+ fi - : - } >"$LOADER_ENTRY" || { - echo "Error: could not create loader entry '$LOADER_ENTRY'." >&2 diff --git a/33864.patch b/33864.patch deleted file mode 100644 index 290af4c..0000000 
--- a/33864.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 94a2999f250e3f7579883f5c79815b80398043cd Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Mon, 29 Jul 2024 17:13:28 +0200 -Subject: [PATCH] kernel-install: Only read cmdline from /proc/cmdline when not - in container - -If we're running from within a container, we're very likely not going -to want to use the kernel command line from /proc/cmdline, so let's add -a check to see if we're running from a container to decide whether we'll -use the kernel command line from /proc/cmdline. ---- - src/kernel-install/90-loaderentry.install.in | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/kernel-install/90-loaderentry.install.in b/src/kernel-install/90-loaderentry.install.in -index 4ef6aca169c1a..79427684cc5c9 100755 ---- a/src/kernel-install/90-loaderentry.install.in -+++ b/src/kernel-install/90-loaderentry.install.in -@@ -79,8 +79,10 @@ elif [ -f /etc/kernel/cmdline ]; then - BOOT_OPTIONS="$(tr -s "$IFS" ' ' -Date: Wed, 14 Dec 2022 22:24:53 +0100 -Subject: [PATCH] fedora: use system-auth in pam systemd-user - ---- - src/login/systemd-user.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in -index 8a3c9e0165..74ef5f2552 100644 ---- a/src/login/systemd-user.in -+++ b/src/login/systemd-user.in -@@ -7,7 +7,7 @@ - -account sufficient pam_systemd_home.so - {% endif %} - account sufficient pam_unix.so no_pass_expiry --account required pam_permit.so -+account include system-auth - - {% if HAVE_SELINUX %} - session required pam_selinux.so close -@@ -20,4 +20,4 @@ session required pam_namespace.so - -session optional pam_systemd_home.so - {% endif %} - session optional pam_umask.so silent --session optional pam_systemd.so -+session include system-auth --- -2.41.0 - diff --git a/sources b/sources index dca53b1..ad04ada 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-256.4.tar.gz) = 0357f1b61a07e594aff118dec54bd7233f37b69ccdfa393b91f46f32f08238fa7dd44df70d1df858464c866e114868ae1bec66dc685703d425cbd4c86baddfb8 +SHA512 (systemd-256.6.tar.gz) = 99d0fad02cab3559e081dabc2797d1d66bbc21daf9aaec847aeb6bce289456ff9c8599a34563c9bfa3826db36ae9ab30836b09bae00bf1a410b54d0bad9bd4dc diff --git a/split-files.py b/split-files.py index 3f66ada..51400fd 100644 --- a/split-files.py +++ b/split-files.py @@ -260,6 +260,6 @@ for file in files(buildroot): if [print(f'ERROR: no file names were written to {o.name}') for name, o in outputs.items() if (o.tell() == 0 and - not (no_bootloader and name in ('ukify', 'boot'))) + not (no_bootloader and name == 'boot')) ]: sys.exit(1) diff --git a/systemd-user b/systemd-user new file mode 100644 index 0000000..82dcd32 --- /dev/null +++ b/systemd-user @@ -0,0 +1,14 @@ +# Used by systemd --user instances. + +-account sufficient pam_systemd_home.so +account sufficient pam_unix.so no_pass_expiry +account include system-auth + +session required pam_selinux.so close +session required pam_selinux.so nottys open +session required pam_loginuid.so +session optional pam_keyinit.so force revoke +session required pam_namespace.so +-session optional pam_systemd_home.so +session optional pam_umask.so silent +session include system-auth diff --git a/systemd.spec b/systemd.spec index 0fca0eb..1b5208c 100644 --- a/systemd.spec +++ b/systemd.spec @@ -43,7 +43,7 @@ Name: systemd Url: https://systemd.io # Allow users to specify the version and release when building the rpm by # setting the %%version_override and %%release_override macros. -Version: %{?version_override}%{!?version_override:256.4} +Version: %{?version_override}%{!?version_override:256.6} Release: %{?release_override}%{!?release_override:1.1}%{?dist} %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?) 
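Review bot: The narrowed exemption `name == 'boot'` in split-files.py has no comment saying why `boot` is now the only list allowed to stay empty, so a reader has to find `-Dukify=enabled` in the spec to understand it. A short comment above the condition would cover it, for example `# only the 'boot' list may be empty (no_bootloader builds); every other list, ukify included, must have entries`. The surrounding comprehension is evaluated only for its `print` side effect; that is unchanged context, but a plain loop that collects the empty outputs would read more clearly if this statement is touched again.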
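Review bot: The new static `systemd-user` file replaces the patch against upstream's `src/login/systemd-user.in`, so the `pam_selinux.so` and `pam_systemd_home.so` lines that the template wrapped in `{% if HAVE_SELINUX %}` and an `{% endif %}`-closed conditional are now unconditional, and later upstream changes to the template will no longer reach the package. Because this file defines the account and session stack for every `systemd --user` instance, a header comment recording its origin would help, for example `# Downstream copy of upstream src/login/systemd-user.in with pam_permit/pam_systemd replaced by system-auth; re-check against upstream on every rebase.` The `session include system-auth` line also assumes the distribution's system-auth session stack still calls `pam_systemd.so`, which the removed upstream line did explicitly; that is worth confirming on each target this branch builds for.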
@@ -92,6 +92,8 @@ Source24: sysusers.generate-pre.sh Source25: 98-default-mac-none.link +Source26: systemd-user + %if 0 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip @@ -104,7 +106,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # than in the next section. Packit CI will drop any patches in this range before # applying upstream pull requests. -%if %{without upstream} %if 0%{?fedora} < 40 && 0%{?rhel} < 10 # Work-around for dracut issue: run generators directly when we are in initrd # https://bugzilla.redhat.com/show_bug.cgi?id=2164404 @@ -115,19 +116,12 @@ Patch0010: https://github.com/systemd/systemd/pull/26494.patch # Requested in https://bugzilla.redhat.com/show_bug.cgi?id=2298422 Patch0011: https://github.com/systemd/systemd/pull/33738.patch -Patch0012: https://github.com/systemd/systemd/pull/33861.patch -Patch0013: https://github.com/systemd/systemd/pull/33864.patch - # Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 Patch0491: https://github.com/systemd/systemd/pull/30846.patch # Soft-disable tmpfiles --purge until a good use case comes up. Patch0492: 0001-tmpfiles-make-purge-hard-to-mis-use.patch -%endif - -# Adjust upstream config to use our shared stack -Patch0499: fedora-use-system-auth-in-pam-systemd-user.patch %ifarch %{ix86} x86_64 aarch64 riscv64 %global want_bootloader 1 @@ -418,8 +412,10 @@ Obsoletes: systemd < 245.6-1 Provides: udev = %{version} Provides: udev%{_isa} = %{version} Obsoletes: udev < 183 +%if 0%{?fedora} || 0%{?rhel} >= 10 Requires: (grubby > 8.40-72 if grubby) Requires: (sdubby > 1.0-3 if sdubby) +%endif # A backport of systemd-timesyncd is shipped as a separate package in EPEL so # let's make sure we properly handle that. %if 0%{?rhel} 
@@ -483,18 +479,24 @@ This package also provides systemd-timesyncd, a network time protocol daemon. It also contains tools to manage encrypted home areas and secrets bound to the machine, and to create or grow partitions and make file systems automatically. -%if 0%{?want_bootloader} %package ukify Summary: Tool to build Unified Kernel Images Requires: %{name} = %{version}-%{release} -Requires: systemd-boot +Requires: (systemd-boot if %{shrink:( + filesystem(x86-32) or + filesystem(x86-64) or + filesystem(aarch64) or + filesystem(riscv64) +)}) Requires: python3dist(pefile) %if 0%{?fedora} Requires: python3dist(zstd) %endif Requires: python3dist(cryptography) +%if 0%{?fedora} Recommends: python3dist(pillow) +%endif # for tests %ifarch riscv64 @@ -510,6 +512,7 @@ This package provides ukify, a script that combines a kernel image, an initrd, with a command line, and possibly PCR measurements and other metadata, into a Unified Kernel Image (UKI). +%if 0%{?want_bootloader} %package boot-unsigned Summary: UEFI boot manager (unsigned version) @@ -824,10 +827,8 @@ CONFIGURE_OPTS=( # For now, let's build the bootloader in the same places where we # built with gnu-efi. Later on, we might want to extend coverage, but # considering that that support is untested, let's not do this now. - # Note, ukify requires bootloader, let's also explicitly enable/disable it - # here for https://github.com/systemd/systemd/pull/24175. -Dbootloader=%[%{?want_bootloader}?"enabled":"disabled"] - -Dukify=%[%{?want_bootloader}?"enabled":"disabled"] + -Dukify=enabled ) %if 0%{?facebook} 
@@ -1012,6 +1013,15 @@ mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/ rm %{buildroot}/usr/lib/sysusers.d/basic.conf %endif +# Disable sshd_config.d/20-systemd-userdb.conf for now. +# This option may override an existing AuthorizedKeysCommand setting +# (or be ineffective, depending on the order of configuration). +# See https://github.com/systemd/systemd/issues/33648. +rm %{buildroot}/etc/ssh/sshd_config.d/20-systemd-userdb.conf +mv %{buildroot}/usr/lib/tmpfiles.d/20-systemd-userdb.conf{,.example} + +install -m 0644 -t %{buildroot}%{_prefix}/lib/pam.d/ %{SOURCE26} + %find_lang %{name} # Split files in build root into rpms @@ -1269,8 +1279,8 @@ fi %files udev -f .file-list-udev -%if 0%{?want_bootloader} %files ukify -f .file-list-ukify +%if 0%{?want_bootloader} %files boot-unsigned -f .file-list-boot %endif
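Review bot: The `install -m 0644 -t %{buildroot}%{_prefix}/lib/pam.d/ %{SOURCE26}` line only replaces upstream's `systemd-user` if the build placed it in that same directory. With `Patch0499` dropped, the upstream file is the unpatched one (`account required pam_permit.so`); if it were ever installed elsewhere, such as under `/etc/pam.d`, both copies would ship and the one in `/etc` would presumably take precedence. A build-time guard after the install would catch that, for example `test ! -e %{buildroot}%{_sysconfdir}/pam.d/systemd-user`. For the sshd drop-in, plain `rm` without `-f` is a good choice because the build fails loudly if the path moves, but `mv …/20-systemd-userdb.conf{,.example}` depends on bash brace expansion in the %install shell, so spelling out both paths would be more robust.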