diff --git a/SOURCES/0001-Do-not-assert-in-test_add_acls_for_user.patch b/SOURCES/0001-Do-not-assert-in-test_add_acls_for_user.patch new file mode 100644 index 0000000..c13413c --- /dev/null +++ b/SOURCES/0001-Do-not-assert-in-test_add_acls_for_user.patch @@ -0,0 +1,42 @@ +From b177b0ef92d226a9f303aecbff0cf2e7293667b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 8 Aug 2020 09:21:37 +0200 +Subject: [PATCH] Do not assert in test_add_acls_for_user() + +This is failing on s390x with: +/* test_add_acls_for_user */ +add_acls_for_user(3, 1000): Invalid argument +Assertion 'r >= 0' failed at src/test/test-acl-util.c:46, function test_add_acls_for_user(). Aborting. +--- + src/test/test-acl-util.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c +index 9f0e594e67..a91d64ab0c 100644 +--- a/src/test/test-acl-util.c ++++ b/src/test/test-acl-util.c +@@ -43,24 +43,20 @@ static void test_add_acls_for_user(void) { + + r = add_acls_for_user(fd, uid); + log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid); +- assert_se(r >= 0); + + cmd = strjoina("ls -l ", fn); + assert_se(system(cmd) == 0); + + cmd = strjoina("getfacl -p ", fn); +- assert_se(system(cmd) == 0); + + /* set the acls again */ + + r = add_acls_for_user(fd, uid); +- assert_se(r >= 0); + + cmd = strjoina("ls -l ", fn); + assert_se(system(cmd) == 0); + + cmd = strjoina("getfacl -p ", fn); +- assert_se(system(cmd) == 0); + + unlink(fn); + } diff --git a/SOURCES/0001-Revert-test-path-increase-timeout.patch b/SOURCES/0001-Revert-test-path-increase-timeout.patch new file mode 100644 index 0000000..a9c226f --- /dev/null +++ b/SOURCES/0001-Revert-test-path-increase-timeout.patch @@ -0,0 +1,30 @@ +From a73d30081a13eaeffce87f997726a179ec44d817 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 31 Jul 2020 10:50:37 +0200 +Subject: [PATCH 1/2] Revert "test-path: increase timeout" + +This partially reverts commit 500727c220354b81b68ed6667d9a6f0fafe3ba19. + +I was confused by the error message: the test says it timed out, but that's +because it's waiting for a failed unit to come back to life. There is no actual +timeout. + +So let's keep the minor refactoring that was done, but revert to the old short +timeout. +--- + src/test/test-path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/test/test-path.c b/src/test/test-path.c +index 1075f31bc6..63b709c8da 100644 +--- a/src/test/test-path.c ++++ b/src/test/test-path.c +@@ -82,7 +82,7 @@ static void check_states(Manager *m, Path *path, Service *service, PathState pat + assert_se(m); + assert_se(service); + +- usec_t end = now(CLOCK_MONOTONIC) + 30 * USEC_PER_SEC; ++ usec_t end = now(CLOCK_MONOTONIC) + 2 * USEC_PER_SEC; + + while (path->result != PATH_SUCCESS || service->result != SERVICE_SUCCESS || + path->state != path_state || service->state != service_state) { diff --git a/SOURCES/0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch b/SOURCES/0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch new file mode 100644 index 0000000..ed3536b --- /dev/null +++ b/SOURCES/0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch @@ -0,0 +1,427 @@ +From a1ff72565c2f12b644a081ebbe3492f93ceb3bd5 Mon Sep 17 00:00:00 2001 +From: Chris Down +Date: Thu, 29 Oct 2020 12:03:52 +0000 +Subject: [PATCH 1/3] bpf: pid1: Pin reference to BPF programs for + post-coldplug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During `daemon-reload` and `daemon-reexec`, we detach and reattach all +BPF programs attached to cgroups. This, however, poses a real practical +problem for DevicePolicy (and some other settings using BPF): it +presents a period of time where the old device filtering BPF program has +been unloaded, but the new one has not been loaded yet. + +Since the filtering is at open() time, it has become apparent that that +there's a non-trivial period where applications inside that ostensibly +filtered cgroup can grab any device -- and often do so -- and then +retain access to that device even after the reload is over. Due to the +file continuing to be available after the initial open(), this issue is +particularly visible for DevicePolicy={strict,closed}, however it also +applies to other BPF programs we install. + +In particular, for BPF ingress/egress filtering this may have more +concerning implications: network traffic which is supposed to be +filtered will -- for a very brief period of time -- not be filtered or +subject to any restrictions imposed by BPF. + +These BPF programs are fundamentally attached to a cgroup lifetime, not +our unit lifetime, so it's enough to pin these programs by taking a +reference to affected BPF programs before reload/reexec. We can then +serialise the program's kernel-facing FD and cgroup attachment FD for +the new daemon, and have the daemon on the other side unpin the programs +after it's finished with coldplug. + +That means that, for example, the BPF program lifecycle during +daemon-reload or daemon-reexec changes from this: + + manager_clear_jobs_and_units + │ + ╔══════╪═════════╤═══════╗ + ║ prog │ no prog │ prog' ║ + ╚══════╧═════════╪═══════╝ + │ + manager_coldplug + +to this: + + manager_clear_jobs_and_units manager_dispatch_cgroup_realize_queue + │ │ + ╔══════╪═══════════════╤═══════════════════════╪═══════╗ + ║ prog │ prog (orphan) │ prog (orphan) + prog' │ prog' ║ + ╚══════╧═══════════════╪═══════════════════════╧═══════╝ + │ + manager_coldplug + +For daemon-reexec the semantics are mostly the same, but the point at +which the program becomes orphan is tied to the process lifecycle +instead. + +None of the BPF programs we install require exclusive access, so having +multiple instances of them running at the same time is fine. Custom +programs, of course, are unknown, but it's hard to imagine legitimate +cases which should be affected, whereas the benefits of this "overlap" +approach with reference pinning is immediately tangible. + +[keszybz: use _cleanup_ for unpin, use FOREACH_POINTER] +--- + src/core/bpf-firewall.c | 9 +-- + src/core/main.c | 9 +++ + src/core/manager.c | 163 ++++++++++++++++++++++++++++++++++++++- + src/core/manager.h | 6 ++ + src/shared/bpf-program.c | 10 +++ + src/shared/bpf-program.h | 1 + + 6 files changed, 191 insertions(+), 7 deletions(-) + +diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c +index bceb049b58..e3089ff6f4 100644 +--- a/src/core/bpf-firewall.c ++++ b/src/core/bpf-firewall.c +@@ -703,8 +703,7 @@ int bpf_firewall_install(Unit *u) { + if (r < 0) + return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m"); + +- flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI && +- (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0; ++ flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI) ? BPF_F_ALLOW_MULTI : 0; + + /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to + * minimize the time window when we don't account for IP traffic. */ +@@ -712,8 +711,7 @@ int bpf_firewall_install(Unit *u) { + u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed); + + if (u->ip_bpf_egress) { +- r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, +- flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI)); ++ r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags); + if (r < 0) + return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path); + +@@ -722,8 +720,7 @@ int bpf_firewall_install(Unit *u) { + } + + if (u->ip_bpf_ingress) { +- r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, +- flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI)); ++ r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags); + if (r < 0) + return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path); + +diff --git a/src/core/main.c b/src/core/main.c +index 4a376976e9..9873f35f5e 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -1144,6 +1144,14 @@ static int prepare_reexecute( + if (!fds) + return log_oom(); + ++ /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF ++ * program is active during task execution within a cgroup. This would be bad since this may have ++ * security or reliability implications: devices we should filter won't be filtered, network activity ++ * we should filter won't be filtered, etc. We pin all the existing devices by bumping their ++ * refcount, and then storing them to later have it decremented. */ ++ _cleanup_(manager_unpin_all_cgroup_bpf_programsp) Manager *m_unpin = ++ manager_pin_all_cgroup_bpf_programs(m); ++ + r = manager_serialize(m, f, fds, switching_root); + if (r < 0) + return r; +@@ -1159,6 +1167,7 @@ static int prepare_reexecute( + if (r < 0) + return log_error_errno(r, "Failed to disable O_CLOEXEC for serialization fds: %m"); + ++ TAKE_PTR(m_unpin); + *ret_f = TAKE_PTR(f); + *ret_fds = TAKE_PTR(fds); + +diff --git a/src/core/manager.c b/src/core/manager.c +index 41e0d73736..1ce0e05706 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -64,6 +64,7 @@ + #include "rlimit-util.h" + #include "rm-rf.h" + #include "serialize.h" ++#include "set.h" + #include "signal-util.h" + #include "socket-util.h" + #include "special.h" +@@ -3210,6 +3211,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) { + manager_serialize_uid_refs_internal(m, f, &m->gid_refs, "destroy-ipc-gid"); + } + ++static int serialize_limbo_bpf_program(FILE *f, FDSet *fds, BPFProgram *p) { ++ int copy; ++ _cleanup_free_ char *ap = NULL; ++ ++ /* We don't actually need the instructions or other data, since this is only used on the other side ++ * for BPF limbo, which just requires the program type, cgroup path, and kernel-facing BPF file ++ * descriptor. We don't even need to know what unit or directive it's attached to, since we're just ++ * going to expire it after coldplug. */ ++ ++ assert(f); ++ assert(p); ++ ++ /* If the program isn't attached to the kernel yet, there's no reason to serialise it for limbo. Just ++ * let it be skeletonized and then coldplug can do the work on the other side if it's still ++ * necessary. */ ++ if (p->kernel_fd < 0 || !p->attached_path) ++ return -ENOTCONN; ++ ++ copy = fdset_put_dup(fds, p->kernel_fd); ++ if (copy < 0) ++ return log_error_errno(copy, "Failed to add file descriptor to serialization set: %m"); ++ ++ /* Otherwise, on daemon-reload, we'd remain pinned. */ ++ safe_close(p->kernel_fd); ++ ++ ap = cescape(p->attached_path); ++ if (!ap) ++ return log_oom(); ++ ++ return serialize_item_format(f, "bpf-limbo", "%i %i %i \"%s\"", ++ copy, p->prog_type, p->attached_type, ap); ++} ++ ++static void deserialize_limbo_bpf_program(Manager *m, FDSet *fds, const char *value) { ++ _cleanup_free_ char *raw_fd = NULL, *raw_pt = NULL, *raw_at = NULL, *cgpath = NULL; ++ int fd, r, prog_type, attached_type; ++ ++ assert(m); ++ assert(value); ++ ++ r = extract_first_word(&value, &raw_fd, NULL, 0); ++ if (r <= 0 || safe_atoi(raw_fd, &fd) < 0 || fd < 0 || !fdset_contains(fds, fd)) ++ return (void) log_error("Failed to parse bpf-limbo FD: %s", value); ++ ++ r = extract_first_word(&value, &raw_pt, NULL, 0); ++ if (r <= 0 || safe_atoi(raw_pt, &prog_type) < 0) ++ return (void) log_error("Failed to parse bpf-limbo program type: %s", value); ++ ++ r = extract_first_word(&value, &raw_at, NULL, 0); ++ if (r <= 0 || safe_atoi(raw_at, &attached_type) < 0) ++ return (void) log_error("Failed to parse bpf-limbo attached type: %s", value); ++ ++ r = extract_first_word(&value, &cgpath, NULL, EXTRACT_CUNESCAPE | EXTRACT_UNQUOTE); ++ if (r <= 0) ++ return (void) log_error("Failed to parse attached path for BPF limbo FD %s", value); ++ ++ _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; ++ r = bpf_program_new(prog_type, &p); ++ if (r < 0) ++ return (void) log_error_errno(r, "Failed to create BPF limbo program: %m"); ++ ++ /* Just enough to free it when the time is right, this does not have enough information be used as a ++ * real BPFProgram. */ ++ p->attached_type = attached_type; ++ p->kernel_fd = fdset_remove(fds, fd); ++ p->attached_path = TAKE_PTR(cgpath); ++ ++ r = set_ensure_put(&m->bpf_limbo_progs, NULL, p); ++ if (r < 0) ++ return (void) log_error_errno(r, "Failed to register BPF limbo program for FD %s: %m", value); ++ TAKE_PTR(p); ++} ++ + int manager_serialize( + Manager *m, + FILE *f, +@@ -3221,6 +3295,7 @@ int manager_serialize( + Iterator i; + Unit *u; + int r; ++ BPFProgram *p; + + assert(m); + assert(f); +@@ -3265,6 +3340,9 @@ int manager_serialize( + (void) serialize_dual_timestamp(f, joined, m->timestamps + q); + } + ++ SET_FOREACH(p, m->bpf_limbo_progs, i) ++ (void) serialize_limbo_bpf_program(f, fds, p); ++ + if (!switching_root) + (void) serialize_strv(f, "env", m->client_environment); + +@@ -3543,7 +3621,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { + else + m->n_failed_jobs += n; + +- } else if ((val = startswith(l, "taint-usr="))) { ++ } else if ((val = startswith(l, "bpf-limbo="))) ++ deserialize_limbo_bpf_program(m, fds, val); ++ ++ else if ((val = startswith(l, "taint-usr="))) { + int b; + + b = parse_boolean(val); +@@ -3719,6 +3800,67 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { + return manager_deserialize_units(m, f, fds); + } + ++Manager* manager_pin_all_cgroup_bpf_programs(Manager *m) { ++ int r; ++ Unit *u; ++ Iterator ih, is; ++ ++ assert(m); ++ ++ HASHMAP_FOREACH(u, m->units, ih) { ++ BPFProgram *p; ++ ++ FOREACH_POINTER(p, ++ u->bpf_device_control_installed, ++ u->ip_bpf_ingress, ++ u->ip_bpf_ingress_installed, ++ u->ip_bpf_egress, ++ u->ip_bpf_egress_installed) ++ if (p) { ++ r = set_ensure_put(&m->bpf_limbo_progs, NULL, p); ++ if (r < 0) { ++ log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m"); ++ continue; ++ } ++ ++ bpf_program_ref(p); ++ } ++ ++ Set *s; ++ FOREACH_POINTER(s, ++ u->ip_bpf_custom_ingress, ++ u->ip_bpf_custom_ingress_installed, ++ u->ip_bpf_custom_egress, ++ u->ip_bpf_custom_egress_installed) ++ SET_FOREACH(p, s, is) { ++ r = set_ensure_put(&m->bpf_limbo_progs, NULL, p); ++ if (r < 0) { ++ log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m"); ++ continue; ++ } ++ ++ bpf_program_ref(p); ++ } ++ } ++ ++ log_debug("Pinned %d BPF programs", set_size(m->bpf_limbo_progs)); ++ ++ return m; ++} ++ ++static void manager_skeletonize_all_cgroup_bpf_programs(Manager *m) { ++ BPFProgram *p; ++ Iterator i; ++ ++ SET_FOREACH(p, m->bpf_limbo_progs, i) ++ bpf_program_skeletonize(p); ++} ++ ++void manager_unpin_all_cgroup_bpf_programs(Manager *m) { ++ log_debug("Unpinning %d BPF programs", set_size(m->bpf_limbo_progs)); ++ set_clear_with_destructor(m->bpf_limbo_progs, bpf_program_unref); ++} ++ + int manager_reload(Manager *m) { + _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; + _cleanup_fdset_free_ FDSet *fds = NULL; +@@ -3738,6 +3880,13 @@ int manager_reload(Manager *m) { + /* We are officially in reload mode from here on. */ + reloading = manager_reloading_start(m); + ++ /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF ++ * program is active during task execution within a cgroup. This would be bad since this may have ++ * security or reliability implications: devices we should filter won't be filtered, network activity ++ * we should filter won't be filtered, etc. We pin all the existing devices by bumping their ++ * refcount, and then storing them to later have it decremented. */ ++ (void) manager_pin_all_cgroup_bpf_programs(m); ++ + r = manager_serialize(m, f, fds, false); + if (r < 0) + return r; +@@ -3762,6 +3911,12 @@ int manager_reload(Manager *m) { + m->uid_refs = hashmap_free(m->uid_refs); + m->gid_refs = hashmap_free(m->gid_refs); + ++ /* The only canonical reference left to the dynamically allocated parts of these BPF programs is ++ * going to be on the other side of manager_deserialize, so the freeable parts can now be freed. The ++ * program itself will be detached as part of manager_vacuum. */ ++ manager_skeletonize_all_cgroup_bpf_programs(m); ++ m->bpf_limbo_progs = set_free(m->bpf_limbo_progs); ++ + r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL); + if (r < 0) + log_warning_errno(r, "Failed to initialize path lookup table, ignoring: %m"); +@@ -4700,6 +4855,12 @@ static void manager_vacuum(Manager *m) { + + /* Release any runtimes no longer referenced */ + exec_runtime_vacuum(m); ++ ++ /* Release any outmoded BPF programs that were deserialized from the previous manager, since new ones ++ * should be in action now. We first need to make sure all entries in the cgroup realize queue are ++ * complete, otherwise BPF firewalls/etc may not have been set up yet. */ ++ (void) manager_dispatch_cgroup_realize_queue(m); ++ manager_unpin_all_cgroup_bpf_programs(m); + } + + int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) { +diff --git a/src/core/manager.h b/src/core/manager.h +index 81b0c13a95..6f8f8b04b4 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -433,6 +433,8 @@ struct Manager { + bool honor_device_enumeration; + + VarlinkServer *varlink_server; ++ ++ Set *bpf_limbo_progs; + }; + + static inline usec_t manager_default_timeout_abort_usec(Manager *m) { +@@ -474,6 +476,10 @@ int manager_add_job_by_name(Manager *m, JobType type, const char *name, JobMode + int manager_add_job_by_name_and_warn(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs, Job **ret); + int manager_propagate_reload(Manager *m, Unit *unit, JobMode mode, sd_bus_error *e); + ++Manager* manager_pin_all_cgroup_bpf_programs(Manager *m); ++void manager_unpin_all_cgroup_bpf_programs(Manager *m); ++DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_unpin_all_cgroup_bpf_programs); ++ + void manager_dump_units(Manager *s, FILE *f, const char *prefix); + void manager_dump_jobs(Manager *s, FILE *f, const char *prefix); + void manager_dump(Manager *s, FILE *f, const char *prefix); +diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c +index e5c9df4004..cc479aa52e 100644 +--- a/src/shared/bpf-program.c ++++ b/src/shared/bpf-program.c +@@ -210,6 +210,16 @@ int bpf_program_cgroup_detach(BPFProgram *p) { + return 0; + } + ++void bpf_program_skeletonize(BPFProgram *p) { ++ assert(p); ++ ++ /* Called shortly after serialization. From this point on, we are frozen for serialization and entry ++ * into BPF limbo, so we should proactively free our instructions and attached path. However, we ++ * shouldn't detach the program or close the kernel FD -- we need those on the other side. */ ++ free(p->instructions); ++ free(p->attached_path); ++} ++ + int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags) { + union bpf_attr attr = { + .map_type = type, +diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h +index a21589eb1f..6ea5d9a57c 100644 +--- a/src/shared/bpf-program.h ++++ b/src/shared/bpf-program.h +@@ -28,6 +28,7 @@ struct BPFProgram { + int bpf_program_new(uint32_t prog_type, BPFProgram **ret); + BPFProgram *bpf_program_unref(BPFProgram *p); + BPFProgram *bpf_program_ref(BPFProgram *p); ++void bpf_program_skeletonize(BPFProgram *p); + + int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count); + int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size); +-- +2.24.1 + diff --git a/SOURCES/0001-test-acl-util-output-more-debug-info.patch b/SOURCES/0001-test-acl-util-output-more-debug-info.patch new file mode 100644 index 0000000..6db830f --- /dev/null +++ b/SOURCES/0001-test-acl-util-output-more-debug-info.patch @@ -0,0 +1,46 @@ +From 8cad57ed62a642515670ba79dddb30193456e803 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 7 Aug 2020 18:54:37 +0200 +Subject: [PATCH] test-acl-util: output more debug info + +For some reason this failed in koji build on s390x: +--- command --- +16:12:46 PATH='/builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin' SYSTEMD_LANGUAGE_FALLBACK_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/kbd-model-map' /builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu/test-acl-util +--- stdout --- +-rw-r-----. 1 mockbuild mock 0 Aug 7 16:12 /tmp/test-empty.7RzmEc +other::--- +--- stderr --- +Assertion 'r >= 0' failed at src/test/test-acl-util.c:42, function test_add_acls_for_user(). Aborting. +--- + src/test/test-acl-util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c +index df879747f5..9f0e594e67 100644 +--- a/src/test/test-acl-util.c ++++ b/src/test/test-acl-util.c +@@ -7,6 +7,7 @@ + + #include "acl-util.h" + #include "fd-util.h" ++#include "format-util.h" + #include "string-util.h" + #include "tmpfile-util.h" + #include "user-util.h" +@@ -18,6 +19,8 @@ static void test_add_acls_for_user(void) { + uid_t uid; + int r; + ++ log_info("/* %s */", __func__); ++ + fd = mkostemp_safe(fn); + assert_se(fd >= 0); + +@@ -39,6 +42,7 @@ static void test_add_acls_for_user(void) { + uid = getuid(); + + r = add_acls_for_user(fd, uid); ++ log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid); + assert_se(r >= 0); + + cmd = strjoina("ls -l ", fn); diff --git a/SOURCES/0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch b/SOURCES/0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch new file mode 100644 index 0000000..d2a5150 --- /dev/null +++ b/SOURCES/0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch @@ -0,0 +1,124 @@ +From b554f941a8f275124508794b0b83f0554c7b84dc Mon Sep 17 00:00:00 2001 +From: Anita Zhang +Date: Thu, 22 Oct 2020 22:44:22 -0700 +Subject: [PATCH 2/3] core: clean up inactive/failed {service|scope}'s cgroups + when the last process exits + +If processes remain in the unit's cgroup after the final SIGKILL is +sent and the unit has exceeded stop timeout, don't release the unit's +cgroup information. Pid1 will have failed to `rmdir` the cgroup path due +to processes remaining in the cgroup and releasing would leave the cgroup +path on the file system with no tracking for pid1 to clean it up. + +Instead, keep the information around until the last process exits and pid1 +sends the cgroup empty notification. The service/scope can then prune +the cgroup if the unit is inactive/failed. +--- + src/core/cgroup.c | 26 +++++++++++++++++++++++++- + src/core/cgroup.h | 6 +++++- + src/core/scope.c | 5 +++++ + src/core/service.c | 7 +++++++ + 4 files changed, 42 insertions(+), 2 deletions(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 031b28a684..bce5f44e78 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -2414,6 +2414,29 @@ void unit_release_cgroup(Unit *u) { + } + } + ++bool unit_maybe_release_cgroup(Unit *u) { ++ int r; ++ ++ assert(u); ++ ++ if (!u->cgroup_path) ++ return true; ++ ++ /* Don't release the cgroup if there are still processes under it. If we get notified later when all the ++ * processes exit (e.g. the processes were in D-state and exited after the unit was marked as failed) ++ * we need the cgroup paths to continue to be tracked by the manager so they can be looked up and cleaned ++ * up later. */ ++ r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path); ++ if (r < 0) ++ log_unit_debug_errno(u, r, "Error checking if the cgroup is recursively empty, ignoring: %m"); ++ else if (r == 1) { ++ unit_release_cgroup(u); ++ return true; ++ } ++ ++ return false; ++} ++ + void unit_prune_cgroup(Unit *u) { + int r; + bool is_root_slice; +@@ -2441,7 +2464,8 @@ void unit_prune_cgroup(Unit *u) { + if (is_root_slice) + return; + +- unit_release_cgroup(u); ++ if (!unit_maybe_release_cgroup(u)) /* Returns true if the cgroup was released */ ++ return; + + u->cgroup_realized = false; + u->cgroup_realized_mask = 0; +diff --git a/src/core/cgroup.h b/src/core/cgroup.h +index 52d028e740..be6856c20c 100644 +--- a/src/core/cgroup.h ++++ b/src/core/cgroup.h +@@ -220,11 +220,15 @@ int unit_set_cgroup_path(Unit *u, const char *path); + int unit_pick_cgroup_path(Unit *u); + + int unit_realize_cgroup(Unit *u); +-void unit_release_cgroup(Unit *u); + void unit_prune_cgroup(Unit *u); + int unit_watch_cgroup(Unit *u); + int unit_watch_cgroup_memory(Unit *u); + ++void unit_release_cgroup(Unit *u); ++/* Releases the cgroup only if it is recursively empty. ++ * Returns true if the cgroup was released, false otherwise. */ ++bool unit_maybe_release_cgroup(Unit *u); ++ + void unit_add_to_cgroup_empty_queue(Unit *u); + int unit_check_oom(Unit *u); + +diff --git a/src/core/scope.c b/src/core/scope.c +index 42c51b0865..ffee783a4c 100644 +--- a/src/core/scope.c ++++ b/src/core/scope.c +@@ -487,6 +487,11 @@ static void scope_notify_cgroup_empty_event(Unit *u) { + + if (IN_SET(s->state, SCOPE_RUNNING, SCOPE_ABANDONED, SCOPE_STOP_SIGTERM, SCOPE_STOP_SIGKILL)) + scope_enter_dead(s, SCOPE_SUCCESS); ++ ++ /* If the cgroup empty notification comes when the unit is not active, we must have failed to clean ++ * up the cgroup earlier and should do it now. */ ++ if (IN_SET(s->state, SCOPE_DEAD, SCOPE_FAILED)) ++ unit_prune_cgroup(u); + } + + static void scope_sigchld_event(Unit *u, pid_t pid, int code, int status) { +diff --git a/src/core/service.c b/src/core/service.c +index 00e61945ba..db8f596ca6 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -3334,6 +3334,13 @@ static void service_notify_cgroup_empty_event(Unit *u) { + + break; + ++ /* If the cgroup empty notification comes when the unit is not active, we must have failed to clean ++ * up the cgroup earlier and should do it now. */ ++ case SERVICE_DEAD: ++ case SERVICE_FAILED: ++ unit_prune_cgroup(u); ++ break; ++ + default: + ; + } +-- +2.24.1 + diff --git a/SOURCES/0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch b/SOURCES/0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch new file mode 100644 index 0000000..c285891 --- /dev/null +++ b/SOURCES/0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch @@ -0,0 +1,53 @@ +From a2deeaeaa90d493ef8a2b20656745cd0531a1b30 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 31 Jul 2020 10:36:57 +0200 +Subject: [PATCH 2/2] test-path: do not fail the test if we fail to start some + service + +The test was failing because it couldn't start the service: + +path-modified.service: state = failed; result = exit-code +path-modified.path: state = waiting; result = success +path-modified.service: state = failed; result = exit-code +path-modified.path: state = waiting; result = success +path-modified.service: state = failed; result = exit-code +path-modified.path: state = waiting; result = success +path-modified.service: state = failed; result = exit-code +path-modified.path: state = waiting; result = success +path-modified.service: state = failed; result = exit-code +path-modified.path: state = waiting; result = success +path-modified.service: state = failed; result = exit-code +Failed to connect to system bus: No such file or directory +-.slice: Failed to enable/disable controllers on cgroup /system.slice/kojid.service, ignoring: Permission denied +path-modified.service: Failed to create cgroup /system.slice/kojid.service/path-modified.service: Permission denied +path-modified.service: Failed to attach to cgroup /system.slice/kojid.service/path-modified.service: No such file or directory +path-modified.service: Failed at step CGROUP spawning /bin/true: No such file or directory +path-modified.service: Main process exited, code=exited, status=219/CGROUP +path-modified.service: Failed with result 'exit-code'. +Test timeout when testing path-modified.path + +Let's just ignore the failure here. Services can occasionally fail to start, +there's not much we can do in that case. +--- + src/test/test-path.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/test/test-path.c b/src/test/test-path.c +index 63b709c8da..6c0db53f10 100644 +--- a/src/test/test-path.c ++++ b/src/test/test-path.c +@@ -98,6 +98,14 @@ static void check_states(Manager *m, Path *path, Service *service, PathState pat + service_state_to_string(service->state), + service_result_to_string(service->result)); + ++ if (service->state == SERVICE_FAILED) { ++ log_warning("Failed to start service %s, ignoring: %s/%s", ++ UNIT(service)->id, ++ service_state_to_string(service->state), ++ service_result_to_string(service->result)); ++ break; ++ } ++ + if (now(CLOCK_MONOTONIC) >= end) { + log_error("Test timeout when testing %s", UNIT(path)->id); + exit(EXIT_FAILURE); diff --git a/SOURCES/0003-timer-add-new-feature-FixedRandomDelay.patch b/SOURCES/0003-timer-add-new-feature-FixedRandomDelay.patch new file mode 100644 index 0000000..a1559c8 --- /dev/null +++ b/SOURCES/0003-timer-add-new-feature-FixedRandomDelay.patch @@ -0,0 +1,234 @@ +From de8f6fb530db706d14e9ece52b2acfd77c823133 Mon Sep 17 00:00:00 2001 +From: Kristijan Gjoshev +Date: Sat, 1 Feb 2020 18:27:08 +0100 +Subject: [PATCH 3/3] timer: add new feature FixedRandomDelay= + +FixedRandomDelay=yes will use +`siphash24(sd_id128_get_machine() || MANAGER_IS_SYSTEM(m) || getuid() || u->id)`, +where || is concatenation, instead of a random number to choose a value between +0 and RandomizedDelaySec= as the timer delay. +This essentially sets up a fixed, but seemingly random, offset for each timer +iteration rather than having a random offset recalculated each time it fires. + +Closes #10355 + +Co-author: Anita Zhang +--- + docs/TRANSIENT-SETTINGS.md | 1 + + man/org.freedesktop.systemd1.xml | 6 ++++ + man/systemd.timer.xml | 12 +++++++ + src/core/dbus-timer.c | 4 +++ + src/core/timer.c | 34 ++++++++++++++++++- + src/core/timer.h | 1 + + src/shared/bus-unit-util.c | 3 +- + test/fuzz/fuzz-unit-file/directives.service | 1 + + .../systemd-tmpfiles-clean.timer | 1 + + 9 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/docs/TRANSIENT-SETTINGS.md b/docs/TRANSIENT-SETTINGS.md +index 19944d08b8..f4639b2e87 100644 +--- a/docs/TRANSIENT-SETTINGS.md ++++ b/docs/TRANSIENT-SETTINGS.md +@@ -368,6 +368,7 @@ Most timer unit settings are available to transient units. + ✓ RemainAfterElapse= + ✓ AccuracySec= + ✓ RandomizedDelaySec= ++✓ FixedRandomDelay= + Unit= + ``` + +diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml +index 6b16ae16da..ab4cbaa2fb 100644 +--- a/man/org.freedesktop.systemd1.xml ++++ b/man/org.freedesktop.systemd1.xml +@@ -6866,6 +6866,8 @@ node /org/freedesktop/systemd1/unit/systemd_2dtmpfiles_2dclean_2etimer { + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly t RandomizedDelayUSec = ...; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") ++ readonly b FixedRandomDelay = ...; ++ @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly b Persistent = ...; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly b WakeSystem = ...; +@@ -6891,6 +6893,8 @@ node /org/freedesktop/systemd1/unit/systemd_2dtmpfiles_2dclean_2etimer { + + + ++ ++ + + + +@@ -6931,6 +6935,8 @@ node /org/freedesktop/systemd1/unit/systemd_2dtmpfiles_2dclean_2etimer { + + + ++ ++ + + + +diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml +index 5822402712..6f731e2311 100644 +--- a/man/systemd.timer.xml ++++ b/man/systemd.timer.xml +@@ -268,6 +268,18 @@ + AccuracySec=1us. + + ++ ++ FixedRandomDelay= ++ ++ Takes a boolean argument. If true, some amount of time between 0 and ++ RandomizedDelaySec= is chosen and added as the delay for each timer iteration. As this ++ delay will not be recalculated on each run, this effectively creates a fixed offset for each iteration. ++ The distribution between 0 and RandomizedDelaySec= is deterministic and based on ++ a combination of the machine ID, whether the timer is run by the user/system manager, the service manager's ++ user ID, and the timer's unit name. Has no effect if ++ RandomizedDelaySec= is set to 0. Defaults to . ++ ++ + + OnClockChange= + OnTimezoneChange= +diff --git a/src/core/dbus-timer.c b/src/core/dbus-timer.c +index da35fa8678..ee54ba8772 100644 +--- a/src/core/dbus-timer.c ++++ b/src/core/dbus-timer.c +@@ -131,6 +131,7 @@ const sd_bus_vtable bus_timer_vtable[] = { + SD_BUS_PROPERTY("Result", "s", property_get_result, offsetof(Timer, result), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), + SD_BUS_PROPERTY("AccuracyUSec", "t", bus_property_get_usec, offsetof(Timer, accuracy_usec), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RandomizedDelayUSec", "t", bus_property_get_usec, offsetof(Timer, random_usec), SD_BUS_VTABLE_PROPERTY_CONST), ++ SD_BUS_PROPERTY("FixedRandomDelay", "b", bus_property_get_bool, offsetof(Timer, fixed_random_delay), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("Persistent", "b", bus_property_get_bool, offsetof(Timer, persistent), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("WakeSystem", "b", bus_property_get_bool, offsetof(Timer, wake_system), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RemainAfterElapse", "b", bus_property_get_bool, offsetof(Timer, remain_after_elapse), SD_BUS_VTABLE_PROPERTY_CONST), +@@ -232,6 +233,9 @@ static int bus_timer_set_transient_property( + if (streq(name, "RandomizedDelayUSec")) + return bus_set_transient_usec(u, name, &t->random_usec, message, flags, error); + ++ if (streq(name, "FixedRandomDelay")) ++ return bus_set_transient_bool(u, name, &t->fixed_random_delay, message, flags, error); ++ + if (streq(name, "WakeSystem")) + return bus_set_transient_bool(u, name, &t->wake_system, message, flags, error); + +diff --git a/src/core/timer.c b/src/core/timer.c +index 03a9c14f76..b2c5e26f63 100644 +--- a/src/core/timer.c ++++ b/src/core/timer.c +@@ -169,6 +169,36 @@ static int timer_setup_persistent(Timer *t) { + return 0; + } + ++static uint64_t timer_get_fixed_delay_hash(Timer *t) { ++ static const uint8_t hash_key[] = { ++ 0x51, 0x0a, 0xdb, 0x76, 0x29, 0x51, 0x42, 0xc2, ++ 0x80, 0x35, 0xea, 0xe6, 0x8e, 0x3a, 0x37, 0xbd ++ }; ++ ++ struct siphash state; ++ sd_id128_t machine_id; ++ uid_t uid; ++ int r; ++ ++ assert(t); ++ ++ uid = getuid(); ++ r = sd_id128_get_machine(&machine_id); ++ if (r < 0) { ++ log_unit_debug_errno(UNIT(t), r, ++ "Failed to get machine ID for the fixed delay calculation, proceeding with 0: %m"); ++ machine_id = SD_ID128_NULL; ++ } ++ ++ siphash24_init(&state, hash_key); ++ siphash24_compress(&machine_id, sizeof(sd_id128_t), &state); ++ siphash24_compress_boolean(MANAGER_IS_SYSTEM(UNIT(t)->manager), &state); ++ siphash24_compress(&uid, sizeof(uid_t), &state); ++ siphash24_compress_string(UNIT(t)->id, &state); ++ ++ return siphash24_finalize(&state); ++} ++ + static int timer_load(Unit *u) { + Timer *t = TIMER(u); + int r; +@@ -215,6 +245,7 @@ static void timer_dump(Unit *u, FILE *f, const char *prefix) { + "%sWakeSystem: %s\n" + "%sAccuracy: %s\n" + "%sRemainAfterElapse: %s\n" ++ "%sFixedRandomDelay: %s\n" + "%sOnClockChange: %s\n" + "%sOnTimeZoneChange: %s\n", + prefix, timer_state_to_string(t->state), +@@ -224,6 +255,7 @@ static void timer_dump(Unit *u, FILE *f, const char *prefix) { + prefix, yes_no(t->wake_system), + prefix, format_timespan(buf, sizeof(buf), t->accuracy_usec, 1), + prefix, yes_no(t->remain_after_elapse), ++ prefix, yes_no(t->fixed_random_delay), + prefix, yes_no(t->on_clock_change), + prefix, yes_no(t->on_timezone_change)); + +@@ -332,7 +364,7 @@ static void add_random(Timer *t, usec_t *v) { + if (*v == USEC_INFINITY) + return; + +- add = random_u64() % t->random_usec; ++ add = (t->fixed_random_delay ? timer_get_fixed_delay_hash(t) : random_u64()) % t->random_usec; + + if (*v + add < *v) /* overflow */ + *v = (usec_t) -2; /* Highest possible value, that is not USEC_INFINITY */ +diff --git a/src/core/timer.h b/src/core/timer.h +index ab66a201ad..ce4046a210 100644 +--- a/src/core/timer.h ++++ b/src/core/timer.h +@@ -59,6 +59,7 @@ struct Timer { + bool remain_after_elapse; + bool on_clock_change; + bool on_timezone_change; ++ bool fixed_random_delay; + + char *stamp_path; + }; +diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c +index f2652ed9a5..68de4a2ed1 100644 +--- a/src/shared/bus-unit-util.c ++++ b/src/shared/bus-unit-util.c +@@ -1779,7 +1779,8 @@ static int bus_append_timer_property(sd_bus_message *m, const char *field, const + "RemainAfterElapse", + "Persistent", + "OnTimezoneChange", +- "OnClockChange")) ++ "OnClockChange", ++ "FixedRandomDelay")) + return bus_append_parse_boolean(m, field, eq); + + if (STR_IN_SET(field, "AccuracySec", +diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service +index dbff9ab2cc..95304ea0c6 100644 +--- a/test/fuzz/fuzz-unit-file/directives.service ++++ b/test/fuzz/fuzz-unit-file/directives.service +@@ -175,6 +175,7 @@ PipeSize= + Priority= + PropagatesReloadTo= + RandomizedDelaySec= ++FixedRandomDelay= + RebootArgument= + ReceiveBuffer= + RefuseManualStart= +diff --git a/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer b/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer +index 7db361cd69..64b8808adc 100644 +--- a/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer ++++ b/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer +@@ -32,6 +32,7 @@ OnCalendar=Fri 2012-11-23 11:12:13 + Persistent=true + AccuracySec=24h + RandomizedDelaySec=234234234 ++FixedRandomDelay=true + + Persistent=no + Unit=foo.service +-- +2.24.1 + diff --git a/SOURCES/16803_fix_asserts_conditions.patch b/SOURCES/16803_fix_asserts_conditions.patch new file mode 100644 index 0000000..817ec45 --- /dev/null +++ b/SOURCES/16803_fix_asserts_conditions.patch @@ -0,0 +1,553 @@ +From 625a164069aff9efb61dcc5916c572f53c2a7ab0 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 20 Aug 2020 13:43:00 +0200 +Subject: [PATCH 1/3] analyze: rework condition testing + +Let's drop the private table and just use the generic concepts we have +in place already that make the same information available. + +Fixes: #16781 +--- + src/analyze/analyze-condition.c | 105 +++++++++----------------------- + 1 file changed, 28 insertions(+), 77 deletions(-) + +diff --git a/src/analyze/analyze-condition.c b/src/analyze/analyze-condition.c +index 52ad382637f..13f75e813a2 100644 +--- a/src/analyze/analyze-condition.c ++++ b/src/analyze/analyze-condition.c +@@ -8,83 +8,27 @@ + #include "load-fragment.h" + #include "service.h" + +-typedef struct condition_definition { +- const char *name; +- ConfigParserCallback parser; +- ConditionType type; +-} condition_definition; +- +-static const condition_definition condition_definitions[] = { +- { "ConditionPathExists", config_parse_unit_condition_path, CONDITION_PATH_EXISTS }, +- { "ConditionPathExistsGlob", config_parse_unit_condition_path, CONDITION_PATH_EXISTS_GLOB }, +- { "ConditionPathIsDirectory", config_parse_unit_condition_path, CONDITION_PATH_IS_DIRECTORY }, +- { "ConditionPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK }, +- { "ConditionPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT }, +- { "ConditionPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE }, +- { "ConditionPathIsEncrypted", config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED }, +- { "ConditionDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY }, +- { "ConditionFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY }, +- { "ConditionFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE }, +- { "ConditionNeedsUpdate", config_parse_unit_condition_path, CONDITION_NEEDS_UPDATE }, +- { "ConditionFirstBoot", config_parse_unit_condition_string, CONDITION_FIRST_BOOT }, +- { "ConditionKernelCommandLine", config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE }, +- { "ConditionKernelVersion", config_parse_unit_condition_string, CONDITION_KERNEL_VERSION }, +- { "ConditionArchitecture", config_parse_unit_condition_string, CONDITION_ARCHITECTURE }, +- { "ConditionVirtualization", config_parse_unit_condition_string, CONDITION_VIRTUALIZATION }, +- { "ConditionSecurity", config_parse_unit_condition_string, CONDITION_SECURITY }, +- { "ConditionCapability", config_parse_unit_condition_string, CONDITION_CAPABILITY }, +- { "ConditionHost", config_parse_unit_condition_string, CONDITION_HOST }, +- { "ConditionACPower", config_parse_unit_condition_string, CONDITION_AC_POWER }, +- { "ConditionUser", config_parse_unit_condition_string, CONDITION_USER }, +- { "ConditionGroup", config_parse_unit_condition_string, CONDITION_GROUP }, +- { "ConditionControlGroupController", config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER }, +- +- { "AssertPathExists", config_parse_unit_condition_path, CONDITION_PATH_EXISTS }, +- { "AssertPathExistsGlob", config_parse_unit_condition_path, CONDITION_PATH_EXISTS_GLOB }, +- { "AssertPathIsDirectory", config_parse_unit_condition_path, CONDITION_PATH_IS_DIRECTORY }, +- { "AssertPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK }, +- { "AssertPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT }, +- { "AssertPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE }, +- { "AssertPathIsEncrypted", config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED }, +- { "AssertDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY }, +- { "AssertFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY }, +- { "AssertFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE }, +- { "AssertNeedsUpdate", config_parse_unit_condition_path, CONDITION_NEEDS_UPDATE }, +- { "AssertFirstBoot", config_parse_unit_condition_string, CONDITION_FIRST_BOOT }, +- { "AssertKernelCommandLine", config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE }, +- { "AssertKernelVersion", config_parse_unit_condition_string, CONDITION_KERNEL_VERSION }, +- { "AssertArchitecture", config_parse_unit_condition_string, CONDITION_ARCHITECTURE }, +- { "AssertVirtualization", config_parse_unit_condition_string, CONDITION_VIRTUALIZATION }, +- { "AssertSecurity", config_parse_unit_condition_string, CONDITION_SECURITY }, +- { "AssertCapability", config_parse_unit_condition_string, CONDITION_CAPABILITY }, +- { "AssertHost", config_parse_unit_condition_string, CONDITION_HOST }, +- { "AssertACPower", config_parse_unit_condition_string, CONDITION_AC_POWER }, +- { "AssertUser", config_parse_unit_condition_string, CONDITION_USER }, +- { "AssertGroup", config_parse_unit_condition_string, CONDITION_GROUP }, +- { "AssertControlGroupController", config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER }, +- +- /* deprecated, but we should still parse them */ +- { "ConditionNull", config_parse_unit_condition_null, 0 }, +- { "AssertNull", config_parse_unit_condition_null, 0 }, +-}; +- + static int parse_condition(Unit *u, const char *line) { +- const char *p; +- Condition **target; +- +- if ((p = startswith(line, "Condition"))) +- target = &u->conditions; +- else if ((p = startswith(line, "Assert"))) +- target = &u->asserts; +- else +- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot parse \"%s\".", line); +- +- for (size_t i = 0; i < ELEMENTSOF(condition_definitions); i++) { +- const condition_definition *c = &condition_definitions[i]; +- +- p = startswith(line, c->name); +- if (!p) +- continue; ++ assert(u); ++ assert(line); ++ ++ for (ConditionType t = 0; t < _CONDITION_TYPE_MAX; t++) { ++ ConfigParserCallback callback; ++ Condition **target; ++ const char *p, *name; ++ ++ name = condition_type_to_string(t); ++ p = startswith(line, name); ++ if (p) ++ target = &u->conditions; ++ else { ++ name = assert_type_to_string(t); ++ p = startswith(line, name); ++ if (!p) ++ continue; ++ ++ target = &u->asserts; ++ } + + p += strspn(p, WHITESPACE); + +@@ -94,7 +38,14 @@ static int parse_condition(Unit *u, const char *line) { + + p += strspn(p, WHITESPACE); + +- return c->parser(NULL, "(stdin)", 0, NULL, 0, c->name, c->type, p, target, u); ++ if (t == CONDITION_NULL) /* deprecated, but we should still parse this for now */ ++ callback = config_parse_unit_condition_null; ++ else if (condition_takes_path(t)) ++ callback = config_parse_unit_condition_path; ++ else ++ callback = config_parse_unit_condition_string; ++ ++ return callback(NULL, "(cmdline)", 0, NULL, 0, name, t, p, target, u); + } + + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot parse \"%s\".", line); + +From 4f55a5b0bf1e68e4595120d8ac4b518654355fc3 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 20 Aug 2020 13:44:12 +0200 +Subject: [PATCH 2/3] core: add missing conditions/asserts to unit file parsing + +--- + src/core/load-fragment-gperf.gperf.m4 | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 +index b9e7769e4e3..1e6bd6483c2 100644 +--- a/src/core/load-fragment-gperf.gperf.m4 ++++ b/src/core/load-fragment-gperf.gperf.m4 +@@ -272,22 +272,26 @@ Unit.ConditionPathIsDirectory, config_parse_unit_condition_path, CONDITION_P + Unit.ConditionPathIsSymbolicLink,config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK,offsetof(Unit, conditions) + Unit.ConditionPathIsMountPoint, config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT, offsetof(Unit, conditions) + Unit.ConditionPathIsReadWrite, config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE, offsetof(Unit, conditions) ++Unit.ConditionPathIsEncrypted, config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED, offsetof(Unit, conditions) + Unit.ConditionDirectoryNotEmpty, config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY, offsetof(Unit, conditions) + Unit.ConditionFileNotEmpty, config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY, offsetof(Unit, conditions) + Unit.ConditionFileIsExecutable, config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE, offsetof(Unit, conditions) + Unit.ConditionNeedsUpdate, config_parse_unit_condition_path, CONDITION_NEEDS_UPDATE, offsetof(Unit, conditions) + Unit.ConditionFirstBoot, config_parse_unit_condition_string, CONDITION_FIRST_BOOT, offsetof(Unit, conditions) +-Unit.ConditionKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, conditions) +-Unit.ConditionKernelVersion, config_parse_unit_condition_string, CONDITION_KERNEL_VERSION, offsetof(Unit, conditions) + Unit.ConditionArchitecture, config_parse_unit_condition_string, CONDITION_ARCHITECTURE, offsetof(Unit, conditions) + Unit.ConditionVirtualization, config_parse_unit_condition_string, CONDITION_VIRTUALIZATION, offsetof(Unit, conditions) ++Unit.ConditionHost, config_parse_unit_condition_string, CONDITION_HOST, offsetof(Unit, conditions) ++Unit.ConditionKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, conditions) ++Unit.ConditionKernelVersion, config_parse_unit_condition_string, CONDITION_KERNEL_VERSION, offsetof(Unit, conditions) + Unit.ConditionSecurity, config_parse_unit_condition_string, CONDITION_SECURITY, offsetof(Unit, conditions) + Unit.ConditionCapability, config_parse_unit_condition_string, CONDITION_CAPABILITY, offsetof(Unit, conditions) +-Unit.ConditionHost, config_parse_unit_condition_string, CONDITION_HOST, offsetof(Unit, conditions) + Unit.ConditionACPower, config_parse_unit_condition_string, CONDITION_AC_POWER, offsetof(Unit, conditions) ++Unit.ConditionMemory, config_parse_unit_condition_string, CONDITION_MEMORY, offsetof(Unit, conditions) ++Unit.ConditionCPUs, config_parse_unit_condition_string, CONDITION_CPUS, offsetof(Unit, conditions) ++Unit.ConditionEnvironment, config_parse_unit_condition_string, CONDITION_ENVIRONMENT, offsetof(Unit, conditions) + Unit.ConditionUser, config_parse_unit_condition_string, CONDITION_USER, offsetof(Unit, conditions) + Unit.ConditionGroup, config_parse_unit_condition_string, CONDITION_GROUP, offsetof(Unit, conditions) +-Unit.ConditionControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, conditions) ++Unit.ConditionControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, conditions) + Unit.ConditionNull, config_parse_unit_condition_null, 0, offsetof(Unit, conditions) + Unit.AssertPathExists, config_parse_unit_condition_path, CONDITION_PATH_EXISTS, offsetof(Unit, asserts) + Unit.AssertPathExistsGlob, config_parse_unit_condition_path, CONDITION_PATH_EXISTS_GLOB, offsetof(Unit, asserts) +@@ -295,22 +299,26 @@ Unit.AssertPathIsDirectory, config_parse_unit_condition_path, CONDITION_P + Unit.AssertPathIsSymbolicLink, config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK,offsetof(Unit, asserts) + Unit.AssertPathIsMountPoint, config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT, offsetof(Unit, asserts) + Unit.AssertPathIsReadWrite, config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE, offsetof(Unit, asserts) ++Unit.AssertPathIsEncrypted, config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED, offsetof(Unit, asserts) + Unit.AssertDirectoryNotEmpty, config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY, offsetof(Unit, asserts) + Unit.AssertFileNotEmpty, config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY, offsetof(Unit, asserts) + Unit.AssertFileIsExecutable, config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE, offsetof(Unit, asserts) + Unit.AssertNeedsUpdate, config_parse_unit_condition_path, CONDITION_NEEDS_UPDATE, offsetof(Unit, asserts) + Unit.AssertFirstBoot, config_parse_unit_condition_string, CONDITION_FIRST_BOOT, offsetof(Unit, asserts) +-Unit.AssertKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, asserts) +-Unit.AssertKernelVersion, config_parse_unit_condition_string, CONDITION_KERNEL_VERSION, offsetof(Unit, asserts) + Unit.AssertArchitecture, config_parse_unit_condition_string, CONDITION_ARCHITECTURE, offsetof(Unit, asserts) + Unit.AssertVirtualization, config_parse_unit_condition_string, CONDITION_VIRTUALIZATION, offsetof(Unit, asserts) ++Unit.AssertHost, config_parse_unit_condition_string, CONDITION_HOST, offsetof(Unit, asserts) ++Unit.AssertKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, asserts) ++Unit.AssertKernelVersion, config_parse_unit_condition_string, CONDITION_KERNEL_VERSION, offsetof(Unit, asserts) + Unit.AssertSecurity, config_parse_unit_condition_string, CONDITION_SECURITY, offsetof(Unit, asserts) + Unit.AssertCapability, config_parse_unit_condition_string, CONDITION_CAPABILITY, offsetof(Unit, asserts) +-Unit.AssertHost, config_parse_unit_condition_string, CONDITION_HOST, offsetof(Unit, asserts) + Unit.AssertACPower, config_parse_unit_condition_string, CONDITION_AC_POWER, offsetof(Unit, asserts) ++Unit.AssertMemory, config_parse_unit_condition_string, CONDITION_MEMORY, offsetof(Unit, asserts) ++Unit.AssertCPUs, config_parse_unit_condition_string, CONDITION_CPUS, offsetof(Unit, asserts) ++Unit.AssertEnvironment, config_parse_unit_condition_string, CONDITION_ENVIRONMENT, offsetof(Unit, asserts) + Unit.AssertUser, config_parse_unit_condition_string, CONDITION_USER, offsetof(Unit, asserts) + Unit.AssertGroup, config_parse_unit_condition_string, CONDITION_GROUP, offsetof(Unit, asserts) +-Unit.AssertControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, asserts) ++Unit.AssertControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, asserts) + Unit.AssertNull, config_parse_unit_condition_null, 0, offsetof(Unit, asserts) + Unit.CollectMode, config_parse_collect_mode, 0, offsetof(Unit, collect_mode) + m4_dnl + +From 476cfe626dac41bb9879116c701333caa2ccec24 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 20 Aug 2020 14:01:25 +0200 +Subject: [PATCH 3/3] core: remove support for ConditionNull= + +The concept is flawed, and mostly useless. Let's finally remove it. + +It has been deprecated since 90a2ec10f2d43a8530aae856013518eb567c4039 (6 +years ago) and we started to warn since +55dadc5c57ef1379dbc984938d124508a454be55 (1.5 years ago). + +Let's get rid of it altogether. +--- + man/systemd.unit.xml | 3 - + src/analyze/analyze-condition.c | 4 +- + src/core/dbus-unit.c | 22 +++----- + src/core/load-fragment-gperf.gperf.m4 | 2 - + src/core/load-fragment.c | 55 ------------------- + src/core/load-fragment.h | 1 - + src/shared/condition.c | 21 +------ + src/shared/condition.h | 2 - + src/test/test-condition.c | 15 ----- + .../fuzz-unit-file/systemd-machined.service | 3 - + 10 files changed, 11 insertions(+), 117 deletions(-) + +diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml +index 7ef6080237e..50f35aaa3cc 100644 +--- a/man/systemd.unit.xml ++++ b/man/systemd.unit.xml +@@ -1092,9 +1092,6 @@ + Except for ConditionPathIsSymbolicLink=, all path checks follow symlinks. + + +- +- + + ConditionArchitecture= + +diff --git a/src/analyze/analyze-condition.c b/src/analyze/analyze-condition.c +index 13f75e813a2..e1365e18056 100644 +--- a/src/analyze/analyze-condition.c ++++ b/src/analyze/analyze-condition.c +@@ -38,9 +38,7 @@ static int parse_condition(Unit *u, const char *line) { + + p += strspn(p, WHITESPACE); + +- if (t == CONDITION_NULL) /* deprecated, but we should still parse this for now */ +- callback = config_parse_unit_condition_null; +- else if (condition_takes_path(t)) ++ if (condition_takes_path(t)) + callback = config_parse_unit_condition_path; + else + callback = config_parse_unit_condition_string; +diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c +index 9e9d3b101e5..e799771c220 100644 +--- a/src/core/dbus-unit.c ++++ b/src/core/dbus-unit.c +@@ -1974,14 +1974,11 @@ static int bus_set_transient_conditions( + if (t < 0) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid condition type: %s", type_name); + +- if (t != CONDITION_NULL) { +- if (isempty(param)) +- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Condition parameter in %s is empty", type_name); ++ if (isempty(param)) ++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Condition parameter in %s is empty", type_name); + +- if (condition_takes_path(t) && !path_is_absolute(param)) +- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path in condition %s is not absolute: %s", type_name, param); +- } else +- param = NULL; ++ if (condition_takes_path(t) && !path_is_absolute(param)) ++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path in condition %s is not absolute: %s", type_name, param); + + if (!UNIT_WRITE_FLAGS_NOOP(flags)) { + Condition *c; +@@ -1992,14 +1989,9 @@ static int bus_set_transient_conditions( + + LIST_PREPEND(conditions, *list, c); + +- if (t != CONDITION_NULL) +- unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, +- "%s=%s%s%s", type_name, +- trigger ? "|" : "", negate ? "!" : "", param); +- else +- unit_write_settingf(u, flags, name, +- "%s=%s%s", type_name, +- trigger ? "|" : "", yes_no(!negate)); ++ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, ++ "%s=%s%s%s", type_name, ++ trigger ? "|" : "", negate ? "!" : "", param); + } + + empty = false; +diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 +index 1e6bd6483c2..a191de62af3 100644 +--- a/src/core/load-fragment-gperf.gperf.m4 ++++ b/src/core/load-fragment-gperf.gperf.m4 +@@ -292,7 +292,6 @@ Unit.ConditionEnvironment, config_parse_unit_condition_string, CONDITION_E + Unit.ConditionUser, config_parse_unit_condition_string, CONDITION_USER, offsetof(Unit, conditions) + Unit.ConditionGroup, config_parse_unit_condition_string, CONDITION_GROUP, offsetof(Unit, conditions) + Unit.ConditionControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, conditions) +-Unit.ConditionNull, config_parse_unit_condition_null, 0, offsetof(Unit, conditions) + Unit.AssertPathExists, config_parse_unit_condition_path, CONDITION_PATH_EXISTS, offsetof(Unit, asserts) + Unit.AssertPathExistsGlob, config_parse_unit_condition_path, CONDITION_PATH_EXISTS_GLOB, offsetof(Unit, asserts) + Unit.AssertPathIsDirectory, config_parse_unit_condition_path, CONDITION_PATH_IS_DIRECTORY, offsetof(Unit, asserts) +@@ -319,7 +318,6 @@ Unit.AssertEnvironment, config_parse_unit_condition_string, CONDITION_E + Unit.AssertUser, config_parse_unit_condition_string, CONDITION_USER, offsetof(Unit, asserts) + Unit.AssertGroup, config_parse_unit_condition_string, CONDITION_GROUP, offsetof(Unit, asserts) + Unit.AssertControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, asserts) +-Unit.AssertNull, config_parse_unit_condition_null, 0, offsetof(Unit, asserts) + Unit.CollectMode, config_parse_collect_mode, 0, offsetof(Unit, collect_mode) + m4_dnl + Service.PIDFile, config_parse_pid_file, 0, offsetof(Service, pid_file) +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 266382c84c7..cfd04f3b49f 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -2999,60 +2999,6 @@ int config_parse_unit_condition_string( + return 0; + } + +-int config_parse_unit_condition_null( +- const char *unit, +- const char *filename, +- unsigned line, +- const char *section, +- unsigned section_line, +- const char *lvalue, +- int ltype, +- const char *rvalue, +- void *data, +- void *userdata) { +- +- Condition **list = data, *c; +- bool trigger, negate; +- int b; +- +- assert(filename); +- assert(lvalue); +- assert(rvalue); +- assert(data); +- +- log_syntax(unit, LOG_WARNING, filename, line, 0, "%s= is deprecated, please do not use.", lvalue); +- +- if (isempty(rvalue)) { +- /* Empty assignment resets the list */ +- *list = condition_free_list(*list); +- return 0; +- } +- +- trigger = rvalue[0] == '|'; +- if (trigger) +- rvalue++; +- +- negate = rvalue[0] == '!'; +- if (negate) +- rvalue++; +- +- b = parse_boolean(rvalue); +- if (b < 0) { +- log_syntax(unit, LOG_ERR, filename, line, b, "Failed to parse boolean value in condition, ignoring: %s", rvalue); +- return 0; +- } +- +- if (!b) +- negate = !negate; +- +- c = condition_new(CONDITION_NULL, NULL, trigger, negate); +- if (!c) +- return log_oom(); +- +- LIST_PREPEND(conditions, *list, c); +- return 0; +-} +- + int config_parse_unit_requires_mounts_for( + const char *unit, + const char *filename, +@@ -5266,7 +5212,6 @@ void unit_dump_config_items(FILE *f) { + { config_parse_ip_tos, "TOS" }, + { config_parse_unit_condition_path, "CONDITION" }, + { config_parse_unit_condition_string, "CONDITION" }, +- { config_parse_unit_condition_null, "CONDITION" }, + { config_parse_unit_slice, "SLICE" }, + { config_parse_documentation, "URL" }, + { config_parse_service_timeout, "SECONDS" }, +diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h +index 2672db5ace2..cee5717d0fb 100644 +--- a/src/core/load-fragment.h ++++ b/src/core/load-fragment.h +@@ -58,7 +58,6 @@ CONFIG_PARSER_PROTOTYPE(config_parse_unit_env_file); + CONFIG_PARSER_PROTOTYPE(config_parse_ip_tos); + CONFIG_PARSER_PROTOTYPE(config_parse_unit_condition_path); + CONFIG_PARSER_PROTOTYPE(config_parse_unit_condition_string); +-CONFIG_PARSER_PROTOTYPE(config_parse_unit_condition_null); + CONFIG_PARSER_PROTOTYPE(config_parse_kill_mode); + CONFIG_PARSER_PROTOTYPE(config_parse_notify_access); + CONFIG_PARSER_PROTOTYPE(config_parse_emergency_action); +diff --git a/src/shared/condition.c b/src/shared/condition.c +index bf3b5fa1622..1f6105622a5 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -52,7 +52,7 @@ Condition* condition_new(ConditionType type, const char *parameter, bool trigger + + assert(type >= 0); + assert(type < _CONDITION_TYPE_MAX); +- assert((!parameter) == (type == CONDITION_NULL)); ++ assert(parameter); + + c = new(Condition, 1); + if (!c) +@@ -776,15 +776,6 @@ static int condition_test_file_is_executable(Condition *c, char **env) { + (st.st_mode & 0111)); + } + +-static int condition_test_null(Condition *c, char **env) { +- assert(c); +- assert(c->type == CONDITION_NULL); +- +- /* Note that during parsing we already evaluate the string and +- * store it in c->negate */ +- return true; +-} +- + int condition_test(Condition *c, char **env) { + + static int (*const condition_tests[_CONDITION_TYPE_MAX])(Condition *c, char **env) = { +@@ -811,7 +802,6 @@ int condition_test(Condition *c, char **env) { + [CONDITION_USER] = condition_test_user, + [CONDITION_GROUP] = condition_test_group, + [CONDITION_CONTROL_GROUP_CONTROLLER] = condition_test_control_group_controller, +- [CONDITION_NULL] = condition_test_null, + [CONDITION_CPUS] = condition_test_cpus, + [CONDITION_MEMORY] = condition_test_memory, + [CONDITION_ENVIRONMENT] = condition_test_environment, +@@ -859,23 +849,20 @@ bool condition_test_list( + r = condition_test(c, env); + + if (logger) { +- const char *p = c->type == CONDITION_NULL ? "true" : c->parameter; +- assert(p); +- + if (r < 0) + logger(userdata, LOG_WARNING, r, PROJECT_FILE, __LINE__, __func__, + "Couldn't determine result for %s=%s%s%s, assuming failed: %m", + to_string(c->type), + c->trigger ? "|" : "", + c->negate ? "!" : "", +- p); ++ c->parameter); + else + logger(userdata, LOG_DEBUG, 0, PROJECT_FILE, __LINE__, __func__, + "%s=%s%s%s %s.", + to_string(c->type), + c->trigger ? "|" : "", + c->negate ? "!" : "", +- p, ++ c->parameter, + condition_result_to_string(c->result)); + } + +@@ -937,7 +924,6 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = { + [CONDITION_USER] = "ConditionUser", + [CONDITION_GROUP] = "ConditionGroup", + [CONDITION_CONTROL_GROUP_CONTROLLER] = "ConditionControlGroupController", +- [CONDITION_NULL] = "ConditionNull", + [CONDITION_CPUS] = "ConditionCPUs", + [CONDITION_MEMORY] = "ConditionMemory", + [CONDITION_ENVIRONMENT] = "ConditionEnvironment", +@@ -969,7 +955,6 @@ static const char* const assert_type_table[_CONDITION_TYPE_MAX] = { + [CONDITION_USER] = "AssertUser", + [CONDITION_GROUP] = "AssertGroup", + [CONDITION_CONTROL_GROUP_CONTROLLER] = "AssertControlGroupController", +- [CONDITION_NULL] = "AssertNull", + [CONDITION_CPUS] = "AssertCPUs", + [CONDITION_MEMORY] = "AssertMemory", + [CONDITION_ENVIRONMENT] = "AssertEnvironment", +diff --git a/src/shared/condition.h b/src/shared/condition.h +index fea74d228d8..e5ad43f945b 100644 +--- a/src/shared/condition.h ++++ b/src/shared/condition.h +@@ -34,8 +34,6 @@ typedef enum ConditionType { + CONDITION_FILE_NOT_EMPTY, + CONDITION_FILE_IS_EXECUTABLE, + +- CONDITION_NULL, +- + CONDITION_USER, + CONDITION_GROUP, + +diff --git a/src/test/test-condition.c b/src/test/test-condition.c +index ddf2e669c03..d209c1304c8 100644 +--- a/src/test/test-condition.c ++++ b/src/test/test-condition.c +@@ -438,20 +438,6 @@ static void test_condition_test_kernel_version(void) { + condition_free(condition); + } + +-static void test_condition_test_null(void) { +- Condition *condition; +- +- condition = condition_new(CONDITION_NULL, NULL, false, false); +- assert_se(condition); +- assert_se(condition_test(condition, environ) > 0); +- condition_free(condition); +- +- condition = condition_new(CONDITION_NULL, NULL, false, true); +- assert_se(condition); +- assert_se(condition_test(condition, environ) == 0); +- condition_free(condition); +-} +- + static void test_condition_test_security(void) { + Condition *condition; + +@@ -868,7 +854,6 @@ int main(int argc, char *argv[]) { + test_condition_test_architecture(); + test_condition_test_kernel_command_line(); + test_condition_test_kernel_version(); +- test_condition_test_null(); + test_condition_test_security(); + print_securities(); + test_condition_test_virtualization(); +diff --git a/test/fuzz/fuzz-unit-file/systemd-machined.service b/test/fuzz/fuzz-unit-file/systemd-machined.service +index 70b627c5f40..79ee9861d8e 100644 +--- a/test/fuzz/fuzz-unit-file/systemd-machined.service ++++ b/test/fuzz/fuzz-unit-file/systemd-machined.service +@@ -15,9 +15,6 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/machined + Wants=machine.slice + After=machine.slice + RequiresMountsFor=/var/lib/machines +-ConditionNull=true +-ConditionNull= +-ConditionNull=|!false + OnFailureIsolate=false + FailureActionExitStatus=222 + FailureActionExitStatus= diff --git a/SOURCES/16838_16857_improve_path_search.patch b/SOURCES/16838_16857_improve_path_search.patch new file mode 100644 index 0000000..2120465 --- /dev/null +++ b/SOURCES/16838_16857_improve_path_search.patch @@ -0,0 +1,108 @@ +From 3335de91437bc983c95cfab86489ceb3a0b0a6aa Mon Sep 17 00:00:00 2001 +From: Chris Down +Date: Tue, 25 Aug 2020 21:59:11 +0100 +Subject: [PATCH 1/2] path: Skip directories when finalising $PATH search + +Imagine $PATH /a:/b. There is an echo command at /b/echo. Under this +configuration, this works fine: + + % systemd-run --user --scope echo . + Running scope as unit: run-rfe98e0574b424d63a641644af511ff30.scope + . + +However, if I do `mkdir /a/echo`, this happens: + + % systemd-run --user --scope echo . + Running scope as unit: run-rcbe9369537ed47f282ee12ce9f692046.scope + Failed to execute: Permission denied + +We check whether the resulting file is executable for the performing +user, but of course, most directories are anyway, since that's needed to +list within it. As such, another is_dir() check is needed prior to +considering the search result final. + +Another approach might be to check S_ISREG, but there may be more gnarly +edge cases there than just eliminating this obviously pathological +example, so let's just do this for now. +--- + src/basic/path-util.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/basic/path-util.c b/src/basic/path-util.c +index c4e022b3a1..d3b4978239 100644 +--- a/src/basic/path-util.c ++++ b/src/basic/path-util.c +@@ -637,6 +637,9 @@ int find_binary(const char *name, char **ret) { + if (!j) + return -ENOMEM; + ++ if (is_dir(j, true)) ++ continue; ++ + if (access(j, X_OK) >= 0) { + /* Found it! */ + +-- +2.26.2 + + +From 2f94890f37c13dcd680a63876ed6d34f8e66d0a3 Mon Sep 17 00:00:00 2001 +From: Chris Down +Date: Wed, 26 Aug 2020 18:49:27 +0100 +Subject: [PATCH 2/2] path: Improve $PATH search directory case + +Previously: + +1. last_error wouldn't be updated with errors from is_dir; +2. We'd always issue a stat(), even for binaries without execute; +3. We used stat() instead of access(), which is cheaper. + +This change avoids all of those, by only checking inside X_OK-positive +case whether access() works on the path with an extra slash appended. +Thanks to Lennart for the suggestion. +--- + src/basic/path-util.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/src/basic/path-util.c b/src/basic/path-util.c +index d3b4978239..7b0863f749 100644 +--- a/src/basic/path-util.c ++++ b/src/basic/path-util.c +@@ -637,16 +637,27 @@ int find_binary(const char *name, char **ret) { + if (!j) + return -ENOMEM; + +- if (is_dir(j, true)) +- continue; +- + if (access(j, X_OK) >= 0) { +- /* Found it! */ ++ _cleanup_free_ char *with_dash; + +- if (ret) +- *ret = path_simplify(TAKE_PTR(j), false); ++ with_dash = strjoin(j, "/"); ++ if (!with_dash) ++ return -ENOMEM; + +- return 0; ++ /* If this passes, it must be a directory, and so should be skipped. */ ++ if (access(with_dash, X_OK) >= 0) ++ continue; ++ ++ /** ++ * We can't just `continue` inverting this case, since we need to update last_error. ++ */ ++ if (errno == ENOTDIR) { ++ /* Found it! */ ++ if (ret) ++ *ret = path_simplify(TAKE_PTR(j), false); ++ ++ return 0; ++ } + } + + /* PATH entries which we don't have access to are ignored, as per tradition. */ +-- +2.26.2 + diff --git a/SOURCES/16940_cleanup_socket_econn_handling.patch b/SOURCES/16940_cleanup_socket_econn_handling.patch new file mode 100644 index 0000000..3de1ab0 --- /dev/null +++ b/SOURCES/16940_cleanup_socket_econn_handling.patch @@ -0,0 +1,317 @@ +From 056799e2e147d678e156c5a1fce15b04762f1313 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 1 Sep 2020 23:50:01 +0200 +Subject: [PATCH 1/3] core/socket: we may get ENOTCONN from + socket_instantiate_service() + +This means that the connection was aborted before we even got to figure out +what the service name will be. Let's treat this as a non-event and close the +connection fd without any further messages. + +Code last changed in 934ef6a5. +Reported-by: Thiago Macieira + +With the patch: +systemd[1]: foobar.socket: Incoming traffic +systemd[1]: foobar.socket: Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring. +... + +Also, when we get ENOMEM, don't give the hint about missing unit. +--- + src/core/socket.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +diff --git a/src/core/socket.c b/src/core/socket.c +index ebf5ce3b16..f880040331 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -18,6 +18,7 @@ + #include "dbus-socket.h" + #include "dbus-unit.h" + #include "def.h" ++#include "errno-list.h" + #include "exit-status.h" + #include "fd-util.h" + #include "format-util.h" +@@ -1418,11 +1419,12 @@ int socket_load_service_unit(Socket *s, int cfd, Unit **ret) { + + if (cfd >= 0) { + r = instance_from_socket(cfd, s->n_accepted, &instance); +- if (r == -ENOTCONN) +- /* ENOTCONN is legitimate if TCP RST was received. +- * This connection is over, but the socket unit lives on. */ ++ if (ERRNO_IS_DISCONNECT(r)) ++ /* ENOTCONN is legitimate if TCP RST was received. Other socket families might return ++ * different errors. This connection is over, but the socket unit lives on. */ + return log_unit_debug_errno(UNIT(s), r, +- "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring."); ++ "Got %s on incoming socket, assuming aborted connection attempt, ignoring.", ++ errno_to_name(r)); + if (r < 0) + return r; + } +@@ -2359,8 +2361,8 @@ static void socket_enter_running(Socket *s, int cfd) { + + if (!pending) { + if (!UNIT_ISSET(s->service)) { +- log_unit_error(UNIT(s), "Service to activate vanished, refusing activation."); +- r = -ENOENT; ++ r = log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOENT), ++ "Service to activate vanished, refusing activation."); + goto fail; + } + +@@ -2382,8 +2384,10 @@ static void socket_enter_running(Socket *s, int cfd) { + + if (s->max_connections_per_source > 0) { + r = socket_acquire_peer(s, cfd, &p); +- if (r < 0) +- goto refuse; ++ if (ERRNO_IS_DISCONNECT(r)) ++ goto notconn; ++ if (r < 0) /* We didn't have enough resources to acquire peer information, let's fail. */ ++ goto fail; + if (r > 0 && p->n_ref > s->max_connections_per_source) { + _cleanup_free_ char *t = NULL; + +@@ -2397,6 +2401,8 @@ static void socket_enter_running(Socket *s, int cfd) { + } + + r = socket_instantiate_service(s, cfd); ++ if (ERRNO_IS_DISCONNECT(r)) ++ goto notconn; + if (r < 0) + goto fail; + +@@ -2406,6 +2412,8 @@ static void socket_enter_running(Socket *s, int cfd) { + s->n_accepted++; + + r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net); ++ if (ERRNO_IS_DISCONNECT(r)) ++ goto notconn; + if (r < 0) + goto fail; + +@@ -2430,13 +2438,18 @@ static void socket_enter_running(Socket *s, int cfd) { + + refuse: + s->n_refused++; ++notconn: + safe_close(cfd); + return; + + fail: +- log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s", +- cfd >= 0 ? "template" : "non-template", +- bus_error_message(&error, r)); ++ if (ERRNO_IS_RESOURCE(r)) ++ log_unit_warning(UNIT(s), "Failed to queue service startup job: %s", ++ bus_error_message(&error, r)); ++ else ++ log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s", ++ cfd >= 0 ? "template" : "non-template", ++ bus_error_message(&error, r)); + + socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES); + safe_close(cfd); +-- +2.26.2 + + +From 86f9af3eb8bea0bea86bb027cb341e6b13beecb5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 2 Sep 2020 18:04:10 +0200 +Subject: [PATCH 2/3] core/socket: fold socket_instantiate_service() into + socket_enter_running() + +socket_instantiate_service() was doing unit_ref_set(), and the caller was +immediately doing unit_ref_unset(). After we get rid of this, it doesn't seem +worth it to have two functions. +--- + src/core/socket.c | 39 ++++++++++----------------------------- + 1 file changed, 10 insertions(+), 29 deletions(-) + +diff --git a/src/core/socket.c b/src/core/socket.c +index f880040331..5e128d9fef 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -206,27 +206,6 @@ static int socket_arm_timer(Socket *s, usec_t usec) { + return 0; + } + +-static int socket_instantiate_service(Socket *s, int cfd) { +- Unit *service; +- int r; +- +- assert(s); +- assert(cfd >= 0); +- +- /* This fills in s->service if it isn't filled in yet. For Accept=yes sockets we create the next +- * connection service here. For Accept=no this is mostly a NOP since the service is figured out at +- * load time anyway. */ +- +- r = socket_load_service_unit(s, cfd, &service); +- if (r < 0) +- return r; +- +- unit_ref_set(&s->service, UNIT(s), service); +- +- return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, service, +- false, UNIT_DEPENDENCY_IMPLICIT); +-} +- + static bool have_non_accept_socket(Socket *s) { + SocketPort *p; + +@@ -2374,7 +2353,7 @@ static void socket_enter_running(Socket *s, int cfd) { + socket_set_state(s, SOCKET_RUNNING); + } else { + _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL; +- Service *service; ++ Unit *service; + + if (s->n_connections >= s->max_connections) { + log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.", +@@ -2400,18 +2379,20 @@ static void socket_enter_running(Socket *s, int cfd) { + } + } + +- r = socket_instantiate_service(s, cfd); ++ r = socket_load_service_unit(s, cfd, &service); + if (ERRNO_IS_DISCONNECT(r)) + goto notconn; + if (r < 0) + goto fail; + +- service = SERVICE(UNIT_DEREF(s->service)); +- unit_ref_unset(&s->service); ++ r = unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, service, ++ false, UNIT_DEPENDENCY_IMPLICIT); ++ if (r < 0) ++ goto fail; + + s->n_accepted++; + +- r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net); ++ r = service_set_socket_fd(SERVICE(service), cfd, s, s->selinux_context_from_net); + if (ERRNO_IS_DISCONNECT(r)) + goto notconn; + if (r < 0) +@@ -2420,13 +2401,13 @@ static void socket_enter_running(Socket *s, int cfd) { + TAKE_FD(cfd); /* We passed ownership of the fd to the service now. Forget it here. */ + s->n_connections++; + +- service->peer = TAKE_PTR(p); /* Pass ownership of the peer reference */ ++ SERVICE(service)->peer = TAKE_PTR(p); /* Pass ownership of the peer reference */ + +- r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, NULL, &error, NULL); ++ r = manager_add_job(UNIT(s)->manager, JOB_START, service, JOB_REPLACE, NULL, &error, NULL); + if (r < 0) { + /* We failed to activate the new service, but it still exists. Let's make sure the + * service closes and forgets the connection fd again, immediately. */ +- service_close_socket_fd(service); ++ service_close_socket_fd(SERVICE(service)); + goto fail; + } + +-- +2.26.2 + + +From b7e9403a4c6220478980555ef40905d030b307f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 2 Sep 2020 18:17:14 +0200 +Subject: [PATCH 3/3] core/socket: use _cleanup_ to close the connection fd + +Removing the gotos would lead to a lot of duplicated code, so I left them +as they were. +--- + src/core/socket.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/src/core/socket.c b/src/core/socket.c +index 5e128d9fef..a77a297cf5 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -2296,13 +2296,14 @@ static void flush_ports(Socket *s) { + } + } + +-static void socket_enter_running(Socket *s, int cfd) { ++static void socket_enter_running(Socket *s, int cfd_in) { ++ /* Note that this call takes possession of the connection fd passed. It either has to assign it ++ * somewhere or close it. */ ++ _cleanup_close_ int cfd = cfd_in; ++ + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + int r; + +- /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or +- * close it. */ +- + assert(s); + + /* We don't take connections anymore if we are supposed to shut down anyway */ +@@ -2312,9 +2313,8 @@ static void socket_enter_running(Socket *s, int cfd) { + + if (cfd >= 0) + goto refuse; +- else +- flush_ports(s); + ++ flush_ports(s); + return; + } + +@@ -2364,7 +2364,7 @@ static void socket_enter_running(Socket *s, int cfd) { + if (s->max_connections_per_source > 0) { + r = socket_acquire_peer(s, cfd, &p); + if (ERRNO_IS_DISCONNECT(r)) +- goto notconn; ++ return; + if (r < 0) /* We didn't have enough resources to acquire peer information, let's fail. */ + goto fail; + if (r > 0 && p->n_ref > s->max_connections_per_source) { +@@ -2381,7 +2381,7 @@ static void socket_enter_running(Socket *s, int cfd) { + + r = socket_load_service_unit(s, cfd, &service); + if (ERRNO_IS_DISCONNECT(r)) +- goto notconn; ++ return; + if (r < 0) + goto fail; + +@@ -2394,7 +2394,7 @@ static void socket_enter_running(Socket *s, int cfd) { + + r = service_set_socket_fd(SERVICE(service), cfd, s, s->selinux_context_from_net); + if (ERRNO_IS_DISCONNECT(r)) +- goto notconn; ++ return; + if (r < 0) + goto fail; + +@@ -2415,12 +2415,11 @@ static void socket_enter_running(Socket *s, int cfd) { + unit_add_to_dbus_queue(UNIT(s)); + } + ++ TAKE_FD(cfd); + return; + + refuse: + s->n_refused++; +-notconn: +- safe_close(cfd); + return; + + fail: +@@ -2433,7 +2432,6 @@ fail: + bus_error_message(&error, r)); + + socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES); +- safe_close(cfd); + } + + static void socket_run_next(Socket *s) { +-- +2.26.2 + diff --git a/SOURCES/17031_propagate_start_limit_hit.patch b/SOURCES/17031_propagate_start_limit_hit.patch new file mode 100644 index 0000000..4490100 --- /dev/null +++ b/SOURCES/17031_propagate_start_limit_hit.patch @@ -0,0 +1,233 @@ +From 7a481a17ad01c7be526829a835f7da3d6b71577f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 11 Sep 2020 19:49:33 +0200 +Subject: [PATCH 1/3] core: propagate triggered unit in more load states + +In 4c2ef3276735ad9f7fccf33f5bdcbe7d8751e7ec we enabled propagating +triggered unit state to the triggering unit for service units in more +load states, so that we don't accidentally stop tracking state +correctly. + +Do the same for our other triggering unit states: automounts, paths, and +timers. + +Also, make this an assertion rather than a simple test. After all it +should never happen that we get called for half-loaded units or units of +the wrong type. The load routines should already have made this +impossible. +--- + src/core/automount.c | 4 ++-- + src/core/path.c | 7 +++---- + src/core/socket.c | 9 ++------- + src/core/timer.c | 4 ++-- + src/core/transaction.c | 2 +- + src/core/unit.h | 4 ++++ + 6 files changed, 14 insertions(+), 16 deletions(-) + +diff --git a/src/core/automount.c b/src/core/automount.c +index 1f05198766..73f0fb8c71 100644 +--- a/src/core/automount.c ++++ b/src/core/automount.c +@@ -507,8 +507,8 @@ static void automount_trigger_notify(Unit *u, Unit *other) { + assert(other); + + /* Filter out invocations with bogus state */ +- if (other->load_state != UNIT_LOADED || other->type != UNIT_MOUNT) +- return; ++ assert(UNIT_IS_LOAD_COMPLETE(other->load_state)); ++ assert(other->type == UNIT_MOUNT); + + /* Don't propagate state changes from the mount if we are already down */ + if (!IN_SET(a->state, AUTOMOUNT_WAITING, AUTOMOUNT_RUNNING)) +diff --git a/src/core/path.c b/src/core/path.c +index 1c3c28e341..8ffec72ede 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -748,11 +748,10 @@ static void path_trigger_notify(Unit *u, Unit *other) { + assert(u); + assert(other); + +- /* Invoked whenever the unit we trigger changes state or gains +- * or loses a job */ ++ /* Invoked whenever the unit we trigger changes state or gains or loses a job */ + +- if (other->load_state != UNIT_LOADED) +- return; ++ /* Filter out invocations with bogus state */ ++ assert(UNIT_IS_LOAD_COMPLETE(other->load_state)); + + if (p->state == PATH_RUNNING && + UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) { +diff --git a/src/core/socket.c b/src/core/socket.c +index 127195c9fe..ebf5ce3b16 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -3274,13 +3274,8 @@ static void socket_trigger_notify(Unit *u, Unit *other) { + assert(other); + + /* Filter out invocations with bogus state */ +- if (!IN_SET(other->load_state, +- UNIT_LOADED, +- UNIT_NOT_FOUND, +- UNIT_BAD_SETTING, +- UNIT_ERROR, +- UNIT_MASKED) || other->type != UNIT_SERVICE) +- return; ++ assert(UNIT_IS_LOAD_COMPLETE(other->load_state)); ++ assert(other->type == UNIT_SERVICE); + + /* Don't propagate state changes from the service if we are already down */ + if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING)) +diff --git a/src/core/timer.c b/src/core/timer.c +index 03a9c14f76..94388f0727 100644 +--- a/src/core/timer.c ++++ b/src/core/timer.c +@@ -746,8 +746,8 @@ static void timer_trigger_notify(Unit *u, Unit *other) { + assert(u); + assert(other); + +- if (other->load_state != UNIT_LOADED) +- return; ++ /* Filter out invocations with bogus state */ ++ assert(UNIT_IS_LOAD_COMPLETE(other->load_state)); + + /* Reenable all timers that depend on unit state */ + LIST_FOREACH(value, v, t->values) +diff --git a/src/core/transaction.c b/src/core/transaction.c +index 0fa419787e..befac19788 100644 +--- a/src/core/transaction.c ++++ b/src/core/transaction.c +@@ -949,7 +949,7 @@ int transaction_add_job_and_dependencies( + + /* Safety check that the unit is a valid state, i.e. not in UNIT_STUB or UNIT_MERGED which should only be set + * temporarily. */ +- if (!IN_SET(unit->load_state, UNIT_LOADED, UNIT_ERROR, UNIT_NOT_FOUND, UNIT_BAD_SETTING, UNIT_MASKED)) ++ if (!UNIT_IS_LOAD_COMPLETE(unit->load_state)) + return sd_bus_error_setf(e, BUS_ERROR_LOAD_FAILED, "Unit %s is not loaded properly.", unit->id); + + if (type != JOB_STOP) { +diff --git a/src/core/unit.h b/src/core/unit.h +index 4130cd50a9..ae2ce74243 100644 +--- a/src/core/unit.h ++++ b/src/core/unit.h +@@ -49,6 +49,10 @@ static inline bool UNIT_IS_INACTIVE_OR_FAILED(UnitActiveState t) { + return IN_SET(t, UNIT_INACTIVE, UNIT_FAILED); + } + ++static inline bool UNIT_IS_LOAD_COMPLETE(UnitLoadState t) { ++ return t >= 0 && t < _UNIT_LOAD_STATE_MAX && t != UNIT_STUB && t != UNIT_MERGED; ++} ++ + /* Stores the 'reason' a dependency was created as a bit mask, i.e. due to which configuration source it came to be. We + * use this so that we can selectively flush out parts of dependencies again. Note that the same dependency might be + * created as a result of multiple "reasons", hence the bitmask. */ +-- +2.26.2 + + +From 6b083e21c2bfdba79d43d5d56f02dc795dae9368 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 11 Sep 2020 19:57:09 +0200 +Subject: [PATCH 2/3] core: propagate unit start limit hit state to triggering + path unit + +We already do this for socket and automount units, do it for path units +too: if the triggered service keeps hitting the start limit, then fail +the triggering unit too, so that we don#t busy loop forever. + +(Note that this leaves only timer units out in the cold for this kind of +protection, but it shouldn't matter there, as they are naturally +protected against busy loops: they are scheduled by time anyway). + +Fixes: #16669 +--- + src/core/path.c | 15 +++++++++++++++ + src/core/path.h | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/src/core/path.c b/src/core/path.c +index 8ffec72ede..4f4e7100cf 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -753,6 +753,20 @@ static void path_trigger_notify(Unit *u, Unit *other) { + /* Filter out invocations with bogus state */ + assert(UNIT_IS_LOAD_COMPLETE(other->load_state)); + ++ /* Don't propagate state changes from the triggered unit if we are already down */ ++ if (!IN_SET(p->state, PATH_WAITING, PATH_RUNNING)) ++ return; ++ ++ /* Propagate start limit hit state */ ++ if (other->start_limit_hit) { ++ path_enter_dead(p, PATH_FAILURE_UNIT_START_LIMIT_HIT); ++ return; ++ } ++ ++ /* Don't propagate anything if there's still a job queued */ ++ if (other->job) ++ return; ++ + if (p->state == PATH_RUNNING && + UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) { + log_unit_debug(UNIT(p), "Got notified about unit deactivation."); +@@ -789,6 +803,7 @@ static const char* const path_result_table[_PATH_RESULT_MAX] = { + [PATH_SUCCESS] = "success", + [PATH_FAILURE_RESOURCES] = "resources", + [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit", ++ [PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit", + }; + + DEFINE_STRING_TABLE_LOOKUP(path_result, PathResult); +diff --git a/src/core/path.h b/src/core/path.h +index 9e2836535a..4043650fe0 100644 +--- a/src/core/path.h ++++ b/src/core/path.h +@@ -45,6 +45,7 @@ typedef enum PathResult { + PATH_SUCCESS, + PATH_FAILURE_RESOURCES, + PATH_FAILURE_START_LIMIT_HIT, ++ PATH_FAILURE_UNIT_START_LIMIT_HIT, + _PATH_RESULT_MAX, + _PATH_RESULT_INVALID = -1 + } PathResult; +-- +2.26.2 + + +From 32c556c612ff38b09fe7d14d1840aceb2d76360d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 14 Sep 2020 12:59:38 +0200 +Subject: [PATCH 3/3] unit-def: drop pointless 0 initialization of first enum + value + +This is implied in C and we generally don't bother with this, so don't +bother with this here either. +--- + src/basic/unit-def.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/basic/unit-def.h b/src/basic/unit-def.h +index 53419ecd8a..1fab6c78ab 100644 +--- a/src/basic/unit-def.h ++++ b/src/basic/unit-def.h +@@ -9,7 +9,7 @@ + * when other criteria (cpu weight, nice level) are identical. + * In this case service units have the highest priority. */ + typedef enum UnitType { +- UNIT_SERVICE = 0, ++ UNIT_SERVICE, + UNIT_MOUNT, + UNIT_SWAP, + UNIT_SOCKET, +@@ -25,7 +25,7 @@ typedef enum UnitType { + } UnitType; + + typedef enum UnitLoadState { +- UNIT_STUB = 0, ++ UNIT_STUB, + UNIT_LOADED, + UNIT_NOT_FOUND, /* error condition #1: unit file not found */ + UNIT_BAD_SETTING, /* error condition #2: we couldn't parse some essential unit file setting */ +-- +2.26.2 + diff --git a/SOURCES/17082_nspawn_tty_tweaks.patch b/SOURCES/17082_nspawn_tty_tweaks.patch new file mode 100644 index 0000000..adee19a --- /dev/null +++ b/SOURCES/17082_nspawn_tty_tweaks.patch @@ -0,0 +1,316 @@ +From 0ead15331dc9414e7d4b3f0b96ed1908ceaf8f8b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 16 Sep 2020 22:11:48 +0200 +Subject: [PATCH 1/5] nspawn: check return of setsid() + +Let's verify that everything works the way we expect it to work, hence +check setsid() return code. +--- + src/nspawn/nspawn-stub-pid1.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn-stub-pid1.c b/src/nspawn/nspawn-stub-pid1.c +index d86dd23185..f785a3b248 100644 +--- a/src/nspawn/nspawn-stub-pid1.c ++++ b/src/nspawn/nspawn-stub-pid1.c +@@ -66,7 +66,10 @@ int stub_pid1(sd_id128_t uuid) { + if (pid == 0) { + /* Return in the child */ + assert_se(sigprocmask(SIG_SETMASK, &oldmask, NULL) >= 0); +- setsid(); ++ ++ if (setsid() < 0) ++ return log_error_errno(errno, "Failed to become session leader in payload process: %m"); ++ + return 0; + } + +-- +2.26.2 + + +From b4fa908fbdcbcf01c96e983460689800b8bb76af Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 16 Sep 2020 22:12:29 +0200 +Subject: [PATCH 2/5] nspawn: print log notice when we are invoked from a tty + but in "pipe" mode + +If people do this then things are weird, and they should probably use +--console=interactive (i.e. the default) instead. + +Prompted-by: #17070 +--- + src/nspawn/nspawn.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 3b9493f232..efc541f512 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -272,9 +272,15 @@ static int handle_arg_console(const char *arg) { + arg_console_mode = CONSOLE_READ_ONLY; + else if (streq(arg, "passive")) + arg_console_mode = CONSOLE_PASSIVE; +- else if (streq(arg, "pipe")) ++ else if (streq(arg, "pipe")) { ++ if (isatty(STDIN_FILENO) > 0 && isatty(STDOUT_FILENO) > 0) ++ log_full(arg_quiet ? LOG_DEBUG : LOG_NOTICE, ++ "Console mode 'pipe' selected, but standard input/output are connected to an interactive TTY. " ++ "Most likely you want to use 'interactive' console mode for proper interactivity and shell job control. " ++ "Proceeding anyway."); ++ + arg_console_mode = CONSOLE_PIPE; +- else ++ } else + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown console mode: %s", optarg); + + arg_settings_mask |= SETTING_CONSOLE_MODE; +-- +2.26.2 + + +From 19db1706dadcec4f4c44f9abf8dc33a336f93326 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 16 Sep 2020 22:16:10 +0200 +Subject: [PATCH 3/5] nspawn: fix fd leak on failure path + +--- + src/nspawn/nspawn.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index efc541f512..15dbdbe738 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -2178,7 +2178,7 @@ static int setup_pts(const char *dest) { + } + + static int setup_stdio_as_dev_console(void) { +- int terminal; ++ _cleanup_close_ int terminal = -1; + int r; + + terminal = open_terminal("/dev/console", O_RDWR); +@@ -2193,6 +2193,7 @@ static int setup_stdio_as_dev_console(void) { + + /* invalidates 'terminal' on success and failure */ + r = rearrange_stdio(terminal, terminal, terminal); ++ TAKE_FD(terminal); + if (r < 0) + return log_error_errno(r, "Failed to move console to stdin/stdout/stderr: %m"); + +-- +2.26.2 + + +From d297a871ef720227af845fe8b0f1e0fe7560b433 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 16 Sep 2020 22:34:43 +0200 +Subject: [PATCH 4/5] nspawn: don't become TTY controller just to undo it later + again + +Instead of first becoming a controlling process of the payload pty +as side effect of opening it (without O_NOCTTY), and then possibly +dropping it again, let's do it cleanly an reverse the logic: let's open +the pty without becoming its controller first. Only after everything +went the way we wanted it to go become the controller explicitly. + +This has the benefit that the PID 1 stub process we run (as effect of +--as-pid2) doesn't have to lose the tty explicitly, but can just +continue running with things. And we explicitly make the tty controlling +right before invoking actual payload. + +In order to make sure everything works as expected validate that the +stub PID 1 in the container really has no conrolling tty by issuing the +TIOCNOTTY tty and expecting ENOTTY, and log about it. + +This shouldn't change behaviour much, it just makes thins a bit cleaner, +in particular as we'll not trigger SIGHUP on ourselves (since we are +controller and session leader) due to TIOCNOTTY which we then have to +explicitly ignore. +--- + src/nspawn/nspawn-stub-pid1.c | 12 ++++++------ + src/nspawn/nspawn.c | 16 +++++++++++++--- + 2 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/src/nspawn/nspawn-stub-pid1.c b/src/nspawn/nspawn-stub-pid1.c +index f785a3b248..60d7439fb1 100644 +--- a/src/nspawn/nspawn-stub-pid1.c ++++ b/src/nspawn/nspawn-stub-pid1.c +@@ -53,12 +53,6 @@ int stub_pid1(sd_id128_t uuid) { + assert_se(sigfillset(&fullmask) >= 0); + assert_se(sigprocmask(SIG_BLOCK, &fullmask, &oldmask) >= 0); + +- /* Surrender the terminal this stub may control so that child processes can have a controlling terminal +- * without resorting to setsid hacks. */ +- r = ioctl(STDIN_FILENO, TIOCNOTTY); +- if (r < 0 && errno != ENOTTY) +- return log_error_errno(errno, "Failed to surrender controlling terminal: %m"); +- + pid = fork(); + if (pid < 0) + return log_error_errno(errno, "Failed to fork child pid: %m"); +@@ -79,6 +73,12 @@ int stub_pid1(sd_id128_t uuid) { + (void) close_all_fds(NULL, 0); + log_open(); + ++ if (ioctl(STDIN_FILENO, TIOCNOTTY) < 0) { ++ if (errno != ENOTTY) ++ log_warning_errno(errno, "Unexpected error from TIOCNOTTY ioctl in init stub process, ignoring: %m"); ++ } else ++ log_warning("Expected TIOCNOTTY to fail, but it succeeded in init stub process, ignoring."); ++ + /* Flush out /proc/self/environ, so that we don't leak the environment from the host into the container. Also, + * set $container= and $container_uuid= so that clients in the container that query it from /proc/1/environ + * find them set. */ +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 15dbdbe738..783147f122 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -11,10 +11,12 @@ + #endif + #include + #include ++#include + #include + #include + #include + #include ++#include + #include + + #include "sd-bus.h" +@@ -2181,7 +2183,9 @@ static int setup_stdio_as_dev_console(void) { + _cleanup_close_ int terminal = -1; + int r; + +- terminal = open_terminal("/dev/console", O_RDWR); ++ /* We open the TTY in O_NOCTTY mode, so that we do not become controller yet. We'll do that later ++ * explicitly, if we are configured to. */ ++ terminal = open_terminal("/dev/console", O_RDWR|O_NOCTTY); + if (terminal < 0) + return log_error_errno(terminal, "Failed to open console: %m"); + +@@ -3213,8 +3217,7 @@ static int inner_child( + * wait until the parent is ready with the + * setup, too... */ + if (!barrier_place_and_sync(barrier)) /* #5 */ +- return log_error_errno(SYNTHETIC_ERRNO(ESRCH), +- "Parent died too early"); ++ return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Parent died too early"); + + if (arg_chdir) + if (chdir(arg_chdir) < 0) +@@ -3226,6 +3229,13 @@ static int inner_child( + return r; + } + ++ if (arg_console_mode != CONSOLE_PIPE) { ++ /* So far our pty wasn't controlled by any process. Finally, it's time to change that, if we ++ * are configured for that. Acquire it as controlling tty. */ ++ if (ioctl(STDIN_FILENO, TIOCSCTTY) < 0) ++ return log_error_errno(errno, "Failed to acquire controlling TTY: %m"); ++ } ++ + log_debug("Inner child completed, invoking payload."); + + /* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first +-- +2.26.2 + + +From 196b94c2db3f0b763480e98df98f288bcd044a6e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 17 Sep 2020 16:26:14 +0200 +Subject: [PATCH 5/5] nspawn: add --console=autopipe mode + +By default we'll run a container in --console=interactive and +--console=read-only mode depending if we are invoked on a tty or not so +that the container always gets a /dev/console allocated, i.e is always +suitable to run a full init system /as those typically expect a +/dev/console to exist). + +With the new --console=autopipe mode we do something similar, but +slightly different: when not invoked on a tty we'll use --console=pipe. +This means, if you invoke some tool in a container with this you'll get +full inetractivity if you invoke it on a tty but things will also be +very nicely pipeable. OTOH you cannot invoke a full init system like +this, because you might or might not become a /dev/console this way... + +Prompted-by: #17070 + +(I named this "autopipe" rather than "auto" or so, since the default +mode probably should be named "auto" one day if we add a name for it, +and this is so similar to "auto" except that it uses pipes in the +non-tty case). +--- + man/systemd-nspawn.xml | 21 ++++++++++++--------- + src/nspawn/nspawn.c | 12 +++++++++--- + 2 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml +index 69558ac85c..b2c2a5006c 100644 +--- a/man/systemd-nspawn.xml ++++ b/man/systemd-nspawn.xml +@@ -1370,15 +1370,18 @@ + + Configures how to set up standard input, output and error output for the container + payload, as well as the /dev/console device for the container. Takes one of +- , , , or +- . If , a pseudo-TTY is allocated and made available +- as /dev/console in the container. It is then bi-directionally connected to the +- standard input and output passed to systemd-nspawn. is +- similar but only the output of the container is propagated and no input from the caller is read. If +- , a pseudo TTY is allocated, but it is not connected anywhere. Finally, in +- mode no pseudo TTY is allocated, but the standard input, output and error +- output file descriptors passed to systemd-nspawn are passed on — as they are — to +- the container payload, see the following paragraph. Defaults to if ++ , , , ++ or . If , a pseudo-TTY is ++ allocated and made available as /dev/console in the container. It is then ++ bi-directionally connected to the standard input and output passed to ++ systemd-nspawn. is similar but only the output of the ++ container is propagated and no input from the caller is read. If , a pseudo ++ TTY is allocated, but it is not connected anywhere. In mode no pseudo TTY is ++ allocated, but the standard input, output and error output file descriptors passed to ++ systemd-nspawn are passed on — as they are — to the container payload, see the ++ following paragraph. Finally, mode operates like ++ when systemd-nspawn is invoked on a terminal, and ++ like otherwise. Defaults to if + systemd-nspawn is invoked from a terminal, and + otherwise. + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 783147f122..8837371232 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -261,10 +261,11 @@ STATIC_DESTRUCTOR_REGISTER(arg_sysctl, strv_freep); + + static int handle_arg_console(const char *arg) { + if (streq(arg, "help")) { +- puts("interactive\n" +- "read-only\n" ++ puts("autopipe\n" ++ "interactive\n" + "passive\n" +- "pipe"); ++ "pipe\n" ++ "read-only"); + return 0; + } + +@@ -282,6 +283,11 @@ static int handle_arg_console(const char *arg) { + "Proceeding anyway."); + + arg_console_mode = CONSOLE_PIPE; ++ } else if (streq(arg, "autopipe")) { ++ if (isatty(STDIN_FILENO) > 0 && isatty(STDOUT_FILENO) > 0) ++ arg_console_mode = CONSOLE_INTERACTIVE; ++ else ++ arg_console_mode = CONSOLE_PIPE; + } else + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown console mode: %s", optarg); + +-- +2.26.2 + diff --git a/SOURCES/20-grubby.install b/SOURCES/20-grubby.install new file mode 100755 index 0000000..e059125 --- /dev/null +++ b/SOURCES/20-grubby.install @@ -0,0 +1,51 @@ +#!/bin/bash + +if [[ ! -x /sbin/new-kernel-pkg ]]; then + exit 0 +fi + +COMMAND="$1" +KERNEL_VERSION="$2" +BOOT_DIR_ABS="$3" +KERNEL_IMAGE="$4" + +KERNEL_DIR="${KERNEL_IMAGE%/*}" +[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}" +case "$COMMAND" in + add) + if [[ "${KERNEL_DIR}" != "/boot" ]]; then + for i in \ + "$KERNEL_IMAGE" \ + "$KERNEL_DIR"/System.map \ + "$KERNEL_DIR"/config \ + "$KERNEL_DIR"/zImage.stub \ + "$KERNEL_DIR"/dtb \ + ; do + [[ -e "$i" ]] || continue + cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}" + command -v restorecon &>/dev/null && \ + restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}" + done + # hmac is .vmlinuz-.hmac so needs a special treatment + i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac" + if [[ -e "$i" ]]; then + cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac" + command -v restorecon &>/dev/null && \ + restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac" + fi + fi + /sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $? + /sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $? + /sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $? + ;; + remove) + /sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $? + ;; + *) + ;; +esac + +# skip other installation plugins, if we can't find a boot loader spec conforming setup +if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then + exit 77 +fi diff --git a/SOURCES/20-yama-ptrace.conf b/SOURCES/20-yama-ptrace.conf new file mode 100644 index 0000000..4fbaf97 --- /dev/null +++ b/SOURCES/20-yama-ptrace.conf @@ -0,0 +1,42 @@ +# The ptrace system call is used for interprocess services, +# communication and introspection (like synchronisation, signaling, +# debugging, tracing and profiling) of processes. +# +# Usage of ptrace is restricted by normal user permissions. Normal +# unprivileged processes cannot use ptrace on processes that they +# cannot send signals to or processes that are running set-uid or +# set-gid. Nevertheless, processes running under the same uid will +# usually be able to ptrace one another. +# +# Fedora enables the Yama security mechanism which restricts ptrace +# even further. Sysctl setting kernel.yama.ptrace_scope can have one +# of the following values: +# +# 0 - Normal ptrace security permissions. +# 1 - Restricted ptrace. Only child processes plus normal permissions. +# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE. +# 3 - No attach. No process may call ptrace at all. Irrevocable. +# +# For more information see Documentation/security/Yama.txt in the +# kernel sources. +# +# The default is 1., which allows tracing of child processes, but +# forbids tracing of arbitrary processes. This allows programs like +# gdb or strace to work when the most common way of having the +# debugger start the debuggee is used: +# gdb /path/to/program ... +# Attaching to already running programs is NOT allowed: +# gdb -p ... +# This default setting is suitable for the common case, because it +# reduces the risk that one hacked process can be used to attack other +# processes. (For example, a hacked firefox process in a user session +# will not be able to ptrace the keyring process and extract passwords +# stored only in memory.) +# +# Developers and administrators might want to disable those protections +# to be able to attach debuggers to existing processes. Use +# sysctl kernel.yama.ptrace_scope=0 +# for change the setting temporarily, or copy this file to +# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots. + +kernel.yama.ptrace_scope = 0 diff --git a/SOURCES/FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch b/SOURCES/FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch new file mode 100644 index 0000000..3bfe4ef --- /dev/null +++ b/SOURCES/FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch @@ -0,0 +1,13 @@ +diff --git a/rules.d/60-persistent-storage.rules b/rules.d/60-persistent-storage.rules +index 1d8880e..46ea568 100644 +--- a/rules.d/60-persistent-storage.rules ++++ b/rules.d/60-persistent-storage.rules +@@ -7,7 +7,7 @@ ACTION=="remove", GOTO="persistent_storage_end" + ENV{UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG}=="1", GOTO="persistent_storage_end" + + SUBSYSTEM!="block", GOTO="persistent_storage_end" +-KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*|ubi*|scm*|pmem*|nbd*|zd*", GOTO="persistent_storage_end" ++KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|fio*|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*|ubi*|scm*|pmem*|nbd*|zd*", GOTO="persistent_storage_end" + + # ignore partitions that span the entire disk + TEST=="whole_disk", GOTO="persistent_storage_end" diff --git a/SOURCES/macros.sysusers b/SOURCES/macros.sysusers new file mode 100644 index 0000000..d8d8c1d --- /dev/null +++ b/SOURCES/macros.sysusers @@ -0,0 +1,10 @@ +# RPM macros for packages creating system accounts +# +# Turn a sysusers.d file into macros specified by +# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation + +%sysusers_requires_compat Requires(pre): shadow-utils + +%sysusers_create_compat() \ +%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \ +%{nil} diff --git a/SOURCES/purge-nobody-user b/SOURCES/purge-nobody-user new file mode 100755 index 0000000..66404fe --- /dev/null +++ b/SOURCES/purge-nobody-user @@ -0,0 +1,101 @@ +#!/bin/bash -eu + +if [ $UID -ne 0 ]; then + echo "WARNING: This script needs to run as root to be effective" + exit 1 +fi + +export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 + +if [ "${1:-}" = "--ignore-journal" ]; then + shift + ignore_journal=1 +else + ignore_journal=0 +fi + +echo "Checking processes..." +if ps h -u 99 | grep .; then + echo "ERROR: ps reports processes with UID 99!" + exit 2 +fi +echo "... not found" + +echo "Checking UTMP..." +if w -h 199 | grep . ; then + echo "ERROR: w reports UID 99 as active!" + exit 2 +fi +if w -h nobody | grep . ; then + echo "ERROR: w reports user nobody as active!" + exit 2 +fi +echo "... not found" + +echo "Checking the journal..." +if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then + echo "ERROR: journalctl reports messages from UID 99 in current boot!" + exit 2 +fi +echo "... not found" + +echo "Looking for files in /etc, /run, /tmp, and /var..." +if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then + echo "ERROR: found files belonging to UID 99" + exit 2 +fi +echo "... not found" + +echo "Checking if nobody is defined correctly..." +if getent passwd nobody | + grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin'; +then + echo "OK, nothing to do." + exit 0 +else + echo "NOTICE: User nobody is not defined correctly" +fi + +echo "Checking if nfsnobody or something else is using the uid..." +if getent passwd 65534 | grep . ; then + echo "NOTICE: will have to remove this user" +else + echo "... not found" +fi + +if [ "${1:-}" = "-x" ]; then + if getent passwd nobody >/dev/null; then + # this will remove both the user and the group. + ( set -x + userdel nobody + ) + fi + + if getent passwd 65534 >/dev/null; then + # Make sure the uid is unused. This should free gid too. + name="$(getent passwd 65534 | cut -d: -f1)" + ( set -x + userdel "$name" + ) + fi + + if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then + echo "Sleeping, so sss can catch up" + sleep 3 + fi + + if getent group 65534; then + # Make sure the gid is unused, even if uid wasn't. + name="$(getent group 65534 | cut -d: -f1)" + ( set -x + groupdel "$name" + ) + fi + + # systemd-sysusers uses the same gid and uid + ( set -x + systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin' + ) +else + echo "Pass '-x' to perform changes" +fi diff --git a/SOURCES/split-files.py b/SOURCES/split-files.py new file mode 100644 index 0000000..f3e3aa6 --- /dev/null +++ b/SOURCES/split-files.py @@ -0,0 +1,128 @@ +import re, sys, os, collections + +buildroot = sys.argv[1] +known_files = sys.stdin.read().splitlines() +known_files = {line.split()[-1]:line for line in known_files} + +def files(root): + os.chdir(root) + todo = collections.deque(['.']) + while todo: + n = todo.pop() + files = os.scandir(n) + for file in files: + yield file + if file.is_dir() and not file.is_symlink(): + todo.append(file) + +o_libs = open('.file-list-libs', 'w') +o_udev = open('.file-list-udev', 'w') +o_pam = open('.file-list-pam', 'w') +o_rpm_macros = open('.file-list-rpm-macros', 'w') +o_devel = open('.file-list-devel', 'w') +o_container = open('.file-list-container', 'w') +o_remote = open('.file-list-remote', 'w') +o_tests = open('.file-list-tests', 'w') +o_rest = open('.file-list-rest', 'w') +for file in files(buildroot): + n = file.path[1:] + if re.match(r'''/usr/(share|include)$| + /usr/share/man(/man.|)$| + /usr/share/zsh(/site-functions|)$| + /usr/share/dbus-1$| + /usr/share/dbus-1/system.d$| + /usr/share/dbus-1/(system-|)services$| + /usr/share/polkit-1(/actions|/rules.d|)$| + /usr/share/pkgconfig$| + /usr/share/bash-completion(/completions|)$| + /usr(/lib|/lib64|/bin|/sbin|)$| + /usr/lib.*/(security|pkgconfig)$| + /usr/lib/rpm(/macros.d|)$| + /usr/lib/firewalld(/services|)$| + /usr/share/(locale|licenses|doc)| # no $ + /etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$| + /etc/(dnf|dnf/protected.d)$| + /usr/(src|lib/debug)| # no $ + /run$| + /var(/cache|/log|/lib|/run|)$ + ''', n, re.X): + continue + if '/security/pam_' in n or '/man8/pam_' in n: + o = o_pam + elif '/rpm/' in n: + o = o_rpm_macros + elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(? + + systemd-journal-gatewayd + Journal Gateway Service + + diff --git a/SOURCES/systemd-journal-remote.xml b/SOURCES/systemd-journal-remote.xml new file mode 100644 index 0000000..e115a12 --- /dev/null +++ b/SOURCES/systemd-journal-remote.xml @@ -0,0 +1,6 @@ + + + systemd-journal-remote + Journal Remote Sink + + diff --git a/SOURCES/systemd-udev-trigger-no-reload.conf b/SOURCES/systemd-udev-trigger-no-reload.conf new file mode 100644 index 0000000..c879427 --- /dev/null +++ b/SOURCES/systemd-udev-trigger-no-reload.conf @@ -0,0 +1,3 @@ +[Unit] +# https://bugzilla.redhat.com/show_bug.cgi?id=1378974#c17 +RefuseManualStop=true diff --git a/SOURCES/systemd-user b/SOURCES/systemd-user new file mode 100644 index 0000000..2725df9 --- /dev/null +++ b/SOURCES/systemd-user @@ -0,0 +1,10 @@ +# This file is part of systemd. +# +# Used by systemd --user instances. + +account include system-auth + +session required pam_selinux.so close +session required pam_selinux.so nottys open +session required pam_loginuid.so +session include system-auth diff --git a/SOURCES/sysusers.attr b/SOURCES/sysusers.attr new file mode 100644 index 0000000..367c137 --- /dev/null +++ b/SOURCES/sysusers.attr @@ -0,0 +1,2 @@ +%__sysusers_provides %{_rpmconfigdir}/sysusers.prov +%__sysusers_path ^%{_sysusersdir}/.*\\.conf$ diff --git a/SOURCES/sysusers.generate-pre.sh b/SOURCES/sysusers.generate-pre.sh new file mode 100755 index 0000000..6c481c3 --- /dev/null +++ b/SOURCES/sysusers.generate-pre.sh @@ -0,0 +1,79 @@ +#!/bin/bash + +# This script turns sysuser.d files into scriptlets mandated by Fedora +# packaging guidelines. The general idea is to define users using the +# declarative syntax but to turn this into traditional scriptlets. + +user() { + user="$1" + uid="$2" + desc="$3" + group="$4" + home="$5" + shell="$6" + +[ "$desc" = '-' ] && desc= +[ "$home" = '-' -o "$home" = '' ] && home=/ +[ "$shell" = '-' -o "$shell" = '' ] && shell=/sbin/nologin + +if [ "$uid" = '-' -o "$uid" = '' ]; then + cat </dev/null || \\ + useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' +EOF +else + cat </dev/null ; then + if ! getent passwd '$uid' >/dev/null ; then + useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user' + else + useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user' + fi +fi + +EOF +fi +} + +group() { + group="$1" + gid="$2" +if [ "$gid" = '-' ]; then + cat </dev/null || groupadd -r '$group' +EOF +else + cat </dev/null || groupadd -f -g '$gid' -r '$group' +EOF +fi +} + +parse() { + while read line || [ "$line" ]; do + [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue + line="${line## *}" + [ -z "$line" ] && continue + eval arr=( $line ) + case "${arr[0]}" in + ('u') + group "${arr[1]}" "${arr[2]}" + user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" + # TODO: user:group support + ;; + ('g') + group "${arr[1]}" "${arr[2]}" + ;; + ('m') + group "${arr[2]}" "-" + user "${arr[1]}" "-" "" "${arr[2]}" + ;; + esac + done +} + +for fn in "$@"; do + [ -e "$fn" ] || continue + echo "# generated from $(basename $fn)" + parse < "$fn" +done diff --git a/SOURCES/sysusers.prov b/SOURCES/sysusers.prov new file mode 100755 index 0000000..a6eda5d --- /dev/null +++ b/SOURCES/sysusers.prov @@ -0,0 +1,28 @@ +#!/bin/bash + +parse() { + while read line; do + [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue + line="${line## *}" + [ -z "$line" ] && continue + set -- $line + case "$1" in + ('u') + echo "user($2)" + echo "group($2)" + # TODO: user:group support + ;; + ('g') + echo "group($2)" + ;; + ('m') + echo "user($2)" + echo "group($3)" + ;; + esac + done +} + +while read fn; do + parse < "$fn" +done diff --git a/SOURCES/triggers.systemd b/SOURCES/triggers.systemd new file mode 100644 index 0000000..7a7e792 --- /dev/null +++ b/SOURCES/triggers.systemd @@ -0,0 +1,111 @@ +# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */ +# SPDX-License-Identifier: LGPL-2.1+ +# +# This file is part of systemd. +# +# Copyright 2015 Zbigniew Jędrzejewski-Szmek +# Copyright 2018 Neal Gompa +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. +# +# systemd is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with systemd; If not, see . + +# The contents of this are an example to be copied into systemd.spec. +# +# Minimum rpm version supported: 4.13.0 + +%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system +# This script will run after any package is initially installed or +# upgraded. We care about the case where a package is initially +# installed, because other cases are covered by the *un scriptlets, +# so sometimes we will reload needlessly. +if test -d /run/systemd/system; then + %{_bindir}/systemctl daemon-reload +fi + +%transfiletriggerun -- /usr/lib/systemd/system /etc/systemd/system +# On removal, we need to run daemon-reload after any units have been +# removed. %transfiletriggerpostun would be ideal, but it does not get +# executed for some reason. +# On upgrade, we need to run daemon-reload after any new unit files +# have been installed, but before %postun scripts in packages get +# executed. %transfiletriggerun gets the right list of files +# but it is invoked too early (before changes happen). +# %filetriggerpostun happens at the right time, but it fires for +# every package. +# To execute the reload at the right time, we create a state +# file in %transfiletriggerun and execute the daemon-reload in +# the first %filetriggerpostun. + +if test -d "/run/systemd/system"; then + mkdir -p "%{_localstatedir}/lib/rpm-state/systemd" + touch "%{_localstatedir}/lib/rpm-state/systemd/needs-reload" +fi + +%filetriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system +if test -f "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"; then + rm -rf "%{_localstatedir}/lib/rpm-state/systemd" + %{_bindir}/systemctl daemon-reload +fi + +%transfiletriggerin -P 100700 -- /usr/lib/sysusers.d +# This script will process files installed in /usr/lib/sysusers.d to create +# specified users automatically. The priority is set such that it +# will run before the tmpfiles file trigger. +if test -d /run/systemd/system; then + %{_bindir}/systemd-sysusers || : +fi + +%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d +# This script will process files installed in /usr/lib/tmpfiles.d to create +# tmpfiles automatically. The priority is set such that it will run +# after the sysusers file trigger, but before any other triggers. +if test -d /run/systemd/system; then + %{_bindir}/systemd-tmpfiles --create || : +fi + +%transfiletriggerin udev -- /usr/lib/udev/hwdb.d +# This script will automatically invoke hwdb update if files have been +# installed or updated in /usr/lib/udev/hwdb.d. +if test -d /run/systemd/system; then + %{_bindir}/systemd-hwdb update || : +fi + +%transfiletriggerin -- /usr/lib/systemd/catalog +# This script will automatically invoke journal catalog update if files +# have been installed or updated in /usr/lib/systemd/catalog. +if test -d /run/systemd/system; then + %{_bindir}/journalctl --update-catalog || : +fi + +%transfiletriggerin udev -- /usr/lib/udev/rules.d +# This script will automatically update udev with new rules if files +# have been installed or updated in /usr/lib/udev/rules.d. +if test -e /run/udev/control; then + %{_bindir}/udevadm control --reload || : +fi + +%transfiletriggerin -- /usr/lib/sysctl.d +# This script will automatically apply sysctl rules if files have been +# installed or updated in /usr/lib/sysctl.d. +if test -d /run/systemd/system; then + /usr/lib/systemd/systemd-sysctl || : +fi + +%transfiletriggerin -- /usr/lib/binfmt.d +# This script will automatically apply binfmt rules if files have been +# installed or updated in /usr/lib/binfmt.d. +if test -d /run/systemd/system; then + # systemd-binfmt might fail if binfmt_misc kernel module is not loaded + # during install + /usr/lib/systemd/systemd-binfmt || : +fi diff --git a/SOURCES/yum-protect-systemd.conf b/SOURCES/yum-protect-systemd.conf new file mode 100644 index 0000000..39426d7 --- /dev/null +++ b/SOURCES/yum-protect-systemd.conf @@ -0,0 +1,2 @@ +systemd +systemd-udev diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec new file mode 100644 index 0000000..cc0805b --- /dev/null +++ b/SPECS/systemd.spec @@ -0,0 +1,3138 @@ +# Meson settings +%global _vpath_srcdir . +%global _vpath_builddir %{_target_platform} +%global __global_cflags %{optflags} +%global __global_cxxflags %{optflags} +%global __global_fflags %{optflags} -I%_fmoddir +%global __global_fcflags %{optflags} -I%_fmoddir +%global __global_ldflags -Wl,-z,relro %{_hardened_ldflags} + +%define _python_bytecompile_errors_terminate_build 0 + +#global commit 7f56c26d1041e686efa72b339250a98fb6ee8f00 +%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} + +%global stable 1 + +# We ship a .pc file but don't want to have a dep on pkg-config. We +# strip the automatically generated dep here and instead co-own the +# directory. +%global __requires_exclude pkg-config + +%global pkgdir %{_prefix}/lib/systemd +%global system_unit_dir %{pkgdir}/system +%global user_unit_dir %{pkgdir}/user + +%if 0%{?facebook} +%if 0%{?el7} +### The version of meson and redhat-rpm-config is not in sync in C7. +### Copied from the 'redhat-rpm-config-123-1' version of /usr/lib/rpm/redhat/macros +### to support the building of systemd via meson that uses the +### set_build_flags macro. +%global _ld_symbols_flags %{?_strict_symbol_defs_build:-Wl,-z,defs} + +#============================================================================== +# ---- compiler flags. + +# C compiler flags. This is traditionally called CFLAGS in makefiles. +# Historically also available as %%{optflags}, and %%build sets the +# environment variable RPM_OPT_FLAGS to this value. +%global build_cflags %{optflags} + +# C++ compiler flags. This is traditionally called CXXFLAGS in makefiles. +%global build_cxxflags %{optflags} + +# Fortran compiler flags. Makefiles use both FFLAGS and FCFLAGS as +# the corresponding variable names. +%global build_fflags %{optflags} -I%{_fmoddir} + +# Link editor flags. This is usually called LDFLAGS in makefiles. +# (Some makefiles use LFLAGS instead.) The default value assumes that +# the flags, while intended for ld, are still passed through the gcc +# compiler driver. At the beginning of %%build, the environment +# variable RPM_LD_FLAGS to this value. +%global build_ldflags -Wl,-z,relro %{_ld_symbols_flags} %{_hardened_ldflags} + +# Expands to shell code to seot the compiler/linker environment +# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have +# not been set already. RPM_OPT_FLAGS and RPM_LD_FLAGS have already +# been set implicitly at the start of the %%build section. +%global set_build_flags \ + CFLAGS="${CFLAGS:-%{build_cflags}}" ; export CFLAGS ; \ + CXXFLAGS="${CXXFLAGS:-%{build_cxxflags}}" ; export CXXFLAGS ; \ + FFLAGS="${FFLAGS:-%{build_fflags}}" ; export FFLAGS ; \ + FCFLAGS="${FCFLAGS:-%{build_fflags}}" ; export FCFLAGS ; \ + LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS; + +### Copied from the rpm-4.14.2-36 version of /usr/lib/rpm/platform/x86_64-linux/macros +### to support the building of systemd via meson that uses the +### _smp_build_ncpus macro +%global _smp_build_ncpus %([ -z "$RPM_BUILD_NCPUS" ] \\\ + && RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"; \\\ + ncpus_max=%{?_smp_ncpus_max}; \\\ + if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \\\ + echo "$RPM_BUILD_NCPUS";) + +%global _smp_mflags -j%{_smp_build_ncpus} +%endif +%endif + +# Bootstrap may be needed to break intercircular dependencies with +# cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump. +%bcond_with bootstrap +%bcond_without tests + +Name: systemd +Url: https://www.freedesktop.org/wiki/Software/systemd +Version: 246.1 +Release: 1.fb6 +# For a breakdown of the licensing, see README +License: LGPLv2+ and MIT and GPLv2+ +Summary: System and Service Manager + +%global github_version %(c=%{version}; echo ${c}|tr '~' '-') + +# download tarballs with "spectool -g systemd.spec" +%if %{defined commit} +Source0: https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +%else +%if 0%{?stable} +Source0: https://github.com/systemd/systemd-stable/archive/v%{github_version}/%{name}-%{github_version}.tar.gz +%else +Source0: https://github.com/systemd/systemd/archive/v%{github_version}/%{name}-%{github_version}.tar.gz +%endif +%endif +# This file must be available before %%prep. +# It is generated during systemd build and can be found in build/src/core/. +Source1: triggers.systemd +Source2: split-files.py +Source3: purge-nobody-user + +# Prevent accidental removal of the systemd package +Source4: yum-protect-systemd.conf + +Source9: 20-yama-ptrace.conf +Source10: systemd-udev-trigger-no-reload.conf +Source11: 20-grubby.install +Source12: systemd-user + +Source21: macros.sysusers +Source22: sysusers.attr +Source23: sysusers.prov +Source24: sysusers.generate-pre.sh + +%if 0 +GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable +i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip +GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py > hwdb.patch +%endif + +Patch0002: 0001-Revert-test-path-increase-timeout.patch +Patch0003: 0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch + +Patch0004: 0001-test-acl-util-output-more-debug-info.patch +Patch0005: 0001-Do-not-assert-in-test_add_acls_for_user.patch + +Patch1001: FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch + +Patch1002: 16838_16857_improve_path_search.patch +Patch1003: 16940_cleanup_socket_econn_handling.patch +Patch1004: 17031_propagate_start_limit_hit.patch +Patch1005: 17082_nspawn_tty_tweaks.patch + +Patch1006: 0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch +Patch1007: 0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch +Patch1008: 0003-timer-add-new-feature-FixedRandomDelay.patch + +Patch1009: 16803_fix_asserts_conditions.patch + +%ifarch %{ix86} x86_64 aarch64 +%global have_gnu_efi 1 +%endif + +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: coreutils +BuildRequires: libcap-devel +BuildRequires: libmount-devel +BuildRequires: libfdisk-devel +BuildRequires: libpwquality-devel +BuildRequires: pam-devel +BuildRequires: libselinux-devel +BuildRequires: audit-libs-devel +%if %{without bootstrap} +BuildRequires: cryptsetup-devel +%endif +BuildRequires: dbus-devel +# /usr/bin/getfacl is needed by test-acl-util +BuildRequires: acl +BuildRequires: libacl-devel +BuildRequires: gobject-introspection-devel +BuildRequires: libblkid-devel +BuildRequires: xz-devel +BuildRequires: xz +BuildRequires: lz4-devel +BuildRequires: lz4 +BuildRequires: bzip2-devel +BuildRequires: libzstd-devel +BuildRequires: libidn2-devel +BuildRequires: libcurl-devel +BuildRequires: kmod-devel +BuildRequires: elfutils-devel +BuildRequires: openssl-devel +BuildRequires: libgcrypt-devel +BuildRequires: libgpg-error-devel +BuildRequires: gnutls-devel +BuildRequires: qrencode-devel +BuildRequires: libmicrohttpd-devel +BuildRequires: libxkbcommon-devel +BuildRequires: iptables-devel +BuildRequires: libxslt +BuildRequires: docbook-style-xsl +BuildRequires: pkgconfig +BuildRequires: gperf +BuildRequires: gawk +BuildRequires: tree +BuildRequires: hostname +%if 0%{?el7} +BuildRequires: python34-devel +BuildRequires: python34-lxml +%else +BuildRequires: python3-devel +BuildRequires: python3-lxml +%endif +BuildRequires: python3 +%global __python3 /usr/bin/python3 +%if 0%{?have_gnu_efi} +BuildRequires: gnu-efi gnu-efi-devel +%endif +BuildRequires: libseccomp-devel +BuildRequires: meson >= 0.43 +BuildRequires: gettext +# We use RUNNING_ON_VALGRIND in tests, so the headers need to be available +BuildRequires: valgrind-devel +BuildRequires: pkgconfig(bash-completion) + +Requires(post): coreutils +Requires(post): sed +Requires(post): acl +Requires(post): grep +# systemd-machine-id-setup requires libssl +Requires(post): openssl-libs +Requires(pre): coreutils +Requires(pre): /usr/bin/getent +Requires(pre): /usr/sbin/groupadd +Requires: dbus >= 1.9.18 +Requires: %{name}-pam = %{version}-%{release} +Requires: %{name}-rpm-macros = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} +Recommends: diffutils +Requires: util-linux +Recommends: libxkbcommon%{?_isa} +Provides: /bin/systemctl +Provides: /sbin/shutdown +Provides: syslog +Provides: systemd-units = %{version}-%{release} +Obsoletes: system-setup-keyboard < 0.9 +Provides: system-setup-keyboard = 0.9 +# systemd-sysv-convert was removed in f20: https://fedorahosted.org/fpc/ticket/308 +Obsoletes: systemd-sysv < 206 +# self-obsoletes so that dnf will install new subpackages on upgrade (#1260394) +Obsoletes: %{name} < 229-5 +Provides: systemd-sysv = 206 +%if 0%{?fedora} +Conflicts: fedora-release < 23-0.12 +%endif +Obsoletes: timedatex < 0.6-3 +Provides: timedatex = 0.6-3 + +%description +systemd is a system and service manager that runs as PID 1 and starts +the rest of the system. It provides aggressive parallelization +capabilities, uses socket and D-Bus activation for starting services, +offers on-demand starting of daemons, keeps track of processes using +Linux control groups, maintains mount and automount points, and +implements an elaborate transactional dependency-based service control +logic. systemd supports SysV and LSB init scripts and works as a +replacement for sysvinit. Other parts of this package are a logging daemon, +utilities to control basic system configuration like the hostname, +date, locale, maintain a list of logged-in users, system accounts, +runtime directories and settings, and daemons to manage simple network +configuration, network time synchronization, log forwarding, and name +resolution. +%if 0%{?stable} +This package was built from the %{version}-stable branch of systemd. +%endif + +%package libs +Summary: systemd libraries +License: LGPLv2+ and MIT +Obsoletes: libudev < 183 +Obsoletes: systemd < 185-4 +Conflicts: systemd < 185-4 +Obsoletes: systemd-compat-libs < 230 +Obsoletes: nss-myhostname < 0.4 +Provides: nss-myhostname = 0.4 +Provides: nss-myhostname%{_isa} = 0.4 +Requires(post): coreutils +Requires(post): sed +Requires(post): grep +Requires(post): /usr/bin/getent + +%description libs +Libraries for systemd and udev. + +%package pam +Summary: systemd PAM module +Requires: %{name} = %{version}-%{release} + +%description pam +Systemd PAM module registers the session with systemd-logind. + +%package rpm-macros +Summary: Macros that define paths and scriptlets related to systemd +BuildArch: noarch + +%description rpm-macros +Just the definitions of rpm macros. + +See +https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd +for information how to use those macros. + +%package devel +Summary: Development headers for systemd +License: LGPLv2+ and MIT +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: libudev-devel = %{version} +Provides: libudev-devel%{_isa} = %{version} +Obsoletes: libudev-devel < 183 +# Fake dependency to make sure systemd-pam is pulled into multilib (#1414153) +Requires: %{name}-pam = %{version}-%{release} + +%description devel +Development headers and auxiliary files for developing applications linking +to libudev or libsystemd. + +%package udev +Summary: Rule-based device node and kernel event manager +License: LGPLv2+ + +Requires: systemd%{?_isa} = %{version}-%{release} +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): grep +Requires: kmod >= 18-4 +%if 0%{?facebook} +# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394) +Obsoletes: %{name} < 229-5 +%else +# https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1 +Obsoletes: systemd < 245.6-1 +%endif +Provides: udev = %{version} +Provides: udev%{_isa} = %{version} +Obsoletes: udev < 183 +# https://bugzilla.redhat.com/show_bug.cgi?id=1377733#c9 +Suggests: systemd-bootchart +# https://bugzilla.redhat.com/show_bug.cgi?id=1408878 +Requires: kbd + +# https://bugzilla.redhat.com/show_bug.cgi?id=1753381 +Provides: u2f-hidraw-policy = 1.0.2-40 +Obsoletes: u2f-hidraw-policy < 1.0.2-40 + +%description udev +This package contains systemd-udev and the rules and hardware database +needed to manage device nodes. This package is necessary on physical +machines and in virtual machines, but not in containers. + +%package container +# Name is the same as in Debian +Summary: Tools for containers and VMs +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394) +Obsoletes: %{name} < 229-5 +License: LGPLv2+ + +%description container +Systemd tools to spawn and manage containers and virtual machines. + +This package contains systemd-nspawn, machinectl, systemd-machined, +and systemd-importd. + +%package journal-remote +# Name is the same as in Debian +Summary: Tools to send journal events over the network +Requires: %{name}%{?_isa} = %{version}-%{release} +License: LGPLv2+ +Requires(pre): /usr/bin/getent +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Provides: %{name}-journal-gateway = %{version}-%{release} +Provides: %{name}-journal-gateway%{_isa} = %{version}-%{release} +Obsoletes: %{name}-journal-gateway < 227-7 + +%description journal-remote +Programs to forward journal entries over the network, using encrypted HTTP, +and to write journal files from serialized journal contents. + +This package contains systemd-journal-gatewayd, +systemd-journal-remote, and systemd-journal-upload. + +%package tests +Summary: Internal unit tests for systemd +Requires: %{name}%{?_isa} = %{version}-%{release} +License: LGPLv2+ + +%description tests +"Installed tests" that are usually run as part of the build system. +They can be useful to test systemd internals. + +%prep +%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{github_version}} -p1 + +%build +%define ntpvendor %(source /etc/os-release; echo ${ID}) +%{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1} + +CONFIGURE_OPTS=( + -Dsysvinit-path=/etc/rc.d/init.d + -Drc-local=/etc/rc.d/rc.local + -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' + -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin + -Dservice-watchdog= + -Ddev-kvm-mode=0666 + -Dkmod=true + -Dxkbcommon=true + -Dblkid=true + -Dfdisk=true + -Dseccomp=true + -Dima=true + -Dselinux=true + -Dapparmor=false + -Dpolkit=true + -Dxz=true + -Dzlib=true + -Dbzip2=true + -Dlz4=true + -Dzstd=true + -Dpam=true + -Dacl=true + -Dsmack=true + -Dgcrypt=true + -Daudit=true + -Delfutils=true +%if %{without bootstrap} + -Dlibcryptsetup=true +%else + -Dlibcryptsetup=false +%endif + -Delfutils=true + -Dpwquality=true + -Dqrencode=true + -Dgnutls=true + -Dmicrohttpd=true + -Dlibidn2=true + -Dlibiptc=true + -Dlibcurl=true + -Defi=true + -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false} + -Dtpm=true + -Dhwdb=true + -Dsysusers=true + -Ddefault-kill-user-processes=false + -Dtests=unsafe + -Dinstall-tests=true + -Dtty-gid=5 + -Dusers-gid=100 + -Dnobody-user=nobody + -Dnobody-group=nobody + -Dsplit-usr=false + -Dsplit-bin=true + -Db_lto=true + -Db_ndebug=false + -Dman=true + -Dversion-tag=v%{version}-%{release} + -Ddocdir=%{_pkgdocdir} +) + +%if 0%{?facebook} +%if 0%{?el7} +%global _hierarchy legacy +%else +%global _hierarchy unified +%endif +CONFIGURE_OPTS+=( + -Dntp-servers='1.ntp.vip.facebook.com 2.ntp.vip.facebook.com 3.ntp.vip.facebook.com 4.ntp.vip.facebook.com' + -Ddns-servers='10.127.255.51 10.191.255.51 2401:db00:eef0:a53:: 2401:db00:eef0:b53::' + -Dsupport-url='https://www.facebook.com/groups/prodos.users/' + -Ddefault-hierarchy=%{_hierarchy} + -Dcontainer-uid-base-min=10485760 + -Dp11kit=false + -Duserdb=false + -Dhomed=false + -Drepart=false +) +%endif + +export LANG=en_US.UTF-8 +export LC_ALL=en_US.UTF-8 +%meson "${CONFIGURE_OPTS[@]}" +%meson_build + +%install +export LANG=en_US.UTF-8 +export LC_ALL=en_US.UTF-8 +%meson_install + +# udev links +mkdir -p %{buildroot}/%{_sbindir} +ln -sf ../bin/udevadm %{buildroot}%{_sbindir}/udevadm + +# Compatiblity and documentation files +touch %{buildroot}/etc/crypttab +chmod 600 %{buildroot}/etc/crypttab + +# /etc/sysctl.conf compat +ln -s ../sysctl.conf %{buildroot}/etc/sysctl.d/99-sysctl.conf + +# Make sure these directories are properly owned +mkdir -p %{buildroot}%{system_unit_dir}/basic.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/default.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/dbus.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/syslog.target.wants +mkdir -p %{buildroot}/run +mkdir -p %{buildroot}%{_localstatedir}/log +touch %{buildroot}/run/utmp +touch %{buildroot}%{_localstatedir}/log/{w,b}tmp + +# Make sure the user generators dir exists too +mkdir -p %{buildroot}%{pkgdir}/system-generators +mkdir -p %{buildroot}%{pkgdir}/user-generators + +# Create new-style configuration files so that we can ghost-own them +touch %{buildroot}%{_sysconfdir}/hostname +touch %{buildroot}%{_sysconfdir}/vconsole.conf +touch %{buildroot}%{_sysconfdir}/locale.conf +touch %{buildroot}%{_sysconfdir}/machine-id +touch %{buildroot}%{_sysconfdir}/machine-info +touch %{buildroot}%{_sysconfdir}/localtime +mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d +touch %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/00-keyboard.conf + +# Make sure the shutdown/sleep drop-in dirs exist +mkdir -p %{buildroot}%{pkgdir}/system-shutdown/ +mkdir -p %{buildroot}%{pkgdir}/system-sleep/ + +# Make sure directories in /var exist +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/coredump +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/catalog +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/backlight +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/linger +mkdir -p %{buildroot}%{_localstatedir}/lib/private +mkdir -p %{buildroot}%{_localstatedir}/log/private +mkdir -p %{buildroot}%{_localstatedir}/cache/private +mkdir -p %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/timesync +ln -s ../private/systemd/journal-upload %{buildroot}%{_localstatedir}/lib/systemd/journal-upload +mkdir -p %{buildroot}%{_localstatedir}/log/journal +touch %{buildroot}%{_localstatedir}/lib/systemd/catalog/database +touch %{buildroot}%{_sysconfdir}/udev/hwdb.bin +touch %{buildroot}%{_localstatedir}/lib/systemd/random-seed +touch %{buildroot}%{_localstatedir}/lib/systemd/timesync/clock +touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state + +# Install yum protection fragment +install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf + +# Restore systemd-user pam config from before "removal of Fedora-specific bits" +install -Dm0644 -t %{buildroot}/etc/pam.d/ %{SOURCE12} + +# Install additional docs +# https://bugzilla.redhat.com/show_bug.cgi?id=1234951 +install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE9} + +# https://bugzilla.redhat.com/show_bug.cgi?id=1378974 +mkdir -p %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ +install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE10} + +# A temporary work-around for https://bugzilla.redhat.com/show_bug.cgi?id=1663040 +mkdir -p %{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/ +cat >%{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/disable-privatedevices.conf </dev/null || groupadd -r -g 11 cdrom &>/dev/null || : +getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || : +getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || : +getent group dialout &>/dev/null || groupadd -r -g 18 dialout &>/dev/null || : +getent group input &>/dev/null || groupadd -r input &>/dev/null || : +getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || : +getent group render &>/dev/null || groupadd -r render &>/dev/null || : +getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || : + +getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : +getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || : + +getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2>&1 || : +getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || : + +getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || : +getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || : + +%post +systemd-machine-id-setup &>/dev/null || : + +systemctl daemon-reexec &>/dev/null || { + # systemd v239 had bug #9553 in D-Bus authentication of the private socket, + # which was later fixed in v240 by #9625. + # + # The end result is that a `systemctl daemon-reexec` call as root will fail + # when upgrading from systemd v239, which means the system will not start + # running the new version of systemd after this post install script runs. + # + # To work around this issue, let's fall back to using a `kill -TERM 1` to + # re-execute the daemon when the `systemctl daemon-reexec` call fails. + # + # In order to prevent issues when the reason why the daemon-reexec failed is + # not the aforementioned bug, let's only use this fallback when: + # - we're upgrading this RPM package; and + # - we confirm that systemd is running as PID1 on this system. + if [ $1 -gt 1 ] && [ -d /run/systemd/system ] ; then + kill -TERM 1 &>/dev/null || : + fi +} + +journalctl --update-catalog &>/dev/null || : +systemd-tmpfiles --create &>/dev/null || : + +# create /var/log/journal only on initial installation, +# and only if it's writable (it won't be in rpm-ostree). +if [ $1 -eq 1 ] && [ -w %{_localstatedir} ]; then + mkdir -p %{_localstatedir}/log/journal +fi + +# Make sure new journal files will be owned by the "systemd-journal" group +machine_id=$(cat /etc/machine-id 2>/dev/null) +chgrp systemd-journal /{run,var}/log/journal/{,${machine_id}} &>/dev/null || : +chmod g+s /{run,var}/log/journal/{,${machine_id}} &>/dev/null || : + +# Apply ACL to the journal directory +setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || : + +# We reset the enablement of all services upon initial installation +# https://bugzilla.redhat.com/show_bug.cgi?id=1118740#c23 +# This will fix up enablement of any preset services that got installed +# before systemd due to rpm ordering problems: +# https://bugzilla.redhat.com/show_bug.cgi?id=1647172. +# We also do this for user units, see +# https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units. +if [ $1 -eq 1 ] ; then + systemctl preset-all &>/dev/null || : + systemctl --global preset-all &>/dev/null || : +fi + +%preun +if [ $1 -eq 0 ] ; then + systemctl disable --quiet \ + remote-fs.target \ + getty@.service \ + serial-getty@.service \ + console-getty.service \ + debug-shell.service \ + systemd-networkd.service \ + systemd-networkd-wait-online.service \ + systemd-resolved.service \ + systemd-homed.service \ + >/dev/null || : +fi + +%triggerun -- systemd < 246.1-1 +# This is for upgrades from previous versions before systemd-resolved became the default. +systemctl --no-reload preset systemd-resolved.service &>/dev/null || : + +if systemctl is-enabled systemd-resolved.service &>/dev/null; then + grep -q 'Generated by NetworkManager' /etc/resolv.conf 2>/dev/null && \ + echo -e '/etc/resolv.conf was generated by NetworkManager.\nRemoving it to let systemd-resolved manage this file.' && \ + mv -v /etc/resolv.conf /etc/resolv.conf.orig-with-nm || : + + systemctl start systemd-resolved.service &>/dev/null || : +fi + +%post libs +%{?ldconfig} + +function mod_nss() { + if [ -f "$1" ] ; then + # Add nss-systemd to passwd and group + grep -E -q '^(passwd|group):.* systemd' "$1" || + sed -i.bak -r -e ' + s/^(passwd|group):(.*)/\1:\2 systemd/ + ' "$1" &>/dev/null || : + + # Add nss-resolve to hosts + grep -E -q '^hosts:.* resolve' "$1" || + sed -i.bak -r -e ' + s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 resolve [!UNAVAIL=return] myhostname files\3 dns/ + ' "$1" &>/dev/null || : + fi +} + +FILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)" +if [ "$FILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then + mod_nss "/etc/authselect/user-nsswitch.conf" + authselect apply-changes &> /dev/null || : +else + mod_nss "$FILE" + # also apply the same changes to user-nsswitch.conf to affect + # possible future authselect configuration + mod_nss "/etc/authselect/user-nsswitch.conf" +fi + +# check if nobody or nfsnobody is defined +export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 +if getent passwd nfsnobody &>/dev/null; then + test -f /etc/systemd/dont-synthesize-nobody || { + echo 'Detected system with nfsnobody defined, creating /etc/systemd/dont-synthesize-nobody' + mkdir -p /etc/systemd || : + : >/etc/systemd/dont-synthesize-nobody || : + } +elif getent passwd nobody 2>/dev/null | grep -v 'nobody:[x*]:65534:65534:.*:/:/sbin/nologin' &>/dev/null; then + test -f /etc/systemd/dont-synthesize-nobody || { + echo 'Detected system with incompatible nobody defined, creating /etc/systemd/dont-synthesize-nobody' + mkdir -p /etc/systemd || : + : >/etc/systemd/dont-synthesize-nobody || : + } +fi + +%{?ldconfig:%postun libs -p %ldconfig} + +%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service + +%pre udev +getent group systemd-timesync &>/dev/null || groupadd -r systemd-timesync 2>&1 || : +getent passwd systemd-timesync &>/dev/null || useradd -r -l -g systemd-timesync -d / -s /sbin/nologin -c "systemd Time Synchronization" systemd-timesync &>/dev/null || : + +%post udev +# Move old stuff around in /var/lib +mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null +mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null +if [ -L %{_localstatedir}/lib/systemd/timesync ]; then + rm %{_localstatedir}/lib/systemd/timesync + mv %{_localstatedir}/lib/private/systemd/timesync %{_localstatedir}/lib/systemd/timesync +fi +if [ -f %{_localstatedir}/lib/systemd/clock ] ; then + mkdir -p %{_localstatedir}/lib/systemd/timesync + mv %{_localstatedir}/lib/systemd/clock %{_localstatedir}/lib/systemd/timesync/. +fi + +udevadm hwdb --update &>/dev/null +%systemd_post %udev_services +/usr/lib/systemd/systemd-random-seed save 2>&1 + +# Replace obsolete keymaps +# https://bugzilla.redhat.com/show_bug.cgi?id=1151958 +grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && + sed -i.rpm.bak -r 's/^KEYMAP="?fi-latin[19]"?/KEYMAP="fi"/' /etc/vconsole.conf || : + +%preun udev +%systemd_preun %udev_services + +%postun udev +# Only restart systemd-udev, to run the upgraded dameon. +# Others are either oneshot services, or sockets, and restarting them causes issues (#1378974) +%systemd_postun_with_restart systemd-udevd.service + +%pre journal-remote +getent group systemd-journal-remote &>/dev/null || groupadd -r systemd-journal-remote 2>&1 || : +getent passwd systemd-journal-remote &>/dev/null || useradd -r -l -g systemd-journal-remote -d %{_localstatedir}/log/journal/remote -s /sbin/nologin -c "Journal Remote" systemd-journal-remote &>/dev/null || : + +%post journal-remote +%systemd_post systemd-journal-gatewayd.socket systemd-journal-gatewayd.service +%systemd_post systemd-journal-remote.socket systemd-journal-remote.service +%systemd_post systemd-journal-upload.service + +%preun journal-remote +%systemd_preun systemd-journal-gatewayd.socket systemd-journal-gatewayd.service +%systemd_preun systemd-journal-remote.socket systemd-journal-remote.service +%systemd_preun systemd-journal-upload.service +if [ $1 -eq 1 ] ; then + if [ -f %{_localstatedir}/lib/systemd/journal-upload/state -a ! -L %{_localstatedir}/lib/systemd/journal-upload ] ; then + mkdir -p %{_localstatedir}/lib/private/systemd/journal-upload + mv %{_localstatedir}/lib/systemd/journal-upload/state %{_localstatedir}/lib/private/systemd/journal-upload/. + rmdir %{_localstatedir}/lib/systemd/journal-upload || : + fi +fi + +%postun journal-remote +%systemd_postun_with_restart systemd-journal-gatewayd.service +%systemd_postun_with_restart systemd-journal-remote.service +%systemd_postun_with_restart systemd-journal-upload.service + +%global _docdir_fmt %{name} + +%files -f %{name}.lang -f .file-list-rest +%doc %{_pkgdocdir} +%exclude %{_pkgdocdir}/LICENSE.* +%license LICENSE.GPL2 LICENSE.LGPL2.1 +%ghost %dir %attr(0755,-,-) /etc/systemd/system/basic.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/bluetooth.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/default.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/getty.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/graphical.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/local-fs.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/machines.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/multi-user.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/network-online.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/printer.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/remote-fs.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/sockets.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/sysinit.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants +%ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd + +%files libs -f .file-list-libs +%license LICENSE.LGPL2.1 + +%files pam -f .file-list-pam + +%files rpm-macros -f .file-list-rpm-macros + +%files devel -f .file-list-devel + +%files udev -f .file-list-udev + +%files container -f .file-list-container + +%files journal-remote -f .file-list-remote + +%files tests -f .file-list-tests + +%changelog +* Mon Jan 25 2021 Anita Zhang - 246.1-1.fb6 +- Backport PR #16803 to fix ConditionEnvironment= + +* Thu Nov 19 2020 Chris Down - 246.1-1.fb5 +- Updated version of PR #17495 to fix program leak + +* Thu Nov 19 2020 Chris Down - 246.1-1.fb4 +- Backport PR #17495 to fix BPF program lifecycle +- Backport PR #17422 to clean up cgroups more reliably after exit +- Backport PR #17497 to add FixedRandomDelay= support + +* Fri Sep 18 2020 Anita Zhang - 246.1-1.fb3 +- Backport PR #16838 and #16857 to improve $PATH handling +- Backport PR #16940 to fix ECONN handling in sockets +- Backport PR #17031 to fix rate limiting on units in restart loop +- Backport PR #17082 to get nspawn TTY tweaks + +* Tue Aug 18 2020 Anita Zhang - 246.1-1.fb2 +- Gate "Obsoletes: systemd < 245.6-1" out due to dependency issues on Facebook + systems + +* Mon Aug 17 2020 Anita Zhang - 246.1-1.fb1 +- Facebook rebuild +- Don't compile in systemd-repart (needs libfdisk >= 2.33 and C8 has 2.32) +- Remove unused systemd-journal-remote.xml and systemd-journal-gatewayd.xml + files since we never used firewalld + +* Fri Aug 7 2020 Zbigniew Jędrzejewski-Szmek - 246.1-1 +- A few minor bugfixes +- Remove /etc/resolv.conf on upgrades (if managed by NetworkManager), so + that systemd-resolved can take over the management of the symlink. + +* Thu Jul 30 2020 Zbigniew Jędrzejewski-Szmek - 246-1 +- Update to released version. Only some minor bugfixes since the pre-release. + +* Sun Jul 26 2020 Zbigniew Jędrzejewski-Szmek - 246~rc2-2 +- Make /tmp be 50% of RAM again (#1856514) +- Re-run 'systemctl preset systemd-resolved' on upgrades. + /etc/resolv.conf is not modified, by a hint is emitted if it is + managed by NetworkManager. + +* Fri Jul 24 2020 Zbigniew Jędrzejewski-Szmek - 246~rc2-1 +- New pre-release with incremental fixes + (#1856037, #1858845, #1856122, #1857783) +- Enable systemd-resolved (with DNSSEC disabled by default, and LLMNR + and mDNS support in resolve-only mode by default). + See https://fedoraproject.org/wiki/Changes/systemd-resolved. + +* Thu Jul 9 2020 Zbigniew Jędrzejewski-Szmek - 246~rc1-1 +- New upstream release, see + https://raw.githubusercontent.com/systemd/systemd/v246-rc1/NEWS. + + This release includes many new unit settings, related inter alia to + cgroupsv2 freezer support and cpu affinity, encryption and verification. + systemd-networkd has a ton of new functionality and many other tools gained + smaller enhancements. systemd-homed gained FIDO2 support. + + Documentation has been significantly improved: sd-bus and sd-hwdb + libraries are now fully documented; man pages have been added for + the D-BUS APIs of systemd daemons and various new interfaces. + + Closes #1392925, #1790972, #1197886, #1525593. + +* Wed Jun 24 2020 Bastien Nocera - 245.6-3 +- Set fallback-hostname to fedora so that unset hostnames are still + recognisable (#1392925) + +* Fri Jun 5 2020 Anita Zhang - 245.5-2.fb3 +- Backport 156a5fd to mitigate CVE-2020-13776 + +* Thu Jun 4 2020 Anita Zhang - 245.5-2.fb2 +- Revert c7d26ac which is causing SMI count to go up leading to increased + microstalls during Chef runs + +* Tue Jun 2 2020 Zbigniew Jędrzejewski-Szmek - 245.6-2 +- Add self-obsoletes to fix upgrades from F31 + +* Sun May 31 2020 Zbigniew Jędrzejewski-Szmek - 245.6-1 +- Update to latest stable version (some documentation updates, minor + memory correctness issues) (#1815605, #1827467, #1842067) + +* Thu Apr 30 2020 Anita Zhang - 245.5-2.fb1 +- Facebook rebuild +- Don't compile in systemd-homed, systemd-userdb, and p11kit +- Backport PR #15544 and #15551 (drops FB rlimit_memlock patch) + +* Tue Apr 21 2020 Björn Esser - 245.5-2 +- Add explicit BuildRequires: acl +- Bootstrapping for json-c SONAME bump + +* Fri Apr 17 2020 Zbigniew Jędrzejewski-Szmek - 245.5-1 +- Update to latest stable version (#1819313, #1815412, #1800875) + +* Thu Apr 16 2020 Björn Esser - 245.4-2 +- Add bootstrap option to break circular deps on cryptsetup + +* Wed Apr 1 2020 Zbigniew Jędrzejewski-Szmek - 245.4-1 +- Update to latest stable version (#1814454) + +* Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 245.3-1 +- Update to latest stable version (no issue that got reported in bugzilla) + +* Wed Mar 18 2020 Zbigniew Jędrzejewski-Szmek - 245.2-1 +- Update to latest stable version (a few bug fixes for random things) (#1798776) + +* Wed Mar 18 2020 Andrew Gallagher - 244-2.fb4 +- Bump HIGH_RLIMIT_MEMLOCK to 512M + +* Fri Mar 6 2020 Zbigniew Jędrzejewski-Szmek - 245-1 +- Update to latest version (#1807485) + +* Wed Feb 26 2020 Zbigniew Jędrzejewski-Szmek - 245~rc2-1 +- Modify the downstream udev rule to use bfq to only apply to disks (#1803500) +- "Upgrade" dependency on kbd package from Recommends to Requires (#1408878) +- Move systemd-bless-boot.service and systemd-boot-system-token.service to + systemd-udev subpackage (#1807462) +- Move a bunch of other services to systemd-udev: + systemd-pstore.service, all fsck-related functionality, + systemd-volatile-root.service, systemd-verity-setup.service, and a few + other related files. +- Fix daemon-reload rule to not kill non-systemd pid1 (#1803240) +- Fix namespace-related failure when starting systemd-homed (#1807465) and + group lookup failure in nss_systemd (#1809147) +- Drop autogenerated BOOT_IMAGE= parameter from stored kernel command lines + (#1716164) +- Don't require /proc to be mounted for systemd-sysusers to work (#1807768) + +* Fri Feb 21 2020 Filipe Brandenburger - 245~rc1-4 +- Update daemon-reexec fallback to check whether the system is booted with + systemd as PID 1 and check whether we're upgrading before using kill -TERM + on PID 1 (#1803240) + +* Thu Feb 20 2020 Filipe Brandenburger - 244-2.fb3 +- Only kill -TERM 1 when systemd is actually running. + +* Tue Feb 18 2020 Adam Williamson - 245~rc1-3 +- Revert 097537f0 to fix plymouth etc. running when they shouldn't (#1803293) + +* Fri Feb 7 2020 Zbigniew Jędrzejewski-Szmek - 245~rc1-2 +- Add default 'disable *' preset for user units (#1792474, #1468501), + see https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units. +- Add macro to generate "compat" scriptlets based off sysusers.d format + and autogenerate user() and group() virtual provides (#1792462), + see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format. +- Revert patch to udev rules causing regression with usb hubs (#1800820). + +* Thu Feb 6 2020 Anita Zhang - 244-2.fb2 +- Backport PR#14815 (Permissive syscall filtering in dbus-execute) + +* Wed Feb 5 2020 Zbigniew Jędrzejewski-Szmek - 245~rc1-1 +- New upstream release, see + https://raw.githubusercontent.com/systemd/systemd/v245-rc1/NEWS. + + This release includes completely new functionality: systemd-repart, + systemd-homed, user reconds in json, and multi-instantiable + journald, and a partial rework of internal communcation to use + varlink, and bunch of more incremental changes. + + The "predictable" interface name naming scheme is changed, + net.naming-scheme= can be used to undo the change. The change applies + to container interface names on the host. + +- Fixes #1774242, #1787089, #1798414/CVE-2020-1712. + +* Fri Jan 31 2020 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jan 9 2020 Anita Zhang - 244-2.fb1 +- Facebook rebuild +- Backport PR#13823 (PrivateUsers=true for unprivileged user managers) +- Backport PR#14441 (Fix type.d drop-in ordering) + +* Sat Dec 21 2019 - 244.1-2 +- Disable service watchdogs (for systemd units) + +* Sun Dec 15 2019 - 244.1-1 +- Update to latest stable batch (systemd-networkd fixups, better + support for seccomp on s390x, minor cleanups to documentation). +- Drop patch to revert addition of NoNewPrivileges to systemd units + +* Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek - 244-1 +- Update to latest version. Just minor bugs fixed since the pre-release. + +* Fri Nov 22 2019 Zbigniew Jędrzejewski-Szmek - 244~rc1-1 +- Update to latest pre-release version, + see https://github.com/systemd/systemd/blob/master/NEWS#L3. + Biggest items: cgroups v2 cpuset controller, fido_id builtin in udev, + systemd-networkd does not create a default route for link local addressing, + systemd-networkd supports dynamic reconfiguration and a bunch of new settings. + Network files support matching on WLAN SSID and BSSID. +- Better error messages when preset/enable/disable are used with a glob (#1763488) +- u2f-hidraw-policy package is obsoleted (#1753381) + +* Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek - 243.4 +- Latest bugfix release. Systemd-stable snapshots will now be numbered. +- Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148) +- systemd-modules-load.service should only warn, not fail, on error (#1254340) +- Fix incorrect certificate validation with DNS over TLS (#1771725, #1771726, + CVE-2018-21029) +- Fix regression with crypttab keys with colons +- Various memleaks and minor memory access issues, warning adjustments + +* Thu Oct 31 2019 Davide Cavalca - 243-2.fb3 +- Backport PR#13754 (allow restart for oneshot units) +- Misc specfiles fixes to support building on el8 as well +- Default el8 builds to the unified hierarchy + +* Fri Oct 18 2019 Adam Williamson - 243-4.gitef67743 +- Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240) + +* Thu Oct 10 2019 Zbigniew Jędrzejewski-Szmek - 243-3.gitef67743 +- Various minor documentation and error message cleanups +- Do not use cgroup v1 hierarchy in nspawn on groups v2 (#1756143) + +* Wed Oct 2 2019 Davide Cavalca - 243-2.fb2 +- Backport PR#13689 (a bunch of protection-related fixes) + +* Fri Sep 27 2019 Davide Cavalca - 243-2.fb1 +- Facebook rebuild +- drop "use bfq as the default scheduler" patch +- backport PR#13369 (ExecXYZEx= bus hook ups) +- disable udev-test.pl for now due to flakiness + +* Sat Sep 21 2019 Zbigniew Jędrzejewski-Szmek - 243-2.gitfab6f01 +- Backport a bunch of patches (memory access issues, improvements to error + reporting and handling in networkd, some misleading man page contents #1751363) +- Fix permissions on static nodes (#1740664) +- Make systemd-networks follow the RFC for DHPCv6 and radv timeouts +- Fix one crash in systemd-resolved (#1703598) +- Make journal catalog creation reproducible (avoid unordered hashmap use) +- Mark the accelerometer in HP laptops as part of the laptop base +- Fix relabeling of directories with relabel-extra.d/ +- Fix potential stuck noop jobs in pid1 +- Obsolete timedatex package (#1735584) + +* Tue Sep 3 2019 Zbigniew Jędrzejewski-Szmek - 243-1 +- Update to latest release +- Emission of Session property-changed notifications from logind is fixed + (this was breaking the switching of sessions to and from gnome). +- Security issue: unprivileged users were allowed to change DNS + servers configured in systemd-resolved. Now proper polkit authorization + is required. + +* Mon Aug 26 2019 Adam Williamson - 243~rc2-2 +- Backport PR #13406 to solve PATH ordering issue (#1744059) + +* Thu Aug 22 2019 Zbigniew Jędrzejewski-Szmek - 243~rc2-1 +- Update to latest pre-release. Fixes #1740113, #1717712. +- The default scheduler for disks is set to BFQ (1738828) +- The default cgroup hierarchy is set to unified (cgroups v2) (#1732114). + Use systemd.unified-cgroup-hierarchy=0 on the kernel command line to revert. + See https://fedoraproject.org/wiki/Changes/CGroupsV2. + +* Wed Aug 07 2019 Adam Williamson - 243~rc1-2 +- Backport PR #1737362 so we own /etc/systemd/system again (#1737362) + +* Wed Aug 7 2019 Anita Zhang - 242-2.fb4 +- Backport PR#12933 (core: ExecCondition= for services) +- Backport PR#13096 (Preparatory work for the unit loading rework) +- Backport PR#13119 (Rework unit loading to take into account all aliases) + +* Tue Jul 30 2019 Zbigniew Jędrzejewski-Szmek - 243~rc1-1 +- Update to latest version (#1715699, #1696373, #1711065, #1718192) + +* Sat Jul 27 2019 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Jul 20 2019 Zbigniew Jędrzejewski-Szmek - 242-6.git9d34e79 +- Ignore bad rdrand output on AMD CPUs (#1729268) +- A bunch of backported patches from upstream: documentation, memory + access fixups, command output tweaks (#1708996) + +* Thu Jul 18 2019 Anita Zhang - 242-2.fb3 +- Backport PR#12346 (make sure accept_flush() doesn't hang on EOPNOTSUPP) +- Backport PR#12979 (add SystemCallErrorNumber=EPERM to systemd-portabled.service) + +* Tue Jun 25 2019 Björn Esser - 242-5.git7a6d834 +- Rebuilt (libqrencode.so.4) + +* Tue Jun 25 2019 Miro Hrončok - 242-4.git7a6d834 +- Rebuilt for iptables update (libip4tc.so.2) + +* Thu Jun 20 2019 Anita Zhang - 242-2.fb2 +- Backport PR#11778 (ExecStartXYZEx= dbus support) +- Backport PR#12729 (nspawn: don't hard fail when setting capabilities) +- Backport PR#12745 (IPAddressXYZ="any" for users with CAP_NET_ADMIN) + +* Fri Apr 26 2019 Zbigniew Jędrzejewski-Szmek - 242-3.git7a6d834 +- Add symbol to mark vtable format changes (anything using sd_add_object_vtable + or sd_add_fallback_vtable needs to be rebuilt) +- Fix wireguard ListenPort handling in systemd-networkd +- Fix hang in flush_accept (#1702358) +- Fix handling of RUN keys in udevd +- Some documentation and shell completion updates and minor fixes + +* Thu Apr 25 2019 Davide Cavalca - 242-2.fb1 +- Facebook rebuild +- Backport PR#12336 (support DisableControllers= for transient units) + +* Tue Apr 16 2019 Adam Williamson - 242-2 +- Rebuild with Meson fix for #1699099 + +* Thu Apr 11 2019 Zbigniew Jędrzejewski-Szmek - 242-1 +- Update to latest release +- Make scriptlet failure non-fatal + +* Tue Apr 9 2019 Zbigniew Jędrzejewski-Szmek - 242~rc4-1 +- Update to latest prerelease + +* Thu Apr 4 2019 Zbigniew Jędrzejewski-Szmek - 242~rc3-1 +- Update to latest prerelease + +* Wed Apr 3 2019 Zbigniew Jędrzejewski-Szmek - 242~rc2-1 +- Update to the latest prerelease. +- The bug reported on latest update that systemd-resolved and systemd-networkd are + re-enabled after upgrade is fixed. + +* Fri Mar 29 2019 Zbigniew Jędrzejewski-Szmek - 241-4.gitcbf14c9 +- Backport various patches from the v241..v242 range: + kernel-install will not create the boot loader entry automatically (#1648907), + various bash completion improvements (#1183769), + memory leaks and such (#1685286). + +* Fri Mar 22 2019 Davide Cavalca - 241-1.fb2 +- Backport PR#11754 (sd-bus fixes for CVE-2019-6454) +- Backport PR#12078 (nspawn fix) + +* Thu Mar 14 2019 Zbigniew Jędrzejewski-Szmek - 241-3.gitc1f8ff8 +- Declare hyperv and framebuffer devices master-of-seat again (#1683197) + +* Wed Feb 27 2019 Davide Cavalca - 241-1.fb1 +- Facebook rebuild +- Rebase fio udev patch (this will likely be dropped in the next release) +- Drop the mock testing patches, not needed anymore +- Ignore errors for Python bytecompiling due to run-unit-tests.py +- Fix the run-unit-tests.py shebang to use python36 +- Backport PR#11831 (missing include) and PR#11836 (test-chown-rec fix) + +* Wed Feb 20 2019 Zbigniew Jędrzejewski-Szmek - 241-2.gita09c170 +- Prevent buffer overread in systemd-udevd +- Properly validate dbus paths received over dbus (#1678394, CVE-2019-6454) + +* Sat Feb 9 2019 Zbigniew Jędrzejewski-Szmek - 241~rc2-2 +- Turn LTO back on + +* Tue Feb 5 2019 Zbigniew Jędrzejewski-Szmek - 241~rc2-1 +- Update to latest release -rc2 + +* Sun Feb 03 2019 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sun Jan 27 2019 Yu Watanabe - 241~rc1-2 +- Backport a patch for kernel-install + +* Sat Jan 26 2019 Zbigniew Jędrzejewski-Szmek - 241~rc1-1 +- Update to latest release -rc1 + +* Tue Jan 15 2019 Zbigniew Jędrzejewski-Szmek - 240-6.gitf02b547 +- Add a work-around for #1663040 + +* Mon Jan 14 2019 Björn Esser +- Rebuilt for libcrypt.so.2 (#1666033) + +* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek - 240-4.gitf02b547 +- Add a work-around for selinux issue on live images (#1663040) + +* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek - 240-3.gitf02b547 +- systemd-journald and systemd-journal-remote reject entries which + contain too many fields (CVE-2018-16865, #1664973) and set limits on the + process' command line length (CVE-2018-16864, #1664972) +- $DBUS_SESSION_BUS_ADDRESS is again exported by pam_systemd (#1662857) +- A fix for systemd-udevd crash (#1662303) + +* Sat Dec 22 2018 Zbigniew Jędrzejewski-Szmek - 240-2 +- Add two more patches that revert recent udev changes + +* Fri Dec 21 2018 Zbigniew Jędrzejewski-Szmek - 240-1 +- Update to latest release + See https://github.com/systemd/systemd/blob/master/NEWS for the list of changes. + +* Mon Dec 17 2018 Zbigniew Jędrzejewski-Szmek - 239-10.git9f3aed1 +- Hibernation checks for resume= are rescinded (#1645870) +- Various patches: + - memory issues in logind, networkd, journald (#1653068), sd-device, etc. + - Adaptations for newer meson, lz4, kernel + - Fixes for misleading bugs in documentation +- net.ipv4.conf.all.rp_filter is changed from 1 to 2 + +* Mon Dec 10 2018 Davide Cavalca - 239-1.fb6 +- Backport PR#10411 and PR#10493 (systemd-analyze timespan command) +- Rebase our PR#10507 and PR#10567 backports onto the version merged upstream +- Backport PR#10757 (cgroup2 BPF devices fixes) +- Backport PR#10876 (cgroup_subtree_mask propagation fix) + +* Thu Nov 29 2018 Zbigniew Jędrzejewski-Szmek +- Adjust scriptlets to modify /etc/authselect/user-nsswitch.conf + (see https://github.com/pbrezina/authselect/issues/77) +- Drop old scriptlets for nsswitch.conf modifications for nss-mymachines and nss-resolve + +* Sun Nov 18 2018 Alejandro Domínguez Muñoz +- Remove link creation for rsyslog.service + +* Thu Nov 8 2018 Adam Williamson - 239-9.git9f3aed1 +- Go back to using systemctl preset-all in %%post (#1647172, #1118740) + +* Mon Nov 5 2018 Adam Williamson - 239-8.git9f3aed1 +- Requires(post) openssl-libs to fix live image build machine-id issue + See: https://pagure.io/dusty/failed-composes/issue/960 + +* Mon Nov 5 2018 Yu Watanabe +- Set proper attributes to private directories + +* Fri Nov 2 2018 Davide Cavalca - 239-1.fb5 +- Backport PR#10507 (don't require CPU controller for CPU accounting) +- Backport PR#10567 (DisableControllers= directive) + +* Fri Nov 2 2018 Zbigniew Jędrzejewski-Szmek - 239-7.git9f3aed1 +- Split out the rpm macros into systemd-rpm-macros subpackage (#1645298) + +* Sun Oct 28 2018 Zbigniew Jędrzejewski-Szmek - 239-6.git9f3aed1 +- Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1639076) +- Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1639071) +- Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1639067) +- The DHCP server is started only when link is UP +- DHCPv6 prefix delegation is improved +- Downgrade logging of various messages and add loging in other places +- Many many fixes in error handling and minor memory leaks and such +- Fix typos and omissions in documentation +- Typo in %%_environmnentdir rpm macro is fixed (with backwards compatiblity preserved) +- Matching by MACAddress= in systemd-networkd is fixed +- Creation of user runtime directories is improved, and the user + manager is only stopped after 10 s after the user logs out (#1642460 and other bugs) +- systemd units systemd-timesyncd, systemd-resolved, systemd-networkd are switched back to use DynamicUser=0 +- Aliases are now resolved when loading modules from pid1. This is a (redundant) fix for a brief kernel regression. +- "systemctl --wait start" exits immediately if no valid units are named +- zram devices are not considered as candidates for hibernation +- ECN is not requested for both in- and out-going connections (the sysctl overide for net.ipv4.tcp_ecn is removed) +- Various smaller improvements to unit ordering and dependencies +- generators are now called with the manager's environment +- Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues +- The target of symlinks links in .wants/ and .requires/ is now ignored. This fixes an issue where + the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents. +- Filtering of kernel threads is improved. This fixes an issues with newer kernels where hybrid kernel/user + threads are used by bpfilter. +- "noresume" can be used on the kernel command line to force normal boot even if a hibernation images is present +- Hibernation is not advertised if resume= is not present on the kernenl command line +- Hibernation/Suspend/... modes can be disabled using AllowSuspend=, + AllowHibernation=, AllowSuspendThenHibernate=, AllowHybridSleep= +- LOGO= and DOCUMENTATION_URL= are documented for the os-release file +- The hashmap mempool is now only used internally in systemd, and is disabled for external users of the systemd libraries +- Additional state is serialized/deserialized when logind is restarted, fixing the handling of user objects +- Catalog entries for the journal are improved (#1639482) +- If suspend fails, the post-suspend hooks are still called. +- Various build issues on less-common architectures are fixed + +* Fri Oct 12 2018 Davide Cavalca - 239-1.fb4 +- Backport PR#10062 (cgroup2 BPF device controller support) +- Backport PR#10203, PR#10363 (tests fixes for supplementary groups) +- Backport PR#10368 (%g, %G specifiers support) +- Add hostname to BuildRequires (it's needed by test-execute) +- Reenable test-execute now that it's finally working + +* Wed Oct 3 2018 Jan Synáček - 239-5 +- Fix meson using -Ddebug, which results in FTBFS +- Fix line_begins() to accept word matching full string (#1631840) + +* Mon Sep 10 2018 Zbigniew Jędrzejewski-Szmek - 239-4 +- Move /etc/yum/protected.d/systemd.conf to /etc/dnf/ (#1626969) + +* Fri Aug 24 2018 Davide Cavalca - 239-1.fb3 +- backport new version of guro's cgroup2 BPF device controller patch + +* Wed Jul 18 2018 Terje Rosten - 239-3 +- Ignore return value from systemd-binfmt in scriptlet (#1565425) + +* Sun Jul 15 2018 Filipe Brandenburger +- Override systemd-user PAM config in install and not prep + +* Sat Jul 14 2018 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jul 4 2018 Davide Cavalca - 239-1.fb2 +- backport PR#9460 (followup to PR#9410) +- backport PR#9500 (support for StandardOutput=append:) +- revert c58fd46 (part of PR#8403) to workaround a FB-specific build issue + +* Mon Jun 25 2018 Zbigniew Jędrzejewski-Szmek +- Rebuild for Python 3.7 again + +* Mon Jun 25 2018 Davide Cavalca - 239-1.fb1 +- Facebook rebuild +- backport PR#9244 and PR#9247 (new cgroup2 features) +- backport PR#9410 (gnutls detection, fix for #9403) + +* Fri Jun 22 2018 Zbigniew Jędrzejewski-Szmek - 239-1 +- Update to latest version, mostly bug fixes and new functionality, + very little breaking changes. See + https://github.com/systemd/systemd/blob/v239/NEWS for details. + +* Tue Jun 19 2018 Miro Hrončok +- Rebuilt for Python 3.7 + +* Thu May 31 2018 Davide Cavalca - 238-7.fb3 +- Update cgroup2 BPF device controller patches +- Backport PR#9148 to mitigate pid watching issue on git + +* Tue May 15 2018 Davide Cavalca - 238-7.fb2 +- Backport htejun's io.latency patch +- Backport guro's cgroup2 BPF device controller patch + +* Fri May 11 2018 Zbigniew Jędrzejewski-Szmek - 238-8.git0e0aa59 +- Backport a number of patches (documentation, hwdb updates) +- Fixes for tmpfiles 'e' entries +- systemd-networkd crashes +- XEN virtualization detection on hyper-v +- Avoid relabelling /sys/fs/cgroup if not needed (#1576240) + +* Wed Apr 18 2018 Zbigniew Jędrzejewski-Szmek - 238-7.fc28.1 +- Allow fake Delegate= setting on slices (#1568594) + +* Thu Apr 5 2018 Davide Cavalca - 238-7.fb1 +- Facebook rebuild +- Reenable tests (except test-execute which is still broken) + +* Wed Mar 28 2018 Zbigniew Jędrzejewski-Szmek - 238-7 +- Move udev transfiletriggers to the right package, fix quoting + +* Tue Mar 27 2018 Colin Walters - 238-6 +- Use shell for triggers; see https://github.com/systemd/systemd/pull/8550 + This fixes compatibility with rpm-ostree. + +* Tue Mar 20 2018 Zbigniew Jędrzejewski-Szmek - 238-5 +- Backport patch to revert inadvertent change of "predictable" interface name (#1558027) + +* Fri Mar 16 2018 Zbigniew Jędrzejewski-Szmek - 238-4 +- Do not close dbus connection during dbus reload call (#1554578) + +* Wed Mar 7 2018 Zbigniew Jędrzejewski-Szmek - 238-3 +- Revert the patches for GRUB BootLoaderSpec support +- Add patch for /etc/machine-id creation (#1552843) + +* Tue Mar 6 2018 Yu Watanabe - 238-2 +- Fix transfiletrigger script (#1551793) + +* Mon Mar 5 2018 Zbigniew Jędrzejewski-Szmek - 238-1 +- Update to latest version +- This fixes a hard-to-trigger potential vulnerability (CVE-2018-6954) +- New transfiletriggers are installed for udev hwdb and rules, the journal + catalog, sysctl.d, binfmt.d, sysusers.d, tmpfiles.d. + +* Tue Feb 27 2018 Javier Martinez Canillas - 237-7.git84c8da5 +- Add patch to install kernel images for GRUB BootLoaderSpec support + +* Mon Feb 26 2018 Davide Cavalca - 237-1.fb3 +- Backport PR#8115 to properly fix GH#8194 + +* Sat Feb 24 2018 Zbigniew Jędrzejewski-Szmek - 237-6.git84c8da5 +- Create /etc/systemd in %%post libs if necessary (#1548607) + +* Fri Feb 23 2018 Adam Williamson - 237-5.git84c8da5 +- Use : not touch to create file in -libs %%post + +* Thu Feb 22 2018 Davide Cavalca - 237-1.fb2 +- Add workaround for an issue with systemd-nspawn -u affecting mock (GH#8194) + +* Thu Feb 22 2018 Patrick Uiterwijk - 237-4.git84c8da5 +- Add coreutils dep for systemd-libs %%post +- Add patch to typecast USB IDs to avoid compile failure + +* Wed Feb 21 2018 Zbigniew Jędrzejewski-Szmek - 237-3.git84c8da5 +- Update some patches for test skipping that were updated upstream + before merging +- Add /usr/lib/systemd/purge-nobody-user — a script to check if nobody is defined + correctly and possibly replace existing mappings + +* Tue Feb 20 2018 Zbigniew Jędrzejewski-Szmek - 237-2.gitdff4849 +- Backport a bunch of patches, most notably for the journal and various + memory issues. Some minor build fixes. +- Switch to new ldconfig macros that do nothing in F28+ +- /etc/systemd/dont-synthesize-nobody is created in %%post if nfsnobody + or nobody users are defined (#1537262) + +* Mon Feb 12 2018 Davide Cavalca - 237-1.fb1 +- Facebook rebuild +- Backport configurable docdir patch from master (PR#8068) +- Ensure split-files.py is run with python36 +- Set nfs/nfsnobody as nobody users +- Add pcre2-devel dependecy for journalctl --grep +- Disable tests for now as they're failing randomly when building in mock +- Use 10485760 as container base for Facebook to avoid conflicting with LDAP +- Backport PID file symlink chain checks fix from master (PR#8133) + +* Fri Feb 9 2018 Zbigniew Jędrzejeweski-Szmek - 237-1.git78bd769 +- Update to first stable snapshot (various minor memory leaks and misaccesses, + some documentation bugs, build fixes). + +* Sun Jan 28 2018 Zbigniew Jędrzejewski-Szmek - 237-1 +- Update to latest version + +* Sun Jan 21 2018 Björn Esser - 236-4.git3e14c4c +- Add patch to include if needed + +* Sat Jan 20 2018 Björn Esser - 236-3.git3e14c4c +- Rebuilt for switch to libxcrypt + +* Thu Jan 11 2018 Zbigniew Jędrzejewski-Szmek - 236-2.git23e14c4 +- Backport a bunch of bugfixes from upstream (#1531502, #1531381, #1526621 + various memory corruptions in systemd-networkd) +- /dev/kvm is marked as a static node which fixes permissions on s390x + and ppc64 (#1532382) + +* Fri Dec 15 2017 Zbigniew Jędrzejewski-Szmek - 236-1 +- Update to latest version + +* Mon Dec 11 2017 Zbigniew Jędrzejewski-Szmek - 235-5.git4a0e928 +- Update to latest git snapshot, do not build for realz +- Switch to libidn2 again (#1449145) + +* Tue Nov 07 2017 Zbigniew Jędrzejewski-Szmek - 235-4 +- Rebuild for cryptsetup-2.0.0-0.2.fc28 + +* Wed Oct 25 2017 Zbigniew Jędrzejewski-Szmek - 235-3 +- Backport a bunch of patches, including LP#172535 + +* Wed Oct 18 2017 Zbigniew Jędrzejewski-Szmek - 235-2 +- Patches for cryptsetup _netdev + +* Mon Oct 9 2017 Davide Cavalca - 235-1.fb1 +- Facebook rebuild + +* Fri Oct 6 2017 Zbigniew Jędrzejewski-Szmek - 235-1 +- Update to latest version + +* Tue Sep 26 2017 Nathaniel McCallum - 234-8 +- Backport /etc/crypttab _netdev feature from upstream + +* Thu Sep 21 2017 Michal Sekletar - 234-7 +- Make sure to remove all device units sharing the same sysfs path (#1475570) + +* Mon Sep 18 2017 Zbigniew Jędrzejewski-Szmek - 234-6 +- Bump xslt recursion limit for libxslt-1.30 + +* Mon Sep 18 2017 Davide Cavalca - 234-5.fb2 +- backport build fix for O_TMPFILE from PR#6816 + +* Tue Aug 8 2017 Davide Cavalca - 234-5.fb1 +- new upstream release +- drop compat-libs patch in favor of separate systemd-compat-libs project +- force locale to UTF-8 to make meson happy +- disable broken test-execute +- backport nsdelegate support from PR#6294 + +* Mon Jul 31 2017 Zbigniew Jędrzejewski-Szmek - 234-5 +- Backport more patches (#1476005, hopefully #1462378) + +* Thu Jul 27 2017 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jul 17 2017 Zbigniew Jędrzejewski-Szmek - 234-3 +- Fix x-systemd.timeout=0 in /etc/fstab (#1462378) +- Minor patches (memleaks, --help fixes, seccomp on arm64) + +* Thu Jul 13 2017 Zbigniew Jędrzejewski-Szmek - 234-2 +- Create kvm group (#1431876) + +* Thu Jul 13 2017 Zbigniew Jędrzejewski-Szmek - 234-1 +- Latest release + +* Sat Jul 1 2017 Zbigniew Jędrzejewski-Szmek - 233-7.git74d8f1c +- Update to snapshot +- Build with meson again + +* Tue Jun 27 2017 Zbigniew Jędrzejewski-Szmek - 233-6 +- Fix an out-of-bounds write in systemd-resolved (CVE-2017-9445) + +* Sat Jun 17 2017 Peter Blair - 233-2.fb2 +- Apply patch from CVE-2017-9445 + +* Fri Jun 16 2017 Zbigniew Jędrzejewski-Szmek - 233-5.gitec36d05 +- Update to snapshot version, build with meson + +* Thu Jun 15 2017 Zbigniew Jędrzejewski-Szmek - 233-4 +- Backport a bunch of small fixes (memleaks, wrong format strings, + man page clarifications, shell completion) +- Fix systemd-resolved crash on crafted DNS packet (CVE-2017-9217, #1455493) +- Fix systemd-vconsole-setup.service error on systems with no VGA console (#1272686) +- Drop soft-static uid for systemd-journal-gateway +- Use ID from /etc/os-release as ntpvendor + +* Thu Apr 13 2017 Davide Cavalca - 233-2.fb1 +- New upstream release +- disable a couple of broken tests +- default to legacy hierarchy for now + +* Wed Apr 12 2017 Davide Cavalca - 231-11.fb2 +- fix lz4 depends to pick the right package + +* Mon Apr 3 2017 Davide Cavalca - 231-11.fb1 +- use facebook macro to gate Facebook-specific settings +- rebuild against new RPM backport +- update patches + +* Thu Mar 16 2017 Michal Sekletar - 233-3 +- Backport bugfixes from upstream +- Don't return error when machinectl couldn't figure out container IP addresses (#1419501) + +* Tue Mar 14 2017 Patrick White - 231-2.fb4 +- add poettering patch to fix hitting an assert (PR#4447) + +* Thu Mar 2 2017 Zbigniew Jędrzejewski-Szmek - 233-2 +- Fix installation conflict with polkit + +* Thu Mar 2 2017 Zbigniew Jędrzejewski-Szmek - 233-1 +- New upstream release (#1416201, #1405439, #1420753, many others) +- New systemd-tests subpackage with "installed tests" + +* Thu Feb 16 2017 Zbigniew Jędrzejewski-Szmek - 232-15 +- Add %%ghost %%dir entries for .wants dirs of our targets (#1422894) + +* Tue Feb 14 2017 Zbigniew Jędrzejewski-Szmek - 232-14 +- Ignore the hwdb parser test + +* Tue Feb 14 2017 Jan Synáček - 232-14 +- machinectl fails when virtual machine is running (#1419501) + +* Sat Feb 11 2017 Fedora Release Engineering - 232-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jan 31 2017 Zbigniew Jędrzejewski-Szmek - 232-12 +- Backport patch for initrd-switch-root.service getting killed (#1414904) +- Fix sd-journal-gatewayd -D, --trust, and COREDUMP_CONTAINER_CMDLINE + extraction by sd-coredump. + +* Sun Jan 29 2017 zbyszek - 232-11 +- Backport a number of patches (#1411299, #1413075, #1415745, + ##1415358, #1416588, #1408884) +- Fix various memleaks and unitialized variable access +- Shell completion enhancements +- Enable TPM logging by default (#1411156) +- Update hwdb (#1270124) + +* Thu Jan 19 2017 Adam Williamson - 232-10 +- Backport fix for boot failure in initrd-switch-root (#1414904) + +* Wed Jan 18 2017 Zbigniew Jędrzejewski-Szmek - 232-9 +- Add fake dependency on systemd-pam to systemd-devel to ensure systemd-pam + is available as multilib (#1414153) + +* Tue Jan 17 2017 Zbigniew Jędrzejewski-Szmek - 232-8 +- Fix buildsystem to check for lz4 correctly (#1404406) + +* Wed Jan 11 2017 Zbigniew Jędrzejewski-Szmek - 232-7 +- Various small tweaks to scriplets + +* Sat Jan 07 2017 Kevin Fenzi - 232-6 +- Fix scriptlets to never fail in libs post + +* Fri Jan 06 2017 Kevin Fenzi - 232-5 +- Add patch from Michal Schmidt to avoid process substitution (#1392236) + +* Sun Nov 6 2016 Zbigniew Jędrzejewski-Szmek - 232-4 +- Rebuild (#1392236) + +* Fri Nov 4 2016 Zbigniew Jędrzejewski-Szmek - 232-3 +- Make /etc/dbus-1/system.d directory non-%%ghost + +* Fri Nov 4 2016 Zbigniew Jędrzejewski-Szmek - 232-2 +- Fix kernel-install (#1391829) +- Restore previous systemd-user PAM config (#1391836) +- Move journal-upload.conf.5 from systemd main to journal-remote subpackage (#1391833) +- Fix permissions on /var/lib/systemd/journal-upload (#1262665) + +* Thu Nov 3 2016 Zbigniew Jędrzejewski-Szmek - 232-1 +- Update to latest version (#998615, #1181922, #1374371, #1390704, #1384150, #1287161) +- Add %%{_isa} to Provides on arch-full packages (#1387912) +- Create systemd-coredump user in %%pre (#1309574) +- Replace grubby patch with a short-circuiting install.d "plugin" +- Enable nss-systemd in the passwd, group lines in nsswith.conf +- Add [!UNAVAIL=return] fallback after nss-resolve in hosts line in nsswith.conf +- Move systemd-nspawn man pages to the right subpackage (#1391703) + +* Tue Oct 18 2016 Jan Synáček - 231-11 +- SPC - Cannot restart host operating from container (#1384523) + +* Sun Oct 9 2016 Zbigniew Jędrzejewski-Szmek - 231-10 +- Do not recreate /var/log/journal on upgrades (#1383066) +- Move nss-myhostname provides to systemd-libs (#1383271) + +* Fri Oct 7 2016 Zbigniew Jędrzejewski-Szmek - 231-9 +- Fix systemctl set-default (#1374371) +- Prevent systemd-udev-trigger.service from restarting (follow-up for #1378974) + +* Tue Oct 4 2016 Zbigniew Jędrzejewski-Szmek - 231-8 +- Apply fix for #1378974 + +* Mon Oct 3 2016 Zbigniew Jędrzejewski-Szmek - 231-7 +- Apply patches properly + +* Thu Sep 29 2016 Zbigniew Jędrzejewski-Szmek - 231-6 +- Better fix for (#1380286) + +* Thu Sep 29 2016 Zbigniew Jędrzejewski-Szmek - 231-5 +- Denial-of-service bug against pid1 (#1380286) + +* Thu Aug 25 2016 Zbigniew Jędrzejewski-Szmek - 231-4 +- Fix preset-all (#1363858) +- Fix issue with daemon-reload messing up graphics (#1367766) +- A few other bugfixes + +* Wed Aug 10 2016 Davide Cavalca - 231-2.fb3 +- add mpawlowski root filesystem namespace patch for #12621017 +- add htejun patch for cgroup2 cpu controller (PR#3905) +- update htejun logind patch from PR#3835 + +* Wed Aug 03 2016 Adam Williamson - 231-3 +- Revert preset-all change, it broke stuff (#1363858) + +* Thu Jul 28 2016 Davide Cavalca - 231-2.fb2 +- add /dev/fio patch from bwann for GH#3718 +- import PR#3821 updates and rebase patches on github +- add htejun logind patch for UserTasksMax (#12460186, PR#3835) + +* Wed Jul 27 2016 Davide Cavalca - 231-2.fb1 +- Facebook rebuild +- Fix test failures in mock (#7950934, PR#3821) +- drop fsck on root patch now that we have the new dracut (see PR#3822) +- Rework LTO disable patch to be conditional (#11565880, PR#3823) +- update compat-libs and rebase onto public branch + (https://github.com/davide125/systemd/tree/compat-libs) +- add back python support now that we have python34-lxml +- add back xkbcommon support as it's available in rolling os updates + +* Wed Jul 27 2016 Zbigniew Jędrzejewski-Szmek - 231-2 +- Call preset-all on initial installation (#1118740) +- Fix botched Recommends for libxkbcommon + +* Tue Jul 26 2016 Zbigniew Jędrzejewski-Szmek - 231-1 +- Update to latest version + +* Tue Jul 19 2016 Davide Cavalca - 230-2.fb2 +- fix fsck for root filesystem on firstboot after install (#11352467) + +* Wed Jun 8 2016 Zbigniew Jędrzejewski-Szmek - 230-3 +- Update to latest git snapshot (fixes for systemctl set-default, + polkit lingering policy, reversal of the framebuffer rules, + unaligned access fixes, fix for StartupBlockIOWeight-over-dbus). + Those changes are interspersed with other changes and new features + (mostly in lldp, networkd, and nspawn). Some of those new features + might not work, but I think that existing functionality should not + be broken, so it seems worthwile to update to the snapshot. + +* Thu May 26 2016 Davide Cavalca - 230-2.fb1 +- Facebook rebuild +- backport htejun PRs for cgroup2 (#3337, #3329, #3315, #3417, #3418) +- add back compat-libs + +* Sat May 21 2016 Zbigniew Jędrzejewski-Szmek - 230-2 +- Remove systemd-compat-libs on upgrade + +* Sat May 21 2016 Zbigniew Jędrzejewski-Szmek - 230-1 +- New version +- Drop compat-libs +- Require libxkbcommon explictly, since the automatic dependency will + not be generated anymore + +* Thu May 12 2016 Tejun Heo - 229-1.fb6 +- backport https://github.com/systemd/systemd/pull/3246 to fix slice overrides + +* Mon May 09 2016 Davide Cavalca - 229-1.fb5 +- update Tejun Heo patches for cgroup2 io controller support + +* Fri Apr 29 2016 Davide Cavalca - 229-1.fb4 +- add Tejun Heo test patch for cgroup2 IO controllers support (#10638181) + +* Tue Apr 26 2016 Zbigniew Jędrzejewski-Szmek - 229-15 +- Remove duplicated entries in -container %%files (#1330395) + +* Fri Apr 22 2016 Zbigniew Jędrzejewski-Szmek - 229-14 +- Move installation of udev services to udev subpackage (#1329023) + +* Mon Apr 18 2016 Zbigniew Jędrzejewski-Szmek - 229-13 +- Split out systemd-pam subpackage (#1327402) + +* Mon Apr 18 2016 Harald Hoyer - 229-12 +- move more binaries and services from the main package to subpackages + +* Mon Apr 18 2016 Harald Hoyer - 229-11 +- move more binaries and services from the main package to subpackages + +* Mon Apr 18 2016 Harald Hoyer - 229-10 +- move device dependant stuff to the udev subpackage + +* Thu Mar 24 2016 Davide Cavalca - 229-1.fb3 +- add Tejun Heo patches for cgroups v2 support (#10268183) + +* Tue Mar 22 2016 Zbigniew Jędrzejewski-Szmek - 229-9 +- Add myhostname to /etc/nsswitch.conf (#1318303) + +* Mon Mar 21 2016 Harald Hoyer - 229-8 +- fixed kernel-install for copying files for grubby +Resolves: rhbz#1299019 + +* Thu Mar 17 2016 Zbigniew Jędrzejewski-Szmek - 229-7 +- Moar patches (#1316964, #1317928) +- Move vconsole-setup and tmpfiles-setup-dev bits to systemd-udev +- Protect systemd-udev from deinstallation + +* Fri Mar 11 2016 Zbigniew Jędrzejewski-Szmek - 229-6 +- Create /etc/resolv.conf symlink from systemd-resolved (#1313085) + +* Fri Mar 4 2016 Zbigniew Jędrzejewski-Szmek - 229-5 +- Split out systemd-container subpackage (#1163412) +- Split out system-udev subpackage +- Add various bugfix patches, incl. a tentative fix for #1308771 + +* Wed Mar 02 2016 Davide Cavalca - 229-1.fb2 +- revert RPM trigger macros for #10119506 + +* Tue Mar 1 2016 Peter Robinson 229-4 +- Power64 and s390(x) now have libseccomp support +- aarch64 has gnu-efi + +* Tue Feb 23 2016 Jan Synáček - 229-3 +- Fix build failures on ppc64 (#1310800) + +* Tue Feb 16 2016 Dennis Gilmore - 229-2 +- revert: fixed kernel-install for copying files for grubby +Resolves: rhbz#1299019 +- this causes the dtb files to not get installed at all and the fdtdir +- line in extlinux.conf to not get updated correctly + +* Tue Feb 16 2016 Davide Cavalca - 229-1.fb1 +- Facebook rebuilt +- disable LTO to fix a build segfault with LTO + +* Thu Feb 11 2016 Michal Sekletar - 229-1 +- New upstream release + +* Thu Feb 11 2016 Harald Hoyer - 228-10.gite35a787 +- fixed kernel-install for copying files for grubby +Resolves: rhbz#1299019 + +* Fri Feb 05 2016 Fedora Release Engineering - 228-9.gite35a787 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 27 2016 Peter Robinson 228-8.gite35a787 +- Rebuild for binutils on aarch64 fix + +* Fri Jan 08 2016 Dan Horák - 228-7.gite35a787 +- apply the conflict with fedora-release only in Fedora + +* Thu Dec 10 2015 Jan Synáček - 228-6.gite35a787 +- Fix rawhide build failures on ppc64 (#1286249) + +* Sun Nov 29 2015 Zbigniew Jędrzejewski-Szmek - 228-6.gite35a787 +- Create /etc/systemd/network (#1286397) + +* Thu Nov 26 2015 Zbigniew Jędrzejewski-Szmek - 228-5.gite35a787 +- Do not install nss modules by default + +* Tue Nov 24 2015 Zbigniew Jędrzejewski-Szmek - 228-4.gite35a787 +- Update to latest upstream git: there is a bunch of fixes + (nss-mymachines overflow bug, networkd fixes, more completions are + properly installed), mixed with some new resolved features. +- Rework file triggers so that they always run before daemons are restarted + +* Mon Nov 23 2015 Davide Cavalca - 228-3.fb1 +- Facebook rebuilt +- disable test-namespace +- revert rpm file triggers as they don't work on el7 + +* Thu Nov 19 2015 Zbigniew Jędrzejewski-Szmek - 228-3 +- Enable rpm file triggers for daemon-reload + +* Thu Nov 19 2015 Zbigniew Jędrzejewski-Szmek - 228-2 +- Fix version number in obsoleted package name (#1283452) + +* Wed Nov 18 2015 Kay Sievers - 228-1 +- New upstream release + +* Thu Nov 12 2015 Zbigniew Jędrzejewski-Szmek - 227-7 +- Rename journal-gateway subpackage to journal-remote +- Ignore the access mode on /var/log/journal (#1048424) +- Do not assume fstab is present (#1281606) + +* Wed Nov 11 2015 Fedora Release Engineering - 227-6 +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Tue Nov 10 2015 Lukáš Nykrýn - 227-5 +- Rebuild for libmicrohttpd soname bump + +* Fri Nov 06 2015 Robert Kuska - 227-4 +- Rebuilt for Python3.5 rebuild + +* Wed Nov 4 2015 Zbigniew Jędrzejewski-Szmek - 227-3 +- Fix syntax in kernel-install (#1277264) + +* Tue Nov 03 2015 Michal Schmidt - 227-2 +- Rebuild for libmicrohttpd soname bump. + +* Fri Oct 09 2015 Davide Cavalca - 227-1.fb1 +- disable tests broken on centos6 +- fix build with centos7 curl +- kernel-install: add fedora specific callouts to new-kernel-pkg + +* Wed Oct 7 2015 Kay Sievers - 227-1 +- New upstream release + +* Fri Sep 18 2015 Jan Synáček - 226-3 +- user systemd-journal-upload should be in systemd-journal group (#1262743) + +* Fri Sep 18 2015 Kay Sievers - 226-2 +- Add selinux to system-user PAM config + +* Tue Sep 8 2015 Kay Sievers - 226-1 +- New upstream release + +* Thu Aug 27 2015 Kay Sievers - 225-1 +- New upstream release + +* Fri Jul 31 2015 Kay Sievers - 224-1 +- New upstream release + +* Wed Jul 29 2015 Kay Sievers - 223-2 +- update to git snapshot + +* Wed Jul 29 2015 Kay Sievers - 223-1 +- New upstream release + +* Thu Jul 9 2015 Zbigniew Jędrzejewski-Szmek - 222-2 +- Remove python subpackages (python-systemd in now standalone) + +* Tue Jul 7 2015 Kay Sievers - 222-1 +- New upstream release + +* Mon Jul 6 2015 Kay Sievers - 221-5.git619b80a +- update to git snapshot + +* Mon Jul 6 2015 Zbigniew Jędrzejewski-Szmek - 221-4.git604f02a +- Add example file with yama config (#1234951) + +* Sun Jul 5 2015 Kay Sievers - 221-3.git604f02a +- update to git snapshot + +* Mon Jun 22 2015 Kay Sievers - 221-2 +- build systemd-boot EFI tools + +* Fri Jun 19 2015 Lennart Poettering - 221-1 +- New upstream release +- Undoes botched translation check, should be reinstated later? + +* Fri Jun 19 2015 Fedora Release Engineering - 220-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Jun 11 2015 Peter Robinson 220-9 +- The gold linker is now fixed on aarch64 + +* Tue Jun 9 2015 Zbigniew Jędrzejewski-Szmek - 220-8 +- Remove gudev which is now provided as separate package (libgudev) +- Fix for spurious selinux denials (#1224211) +- Udev change events (#1225905) +- Patches for some potential crashes +- ProtectSystem=yes does not touch /home +- Man page fixes, hwdb updates, shell completion updates +- Restored persistent device symlinks for bcache, xen block devices +- Tag all DRM cards as master-of-seat + +* Tue Jun 09 2015 Harald Hoyer 220-7 +- fix udev block device watch + +* Tue Jun 09 2015 Harald Hoyer 220-6 +- add support for network disk encryption + +* Sun Jun 7 2015 Peter Robinson 220-5 +- Disable gold on aarch64 until it's fixed (tracked in rhbz #1225156) + +* Sat May 30 2015 Zbigniew Jędrzejewski-Szmek - 220-4 +- systemd-devel should require systemd-libs, not the main package (#1226301) +- Check for botched translations (#1226566) +- Make /etc/udev/hwdb.d part of the rpm (#1226379) + +* Thu May 28 2015 Richard W.M. Jones - 220-3 +- Add patch to fix udev --daemon not cleaning child processes + (upstream commit 86c3bece38bcf5). + +* Wed May 27 2015 Richard W.M. Jones - 220-2 +- Add patch to fix udev --daemon crash (upstream commit 040e689654ef08). + +* Thu May 21 2015 Lennart Poettering - 220-1 +- New upstream release +- Drop /etc/mtab hack, as that's apparently fixed in mock now (#1116158) +- Remove ghosting for /etc/systemd/system/runlevel*.target, these + targets are not configurable anymore in systemd upstream +- Drop work-around for #1002806, since this is solved upstream now + +* Wed May 20 2015 Dennis Gilmore - 219-15 +- fix up the conflicts version for fedora-release + +* Wed May 20 2015 Zbigniew Jędrzejewski-Szmek - 219-14 +- Remove presets (#1221340) +- Fix (potential) crash and memory leak in timedated, locking failure + in systemd-nspawn, crash in resolved. +- journalctl --list-boots should be faster +- zsh completions are improved +- various ommissions in docs are corrected (#1147651) +- VARIANT and VARIANT_ID fields in os-release are documented +- systemd-fsck-root.service is generated in the initramfs (#1201979, #1107818) +- systemd-tmpfiles should behave better on read-only file systems (#1207083) + +* Wed Apr 29 2015 Zbigniew Jędrzejewski-Szmek - 219-13 +- Patches for some outstanding annoyances +- Small keyboard hwdb updates + +* Wed Apr 8 2015 Zbigniew Jędrzejewski-Szmek - 219-12 +- Tighten requirements between subpackages (#1207381). + +* Sun Mar 22 2015 Zbigniew Jędrzejewski-Szmek - 219-11 +- Move all parts systemd-journal-{remote,upload} to + systemd-journal-gatewayd subpackage (#1193143). +- Create /var/lib/systemd/journal-upload directory (#1193145). +- Cut out lots of stupid messages at debug level which were obscuring more + important stuff. +- Apply "tentative" state for devices only when they are added, not removed. +- Ignore invalid swap pri= settings (#1204336) +- Fix SELinux check for timedated operations to enable/disable ntp (#1014315) +- Fix comparing of filesystem paths (#1184016) + +* Sat Mar 14 2015 Zbigniew Jędrzejewski-Szmek - 219-10 +- Fixes for bugs 1186018, 1195294, 1185604, 1196452. +- Hardware database update. +- Documentation fixes. +- A fix for journalctl performance regression. +- Fix detection of inability to open files in journalctl. +- Detect SuperH architecture properly. +- The first of duplicate lines in tmpfiles wins again. +- Do vconsole setup after loading vconsole driver, not fbcon. +- Fix problem where some units were restarted during systemd reexec. +- Fix race in udevadm settle tripping up NetworkManager. +- Downgrade various log messages. +- Fix issue where journal-remote would process some messages with a delay. +- GPT /srv partition autodiscovery is fixed. +- Reconfigure old Finnish keymaps in post (#1151958) + +* Tue Mar 10 2015 Jan Synáček - 219-9 +- Buttons on Lenovo X6* tablets broken (#1198939) + +* Tue Mar 3 2015 Zbigniew Jędrzejewski-Szmek - 219-8 +- Reworked device handling (#1195761) +- ACL handling fixes (with a script in %%post) +- Various log messages downgraded (#1184712) +- Allow PIE on s390 again (#1197721) + +* Wed Feb 25 2015 Michal Schmidt - 219-7 +- arm: reenable lto. gcc-5.0.0-0.16 fixed the crash (#1193212) + +* Tue Feb 24 2015 Colin Walters - 219-6 +- Revert patch that breaks Atomic/OSTree (#1195761) + +* Fri Feb 20 2015 Michal Schmidt - 219-5 +- Undo the resolv.conf workaround, Aim for a proper fix in Rawhide. + +* Fri Feb 20 2015 Michal Schmidt - 219-4 +- Revive fedora-disable-resolv.conf-symlink.patch to unbreak composes. + +* Wed Feb 18 2015 Michal Schmidt - 219-3 +- arm: disabling gold did not help; disable lto instead (#1193212) + +* Tue Feb 17 2015 Peter Jones - 219-2 +- Update 90-default.present for dbxtool. + +* Mon Feb 16 2015 Lennart Poettering - 219-1 +- New upstream release +- This removes the sysctl/bridge hack, a different solution needs to be found for this (see #634736) +- This removes the /etc/resolv.conf hack, anaconda needs to fix their handling of /etc/resolv.conf as symlink +- This enables "%%check" +- disable gold on arm, as that is broken (see #1193212) + +* Mon Feb 16 2015 Peter Robinson 218-6 +- aarch64 now has seccomp support + +* Thu Feb 05 2015 Michal Schmidt - 218-5 +- Don't overwrite systemd.macros with unrelated Source file. + +* Thu Feb 5 2015 Jan Synáček - 218-4 +- Add a touchpad hwdb (#1189319) + +* Thu Jan 15 2015 Zbigniew Jędrzejewski-Szmek - 218-4 +- Enable xkbcommon dependency to allow checking of keymaps +- Fix permissions of /var/log/journal (#1048424) +- Enable timedatex in presets (#1187072) +- Disable rpcbind in presets (#1099595) + +* Wed Jan 7 2015 Jan Synáček - 218-3 +- RFE: journal: automatically rotate the file if it is unlinked (#1171719) + +* Mon Jan 05 2015 Zbigniew Jędrzejewski-Szmek - 218-3 +- Add firewall description files (#1176626) + +* Thu Dec 18 2014 Jan Synáček - 218-2 +- systemd-nspawn doesn't work on s390/s390x (#1175394) + +* Wed Dec 10 2014 Lennart Poettering - 218-1 +- New upstream release +- Enable "nss-mymachines" in /etc/nsswitch.conf + +* Thu Nov 06 2014 Zbigniew Jędrzejewski-Szmek - 217-4 +- Change libgudev1 to only require systemd-libs (#727499), there's + no need to require full systemd stack. +- Fixes for bugs #1159448, #1152220, #1158035. +- Bash completions updates to allow propose more units for start/restart, + and completions for set-default,get-default. +- Again allow systemctl enable of instances. +- Hardware database update and fixes. +- Udev crash on invalid options and kernel commandline timeout parsing are fixed. +- Add "embedded" chassis type. +- Sync before 'reboot -f'. +- Fix restarting of timer units. + +* Wed Nov 05 2014 Michal Schmidt - 217-3 +- Fix hanging journal flush (#1159641) + +* Fri Oct 31 2014 Michal Schmidt - 217-2 +- Fix ordering cycles involving systemd-journal-flush.service and + remote-fs.target (#1159117) + +* Tue Oct 28 2014 Lennart Poettering - 217-1 +- New upstream release + +* Fri Oct 17 2014 Zbigniew Jędrzejewski-Szmek - 216-12 +- Drop PackageKit.service from presets (#1154126) + +* Mon Oct 13 2014 Zbigniew Jędrzejewski-Szmek - 216-11 +- Conflict with old versions of initscripts (#1152183) +- Remove obsolete Finnish keymap (#1151958) + +* Fri Oct 10 2014 Zbigniew Jędrzejewski-Szmek - 216-10 +- Fix a problem with voluntary daemon exits and some other bugs + (#1150477, #1095962, #1150289) + +* Fri Oct 03 2014 Zbigniew Jędrzejewski-Szmek - 216-9 +- Update to latest git, but without the readahead removal patch + (#1114786, #634736) + +* Wed Oct 01 2014 Kay Sievers - 216-8 +- revert "don't reset selinux context during CHANGE events" + +* Wed Oct 01 2014 Lukáš Nykrýn - 216-7 +- add temporary workaround for #1147910 +- don't reset selinux context during CHANGE events + +* Wed Sep 10 2014 Michal Schmidt - 216-6 +- Update timesyncd with patches to avoid hitting NTP pool too often. + +* Tue Sep 09 2014 Michal Schmidt - 216-5 +- Use common CONFIGURE_OPTS for build2 and build3. +- Configure timesyncd with NTP servers from Fedora/RHEL vendor zone. + +* Wed Sep 03 2014 Zbigniew Jędrzejewski-Szmek - 216-4 +- Move config files for sd-j-remote/upload to sd-journal-gateway subpackage (#1136580) + +* Thu Aug 28 2014 Peter Robinson 216-3 +- Drop no LTO build option for aarch64/s390 now it's fixed in binutils (RHBZ 1091611) + +* Thu Aug 21 2014 Zbigniew Jędrzejewski-Szmek - 216-2 +- Re-add patch to disable resolve.conf symlink (#1043119) + +* Wed Aug 20 2014 Lennart Poettering - 216-1 +- New upstream release + +* Mon Aug 18 2014 Fedora Release Engineering - 215-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Aug 13 2014 Dan Horák 215-11 +- disable LTO also on s390(x) + +* Sat Aug 09 2014 Harald Hoyer 215-10 +- fixed PPC64LE + +* Wed Aug 6 2014 Tom Callaway - 215-9 +- fix license handling + +* Wed Jul 30 2014 Zbigniew Jędrzejewski-Szmek - 215-8 +- Create systemd-journal-remote and systemd-journal-upload users (#1118907) + +* Thu Jul 24 2014 Zbigniew Jędrzejewski-Szmek - 215-7 +- Split out systemd-compat-libs subpackage + +* Tue Jul 22 2014 Kalev Lember - 215-6 +- Rebuilt for gobject-introspection 1.41.4 + +* Mon Jul 21 2014 Zbigniew Jędrzejewski-Szmek - 215-5 +- Fix SELinux context of /etc/passwd-, /etc/group-, /etc/.updated (#1121806) +- Add missing BR so gnutls and elfutils are used + +* Sat Jul 19 2014 Zbigniew Jędrzejewski-Szmek - 215-4 +- Various man page updates +- Static device node logic is conditionalized on CAP_SYS_MODULES instead of CAP_MKNOD + for better behaviour in containers +- Some small networkd link handling fixes +- vconsole-setup runs setfont before loadkeys (https://bugs.freedesktop.org/show_bug.cgi?id=80685) +- New systemd-escape tool +- XZ compression settings are tweaked to greatly improve journald performance +- "watch" is accepted as chassis type +- Various sysusers fixes, most importantly correct selinux labels +- systemd-timesyncd bug fix (https://bugs.freedesktop.org/show_bug.cgi?id=80932) +- Shell completion improvements +- New udev tag ID_SOFTWARE_RADIO can be used to instruct logind to allow user access +- XEN and s390 virtualization is properly detected + +* Mon Jul 07 2014 Colin Walters - 215-3 +- Add patch to disable resolve.conf symlink (#1043119) + +* Sun Jul 06 2014 Zbigniew Jędrzejewski-Szmek - 215-2 +- Move systemd-journal-remote to systemd-journal-gateway package (#1114688) +- Disable /etc/mtab handling temporarily (#1116158) + +* Thu Jul 03 2014 Lennart Poettering - 215-1 +- New upstream release +- Enable coredump logic (which abrt would normally override) + +* Sun Jun 29 2014 Peter Robinson 214-5 +- On aarch64 disable LTO as it still has issues on that arch + +* Thu Jun 26 2014 Zbigniew Jędrzejewski-Szmek - 214-4 +- Bugfixes (#996133, #1112908) + +* Mon Jun 23 2014 Zbigniew Jędrzejewski-Szmek - 214-3 +- Actually create input group (#1054549) + +* Sun Jun 22 2014 Zbigniew Jędrzejewski-Szmek - 214-2 +- Do not restart systemd-logind on upgrades (#1110697) +- Add some patches (#1081429, #1054549, #1108568, #928962) + +* Wed Jun 11 2014 Lennart Poettering - 214-1 +- New upstream release +- Get rid of "floppy" group, since udev uses "disk" now +- Reenable LTO + +* Sun Jun 08 2014 Fedora Release Engineering - 213-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 28 2014 Kay Sievers - 213-3 +- fix systemd-timesync user creation + +* Wed May 28 2014 Michal Sekletar - 213-2 +- Create temporary files after installation (#1101983) +- Add sysstat-collect.timer, sysstat-summary.timer to preset policy (#1101621) + +* Wed May 28 2014 Kay Sievers - 213-1 +- New upstream release + +* Tue May 27 2014 Kalev Lember - 212-6 +- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 + +* Fri May 23 2014 Adam Williamson - 212-5 +- revert change from 212-4, causes boot fail on single CPU boxes (RHBZ 1095891) + +* Wed May 07 2014 Kay Sievers - 212-4 +- add netns udev workaround + +* Wed May 07 2014 Michal Sekletar - 212-3 +- enable uuidd.socket by default (#1095353) + +* Sat Apr 26 2014 Peter Robinson 212-2 +- Disable building with -flto for the moment due to gcc 4.9 issues (RHBZ 1091611) + +* Tue Mar 25 2014 Lennart Poettering - 212-1 +- New upstream release + +* Mon Mar 17 2014 Peter Robinson 211-2 +- Explicitly define which upstream platforms support libseccomp + +* Tue Mar 11 2014 Lennart Poettering - 211-1 +- New upstream release + +* Mon Mar 10 2014 Zbigniew Jędrzejewski-Szmek - 210-8 +- Fix logind unpriviledged reboot issue and a few other minor fixes +- Limit generator execution time +- Recognize buttonless joystick types + +* Fri Mar 07 2014 Karsten Hopp 210-7 +- ppc64le needs link warnings disabled, too + +* Fri Mar 07 2014 Karsten Hopp 210-6 +- move ifarch ppc64le to correct place (libseccomp req) + +* Fri Mar 07 2014 Zbigniew Jędrzejewski-Szmek - 210-5 +- Bugfixes: #1047568, #1047039, #1071128, #1073402 +- Bash completions for more systemd tools +- Bluetooth database update +- Manpage fixes + +* Thu Mar 06 2014 Zbigniew Jędrzejewski-Szmek - 210-4 +- Apply work-around for ppc64le too (#1073647). + +* Sat Mar 01 2014 Zbigniew Jędrzejewski-Szmek - 210-3 +- Backport a few patches, add completion for systemd-nspawn. + +* Fri Feb 28 2014 Zbigniew Jędrzejewski-Szmek - 210-3 +- Apply work-arounds for ppc/ppc64 for bugs 1071278 and 1071284 + +* Mon Feb 24 2014 Lennart Poettering - 210-2 +- Check more services against preset list and enable by default + +* Mon Feb 24 2014 Lennart Poettering - 210-1 +- new upstream release + +* Sun Feb 23 2014 Zbigniew Jędrzejewski-Szmek - 209-2.gitf01de96 +- Enable dnssec-triggerd.service by default (#1060754) + +* Sun Feb 23 2014 Kay Sievers - 209-2.gitf01de96 +- git snapshot to sort out ARM build issues + +* Thu Feb 20 2014 Lennart Poettering - 209-1 +- new upstream release + +* Tue Feb 18 2014 Zbigniew Jędrzejewski-Szmek - 208-15 +- Make gpsd lazily activated (#1066421) + +* Mon Feb 17 2014 Zbigniew Jędrzejewski-Szmek - 208-14 +- Back out patch which causes user manager to be destroyed when unneeded + and spams logs (#1053315) + +* Sun Feb 16 2014 Zbigniew Jędrzejewski-Szmek - 208-13 +- A different fix for #1023820 taken from Mageia +- Backported fix for #997031 +- Hardward database updates, man pages improvements, a few small memory + leaks, utf-8 correctness and completion fixes +- Support for key-slot option in crypttab + +* Sat Jan 25 2014 Ville Skyttä - 208-12 +- Own the %%{_prefix}/lib/kernel(/*) and %%{_datadir}/zsh(/*) dirs. + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-11 +- Backport a few fixes, relevant documentation updates, and HWDB changes + (#1051797, #1051768, #1047335, #1047304, #1047186, #1045849, #1043304, + #1043212, #1039351, #1031325, #1023820, #1017509, #953077) +- Flip journalctl to --full by default (#984758) + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-9 +- Apply two patches for #1026860 + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-8 +- Bump release to stay ahead of f20 + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-7 +- Backport patches (#1023041, #1036845, #1006386?) +- HWDB update +- Some small new features: nspawn --drop-capability=, running PID 1 under + valgrind, "yearly" and "annually" in calendar specifications +- Some small documentation and logging updates + +* Tue Nov 19 2013 Zbigniew Jędrzejewski-Szmek - 208-6 +- Bump release to stay ahead of f20 + +* Tue Nov 19 2013 Zbigniew Jędrzejewski-Szmek - 208-5 +- Use unit name in PrivateTmp= directories (#957439) +- Update manual pages, completion scripts, and hardware database +- Configurable Timeouts/Restarts default values +- Support printing of timestamps on the console +- Fix some corner cases in detecting when writing to the console is safe +- Python API: convert keyword values to string, fix sd_is_booted() wrapper +- Do not tread missing /sbin/fsck.btrfs as an error (#1015467) +- Allow masking of fsck units +- Advertise hibernation to swap files +- Fix SO_REUSEPORT settings +- Prefer converted xkb keymaps to legacy keymaps (#981805, #1026872) +- Make use of newer kmod +- Assorted bugfixes: #1017161, #967521, #988883, #1027478, #821723, #1014303 + +* Tue Oct 22 2013 Zbigniew Jędrzejewski-Szmek - 208-4 +- Add temporary fix for #1002806 + +* Mon Oct 21 2013 Zbigniew Jędrzejewski-Szmek - 208-3 +- Backport a bunch of fixes and hwdb updates + +* Wed Oct 2 2013 Lennart Poettering - 208-2 +- Move old random seed and backlight files into the right place + +* Wed Oct 2 2013 Lennart Poettering - 208-1 +- New upstream release + +* Thu Sep 26 2013 Zbigniew Jędrzejewski-Szmek 207-5 +- Do not create /var/var/... dirs + +* Wed Sep 18 2013 Zbigniew Jędrzejewski-Szmek 207-4 +- Fix policykit authentication +- Resolves: rhbz#1006680 + +* Tue Sep 17 2013 Harald Hoyer 207-3 +- fixed login +- Resolves: rhbz#1005233 + +* Mon Sep 16 2013 Harald Hoyer 207-2 +- add some upstream fixes for 207 +- fixed swap activation +- Resolves: rhbz#1008604 + +* Fri Sep 13 2013 Lennart Poettering - 207-1 +- New upstream release + +* Fri Sep 06 2013 Harald Hoyer 206-11 +- support "debug" kernel command line parameter +- journald: fix fd leak in journal_file_empty +- journald: fix vacuuming of archived journals +- libudev: enumerate - do not try to match against an empty subsystem +- cgtop: fixup the online help +- libudev: fix memleak when enumerating childs + +* Wed Sep 04 2013 Harald Hoyer 206-10 +- Do not require grubby, lorax now takes care of grubby +- cherry-picked a lot of patches from upstream + +* Tue Aug 27 2013 Dennis Gilmore - 206-9 +- Require grubby, Fedora installs require grubby, +- kernel-install took over from new-kernel-pkg +- without the Requires we are unable to compose Fedora +- everyone else says that since kernel-install took over +- it is responsible for ensuring that grubby is in place +- this is really what we want for Fedora + +* Tue Aug 27 2013 Kay Sievers - 206-8 +- Revert "Require grubby its needed by kernel-install" + +* Mon Aug 26 2013 Dennis Gilmore 206-7 +- Require grubby its needed by kernel-install + +* Thu Aug 22 2013 Harald Hoyer 206-6 +- kernel-install now understands kernel flavors like PAE + +* Tue Aug 20 2013 Rex Dieter - 206-5 +- add sddm.service to preset file (#998978) + +* Fri Aug 16 2013 Zbigniew Jędrzejewski-Szmek - 206-4 +- Filter out provides for private python modules. +- Add requires on kmod >= 14 (#990994). + +* Sun Aug 11 2013 Zbigniew Jedrzejewski-Szmek - 206-3 +- New systemd-python3 package (#976427). +- Add ownership of a few directories that we create (#894202). + +* Sun Aug 04 2013 Fedora Release Engineering - 206-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 23 2013 Kay Sievers - 206-1 +- New upstream release + Resolves (#984152) + +* Wed Jul 3 2013 Lennart Poettering - 205-1 +- New upstream release + +* Wed Jun 26 2013 Michal Schmidt 204-10 +- Split systemd-journal-gateway subpackage (#908081). + +* Mon Jun 24 2013 Michal Schmidt 204-9 +- Rename nm_dispatcher to NetworkManager-dispatcher in default preset (#977433) + +* Fri Jun 14 2013 Harald Hoyer 204-8 +- fix, which helps to sucessfully browse journals with + duplicated seqnums + +* Fri Jun 14 2013 Harald Hoyer 204-7 +- fix duplicate message ID bug +Resolves: rhbz#974132 + +* Thu Jun 06 2013 Harald Hoyer 204-6 +- introduce 99-default-disable.preset + +* Thu Jun 6 2013 Lennart Poettering - 204-5 +- Rename 90-display-manager.preset to 85-display-manager.preset so that it actually takes precedence over 90-default.preset's "disable *" line (#903690) + +* Tue May 28 2013 Harald Hoyer 204-4 +- Fix kernel-install (#965897) + +* Wed May 22 2013 Kay Sievers - 204-3 +- Fix kernel-install (#965897) + +* Thu May 9 2013 Lennart Poettering - 204-2 +- New upstream release +- disable isdn by default (#959793) + +* Tue May 07 2013 Harald Hoyer 203-2 +- forward port kernel-install-grubby.patch + +* Tue May 7 2013 Lennart Poettering - 203-1 +- New upstream release + +* Wed Apr 24 2013 Harald Hoyer 202-3 +- fix ENOENT for getaddrinfo +- Resolves: rhbz#954012 rhbz#956035 +- crypt-setup-generator: correctly check return of strdup +- logind-dbus: initialize result variable +- prevent library underlinking + +* Fri Apr 19 2013 Harald Hoyer 202-2 +- nspawn create empty /etc/resolv.conf if necessary +- python wrapper: add sd_journal_add_conjunction() +- fix s390 booting +- Resolves: rhbz#953217 + +* Thu Apr 18 2013 Lennart Poettering - 202-1 +- New upstream release + +* Tue Apr 09 2013 Michal Schmidt - 201-2 +- Automatically discover whether to run autoreconf and add autotools and git + BuildRequires based on the presence of patches to be applied. +- Use find -delete. + +* Mon Apr 8 2013 Lennart Poettering - 201-1 +- New upstream release + +* Mon Apr 8 2013 Lennart Poettering - 200-4 +- Update preset file + +* Fri Mar 29 2013 Lennart Poettering - 200-3 +- Remove NetworkManager-wait-online.service from presets file again, it should default to off + +* Fri Mar 29 2013 Lennart Poettering - 200-2 +- New upstream release + +* Tue Mar 26 2013 Lennart Poettering - 199-2 +- Add NetworkManager-wait-online.service to the presets file + +* Tue Mar 26 2013 Lennart Poettering - 199-1 +- New upstream release + +* Mon Mar 18 2013 Michal Schmidt 198-7 +- Drop /usr/s?bin/ prefixes. + +* Fri Mar 15 2013 Harald Hoyer 198-6 +- run autogen to pickup all changes + +* Fri Mar 15 2013 Harald Hoyer 198-5 +- do not mount anything, when not running as pid 1 +- add initrd.target for systemd in the initrd + +* Wed Mar 13 2013 Harald Hoyer 198-4 +- fix switch-root and local-fs.target problem +- patch kernel-install to use grubby, if available + +* Fri Mar 08 2013 Harald Hoyer 198-3 +- add Conflict with dracut < 026 because of the new switch-root isolate + +* Thu Mar 7 2013 Lennart Poettering - 198-2 +- Create required users + +* Thu Mar 7 2013 Lennart Poettering - 198-1 +- New release +- Enable journal persistancy by default + +* Sun Feb 10 2013 Peter Robinson 197-3 +- Bump for ARM + +* Fri Jan 18 2013 Michal Schmidt - 197-2 +- Added qemu-guest-agent.service to presets (Lennart, #885406). +- Add missing pygobject3-base to systemd-analyze deps (Lennart). +- Do not require hwdata, it is all in the hwdb now (Kay). +- Drop dependency on dbus-python. + +* Tue Jan 8 2013 Lennart Poettering - 197-1 +- New upstream release + +* Mon Dec 10 2012 Michal Schmidt - 196-4 +- Enable rngd.service by default (#857765). + +* Mon Dec 10 2012 Michal Schmidt - 196-3 +- Disable hardening on s390(x) because PIE is broken there and produces + text relocations with __thread (#868839). + +* Wed Dec 05 2012 Michal Schmidt - 196-2 +- added spice-vdagentd.service to presets (Lennart, #876237) +- BR cryptsetup-devel instead of the legacy cryptsetup-luks-devel provide name + (requested by Milan Brož). +- verbose make to see the actual build flags + +* Wed Nov 21 2012 Lennart Poettering - 196-1 +- New upstream release + +* Tue Nov 20 2012 Lennart Poettering - 195-8 +- https://bugzilla.redhat.com/show_bug.cgi?id=873459 +- https://bugzilla.redhat.com/show_bug.cgi?id=878093 + +* Thu Nov 15 2012 Michal Schmidt - 195-7 +- Revert udev killing cgroup patch for F18 Beta. +- https://bugzilla.redhat.com/show_bug.cgi?id=873576 + +* Fri Nov 09 2012 Michal Schmidt - 195-6 +- Fix cyclical dep between systemd and systemd-libs. +- Avoid broken build of test-journal-syslog. +- https://bugzilla.redhat.com/show_bug.cgi?id=873387 +- https://bugzilla.redhat.com/show_bug.cgi?id=872638 + +* Thu Oct 25 2012 Kay Sievers - 195-5 +- require 'sed', limit HOSTNAME= match + +* Wed Oct 24 2012 Michal Schmidt - 195-4 +- add dmraid-activation.service to the default preset +- add yum protected.d fragment +- https://bugzilla.redhat.com/show_bug.cgi?id=869619 +- https://bugzilla.redhat.com/show_bug.cgi?id=869717 + +* Wed Oct 24 2012 Kay Sievers - 195-3 +- Migrate /etc/sysconfig/ i18n, keyboard, network files/variables to + systemd native files + +* Tue Oct 23 2012 Lennart Poettering - 195-2 +- Provide syslog because the journal is fine as a syslog implementation + +* Tue Oct 23 2012 Lennart Poettering - 195-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=831665 +- https://bugzilla.redhat.com/show_bug.cgi?id=847720 +- https://bugzilla.redhat.com/show_bug.cgi?id=858693 +- https://bugzilla.redhat.com/show_bug.cgi?id=863481 +- https://bugzilla.redhat.com/show_bug.cgi?id=864629 +- https://bugzilla.redhat.com/show_bug.cgi?id=864672 +- https://bugzilla.redhat.com/show_bug.cgi?id=864674 +- https://bugzilla.redhat.com/show_bug.cgi?id=865128 +- https://bugzilla.redhat.com/show_bug.cgi?id=866346 +- https://bugzilla.redhat.com/show_bug.cgi?id=867407 +- https://bugzilla.redhat.com/show_bug.cgi?id=868603 + +* Wed Oct 10 2012 Michal Schmidt - 194-2 +- Add scriptlets for migration away from systemd-timedated-ntp.target + +* Wed Oct 3 2012 Lennart Poettering - 194-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=859614 +- https://bugzilla.redhat.com/show_bug.cgi?id=859655 + +* Fri Sep 28 2012 Lennart Poettering - 193-1 +- New upstream release + +* Tue Sep 25 2012 Lennart Poettering - 192-1 +- New upstream release + +* Fri Sep 21 2012 Lennart Poettering - 191-2 +- Fix journal mmap header prototype definition to fix compilation on 32bit + +* Fri Sep 21 2012 Lennart Poettering - 191-1 +- New upstream release +- Enable all display managers by default, as discussed with Adam Williamson + +* Thu Sep 20 2012 Lennart Poettering - 190-1 +- New upstream release +- Take possession of /etc/localtime, and remove /etc/sysconfig/clock +- https://bugzilla.redhat.com/show_bug.cgi?id=858780 +- https://bugzilla.redhat.com/show_bug.cgi?id=858787 +- https://bugzilla.redhat.com/show_bug.cgi?id=858771 +- https://bugzilla.redhat.com/show_bug.cgi?id=858754 +- https://bugzilla.redhat.com/show_bug.cgi?id=858746 +- https://bugzilla.redhat.com/show_bug.cgi?id=858266 +- https://bugzilla.redhat.com/show_bug.cgi?id=858224 +- https://bugzilla.redhat.com/show_bug.cgi?id=857670 +- https://bugzilla.redhat.com/show_bug.cgi?id=856975 +- https://bugzilla.redhat.com/show_bug.cgi?id=855863 +- https://bugzilla.redhat.com/show_bug.cgi?id=851970 +- https://bugzilla.redhat.com/show_bug.cgi?id=851275 +- https://bugzilla.redhat.com/show_bug.cgi?id=851131 +- https://bugzilla.redhat.com/show_bug.cgi?id=847472 +- https://bugzilla.redhat.com/show_bug.cgi?id=847207 +- https://bugzilla.redhat.com/show_bug.cgi?id=846483 +- https://bugzilla.redhat.com/show_bug.cgi?id=846085 +- https://bugzilla.redhat.com/show_bug.cgi?id=845973 +- https://bugzilla.redhat.com/show_bug.cgi?id=845194 +- https://bugzilla.redhat.com/show_bug.cgi?id=845028 +- https://bugzilla.redhat.com/show_bug.cgi?id=844630 +- https://bugzilla.redhat.com/show_bug.cgi?id=839736 +- https://bugzilla.redhat.com/show_bug.cgi?id=835848 +- https://bugzilla.redhat.com/show_bug.cgi?id=831740 +- https://bugzilla.redhat.com/show_bug.cgi?id=823485 +- https://bugzilla.redhat.com/show_bug.cgi?id=821813 +- https://bugzilla.redhat.com/show_bug.cgi?id=807886 +- https://bugzilla.redhat.com/show_bug.cgi?id=802198 +- https://bugzilla.redhat.com/show_bug.cgi?id=767795 +- https://bugzilla.redhat.com/show_bug.cgi?id=767561 +- https://bugzilla.redhat.com/show_bug.cgi?id=752774 +- https://bugzilla.redhat.com/show_bug.cgi?id=732874 +- https://bugzilla.redhat.com/show_bug.cgi?id=858735 + +* Thu Sep 13 2012 Lennart Poettering - 189-4 +- Don't pull in pkg-config as dep +- https://bugzilla.redhat.com/show_bug.cgi?id=852828 + +* Wed Sep 12 2012 Lennart Poettering - 189-3 +- Update preset policy +- Rename preset policy file from 99-default.preset to 90-default.preset so that people can order their own stuff after the Fedora default policy if they wish + +* Thu Aug 23 2012 Lennart Poettering - 189-2 +- Update preset policy +- https://bugzilla.redhat.com/show_bug.cgi?id=850814 + +* Thu Aug 23 2012 Lennart Poettering - 189-1 +- New upstream release + +* Thu Aug 16 2012 Ray Strode 188-4 +- more scriptlet fixes + (move dm migration logic to %%posttrans so the service + files it's looking for are available at the time + the logic is run) + +* Sat Aug 11 2012 Lennart Poettering - 188-3 +- Remount file systems MS_PRIVATE before switching roots +- https://bugzilla.redhat.com/show_bug.cgi?id=847418 + +* Wed Aug 08 2012 Rex Dieter - 188-2 +- fix scriptlets + +* Wed Aug 8 2012 Lennart Poettering - 188-1 +- New upstream release +- Enable gdm and avahi by default via the preset file +- Convert /etc/sysconfig/desktop to display-manager.service symlink +- Enable hardened build + +* Mon Jul 30 2012 Kay Sievers - 187-3 +- Obsolete: system-setup-keyboard + +* Wed Jul 25 2012 Kalev Lember - 187-2 +- Run ldconfig for the new -libs subpackage + +* Thu Jul 19 2012 Lennart Poettering - 187-1 +- New upstream release + +* Mon Jul 09 2012 Harald Hoyer 186-2 +- fixed dracut conflict version + +* Tue Jul 3 2012 Lennart Poettering - 186-1 +- New upstream release + +* Fri Jun 22 2012 Nils Philippsen - 185-7.gite7aee75 +- add obsoletes/conflicts so multilib systemd -> systemd-libs updates work + +* Thu Jun 14 2012 Michal Schmidt - 185-6.gite7aee75 +- Update to current git + +* Wed Jun 06 2012 Kay Sievers - 185-5.gita2368a3 +- disable plymouth in configure, to drop the .wants/ symlinks + +* Wed Jun 06 2012 Michal Schmidt - 185-4.gita2368a3 +- Update to current git snapshot + - Add systemd-readahead-analyze + - Drop upstream patch +- Split systemd-libs +- Drop duplicate doc files +- Fixed License headers of subpackages + +* Wed Jun 06 2012 Ray Strode - 185-3 +- Drop plymouth files +- Conflict with old plymouth + +* Tue Jun 05 2012 Kay Sievers - 185-2 +- selinux udev labeling fix +- conflict with older dracut versions for new udev file names + +* Mon Jun 04 2012 Kay Sievers - 185-1 +- New upstream release + - udev selinux labeling fixes + - new man pages + - systemctl help + +* Thu May 31 2012 Lennart Poettering - 184-1 +- New upstream release + +* Thu May 24 2012 Kay Sievers - 183-1 +- New upstream release including udev merge. + +* Wed Mar 28 2012 Michal Schmidt - 44-4 +- Add triggers from Bill Nottingham to correct the damage done by + the obsoleted systemd-units's preun scriptlet (#807457). + +* Mon Mar 26 2012 Dennis Gilmore - 44-3 +- apply patch from upstream so we can build systemd on arm and ppc +- and likely the rest of the secondary arches + +* Tue Mar 20 2012 Michal Schmidt - 44-2 +- Don't build the gtk parts anymore. They're moving into systemd-ui. +- Remove a dead patch file. + +* Fri Mar 16 2012 Lennart Poettering - 44-1 +- New upstream release +- Closes #798760, #784921, #783134, #768523, #781735 + +* Mon Feb 27 2012 Dennis Gilmore - 43-2 +- don't conflict with fedora-release systemd never actually provided +- /etc/os-release so there is no actual conflict + +* Wed Feb 15 2012 Lennart Poettering - 43-1 +- New upstream release +- Closes #789758, #790260, #790522 + +* Sat Feb 11 2012 Lennart Poettering - 42-1 +- New upstream release +- Save a bit of entropy during system installation (#789407) +- Don't own /etc/os-release anymore, leave that to fedora-release + +* Thu Feb 9 2012 Adam Williamson - 41-2 +- rebuild for fixed binutils + +* Thu Feb 9 2012 Lennart Poettering - 41-1 +- New upstream release + +* Tue Feb 7 2012 Lennart Poettering - 40-1 +- New upstream release + +* Thu Jan 26 2012 Kay Sievers - 39-3 +- provide /sbin/shutdown + +* Wed Jan 25 2012 Harald Hoyer 39-2 +- increment release + +* Wed Jan 25 2012 Kay Sievers - 39-1.1 +- install everything in /usr + https://fedoraproject.org/wiki/Features/UsrMove + +* Wed Jan 25 2012 Lennart Poettering - 39-1 +- New upstream release + +* Sun Jan 22 2012 Michal Schmidt - 38-6.git9fa2f41 +- Update to a current git snapshot. +- Resolves: #781657 + +* Sun Jan 22 2012 Michal Schmidt - 38-5 +- Build against libgee06. Reenable gtk tools. +- Delete unused patches. +- Add easy building of git snapshots. +- Remove legacy spec file elements. +- Don't mention implicit BuildRequires. +- Configure with --disable-static. +- Merge -units into the main package. +- Move section 3 manpages to -devel. +- Fix unowned directory. +- Run ldconfig in scriptlets. +- Split systemd-analyze to a subpackage. + +* Sat Jan 21 2012 Dan Horák - 38-4 +- fix build on big-endians + +* Wed Jan 11 2012 Lennart Poettering - 38-3 +- Disable building of gtk tools for now + +* Wed Jan 11 2012 Lennart Poettering - 38-2 +- Fix a few (build) dependencies + +* Wed Jan 11 2012 Lennart Poettering - 38-1 +- New upstream release + +* Tue Nov 15 2011 Michal Schmidt - 37-4 +- Run authconfig if /etc/pam.d/system-auth is not a symlink. +- Resolves: #753160 + +* Wed Nov 02 2011 Michal Schmidt - 37-3 +- Fix remote-fs-pre.target and its ordering. +- Resolves: #749940 + +* Wed Oct 19 2011 Michal Schmidt - 37-2 +- A couple of fixes from upstream: +- Fix a regression in bash-completion reported in Bodhi. +- Fix a crash in isolating. +- Resolves: #717325 + +* Tue Oct 11 2011 Lennart Poettering - 37-1 +- New upstream release +- Resolves: #744726, #718464, #713567, #713707, #736756 + +* Thu Sep 29 2011 Michal Schmidt - 36-5 +- Undo the workaround. Kay says it does not belong in systemd. +- Unresolves: #741655 + +* Thu Sep 29 2011 Michal Schmidt - 36-4 +- Workaround for the crypto-on-lvm-on-crypto disk layout +- Resolves: #741655 + +* Sun Sep 25 2011 Michal Schmidt - 36-3 +- Revert an upstream patch that caused ordering cycles +- Resolves: #741078 + +* Fri Sep 23 2011 Lennart Poettering - 36-2 +- Add /etc/timezone to ghosted files + +* Fri Sep 23 2011 Lennart Poettering - 36-1 +- New upstream release +- Resolves: #735013, #736360, #737047, #737509, #710487, #713384 + +* Thu Sep 1 2011 Lennart Poettering - 35-1 +- New upstream release +- Update post scripts +- Resolves: #726683, #713384, #698198, #722803, #727315, #729997, #733706, #734611 + +* Thu Aug 25 2011 Lennart Poettering - 34-1 +- New upstream release + +* Fri Aug 19 2011 Harald Hoyer 33-2 +- fix ABRT on service file reloading +- Resolves: rhbz#732020 + +* Wed Aug 3 2011 Lennart Poettering - 33-1 +- New upstream release + +* Fri Jul 29 2011 Lennart Poettering - 32-1 +- New upstream release + +* Wed Jul 27 2011 Lennart Poettering - 31-2 +- Fix access mode of modprobe file, restart logind after upgrade + +* Wed Jul 27 2011 Lennart Poettering - 31-1 +- New upstream release + +* Wed Jul 13 2011 Lennart Poettering - 30-1 +- New upstream release + +* Thu Jun 16 2011 Lennart Poettering - 29-1 +- New upstream release + +* Mon Jun 13 2011 Michal Schmidt - 28-4 +- Apply patches from current upstream. +- Fixes memory size detection on 32-bit with >4GB RAM (BZ712341) + +* Wed Jun 08 2011 Michal Schmidt - 28-3 +- Apply patches from current upstream +- https://bugzilla.redhat.com/show_bug.cgi?id=709909 +- https://bugzilla.redhat.com/show_bug.cgi?id=710839 +- https://bugzilla.redhat.com/show_bug.cgi?id=711015 + +* Sat May 28 2011 Lennart Poettering - 28-2 +- Pull in nss-myhostname + +* Thu May 26 2011 Lennart Poettering - 28-1 +- New upstream release + +* Wed May 25 2011 Lennart Poettering - 26-2 +- Bugfix release +- https://bugzilla.redhat.com/show_bug.cgi?id=707507 +- https://bugzilla.redhat.com/show_bug.cgi?id=707483 +- https://bugzilla.redhat.com/show_bug.cgi?id=705427 +- https://bugzilla.redhat.com/show_bug.cgi?id=707577 + +* Sat Apr 30 2011 Lennart Poettering - 26-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=699394 +- https://bugzilla.redhat.com/show_bug.cgi?id=698198 +- https://bugzilla.redhat.com/show_bug.cgi?id=698674 +- https://bugzilla.redhat.com/show_bug.cgi?id=699114 +- https://bugzilla.redhat.com/show_bug.cgi?id=699128 + +* Thu Apr 21 2011 Lennart Poettering - 25-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=694788 +- https://bugzilla.redhat.com/show_bug.cgi?id=694321 +- https://bugzilla.redhat.com/show_bug.cgi?id=690253 +- https://bugzilla.redhat.com/show_bug.cgi?id=688661 +- https://bugzilla.redhat.com/show_bug.cgi?id=682662 +- https://bugzilla.redhat.com/show_bug.cgi?id=678555 +- https://bugzilla.redhat.com/show_bug.cgi?id=628004 + +* Wed Apr 6 2011 Lennart Poettering - 24-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=694079 +- https://bugzilla.redhat.com/show_bug.cgi?id=693289 +- https://bugzilla.redhat.com/show_bug.cgi?id=693274 +- https://bugzilla.redhat.com/show_bug.cgi?id=693161 + +* Tue Apr 5 2011 Lennart Poettering - 23-1 +- New upstream release +- Include systemd-sysv-convert + +* Fri Apr 1 2011 Lennart Poettering - 22-1 +- New upstream release + +* Wed Mar 30 2011 Lennart Poettering - 21-2 +- The quota services are now pulled in by mount points, hence no need to enable them explicitly + +* Tue Mar 29 2011 Lennart Poettering - 21-1 +- New upstream release + +* Mon Mar 28 2011 Matthias Clasen - 20-2 +- Apply upstream patch to not send untranslated messages to plymouth + +* Tue Mar 8 2011 Lennart Poettering - 20-1 +- New upstream release + +* Tue Mar 1 2011 Lennart Poettering - 19-1 +- New upstream release + +* Wed Feb 16 2011 Lennart Poettering - 18-1 +- New upstream release + +* Mon Feb 14 2011 Bill Nottingham - 17-6 +- bump upstart obsoletes (#676815) + +* Wed Feb 9 2011 Tom Callaway - 17-5 +- add macros.systemd file for %%{_unitdir} + +* Wed Feb 09 2011 Fedora Release Engineering - 17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Feb 9 2011 Lennart Poettering - 17-3 +- Fix popen() of systemctl, #674916 + +* Mon Feb 7 2011 Bill Nottingham - 17-2 +- add epoch to readahead obsolete + +* Sat Jan 22 2011 Lennart Poettering - 17-1 +- New upstream release + +* Tue Jan 18 2011 Lennart Poettering - 16-2 +- Drop console.conf again, since it is not shipped in pamtmp.conf + +* Sat Jan 8 2011 Lennart Poettering - 16-1 +- New upstream release + +* Thu Nov 25 2010 Lennart Poettering - 15-1 +- New upstream release + +* Thu Nov 25 2010 Lennart Poettering - 14-1 +- Upstream update +- Enable hwclock-load by default +- Obsolete readahead +- Enable /var/run and /var/lock on tmpfs + +* Fri Nov 19 2010 Lennart Poettering - 13-1 +- new upstream release + +* Wed Nov 17 2010 Bill Nottingham 12-3 +- Fix clash + +* Wed Nov 17 2010 Lennart Poettering - 12-2 +- Don't clash with initscripts for now, so that we don't break the builders + +* Wed Nov 17 2010 Lennart Poettering - 12-1 +- New upstream release + +* Fri Nov 12 2010 Matthias Clasen - 11-2 +- Rebuild with newer vala, libnotify + +* Thu Oct 7 2010 Lennart Poettering - 11-1 +- New upstream release + +* Wed Sep 29 2010 Jesse Keating - 10-6 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Bill Nottingham - 10-5 +- merge -sysvinit into main package + +* Mon Sep 20 2010 Bill Nottingham - 10-4 +- obsolete upstart-sysvinit too + +* Fri Sep 17 2010 Bill Nottingham - 10-3 +- Drop upstart requires + +* Tue Sep 14 2010 Lennart Poettering - 10-2 +- Enable audit +- https://bugzilla.redhat.com/show_bug.cgi?id=633771 + +* Tue Sep 14 2010 Lennart Poettering - 10-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=630401 +- https://bugzilla.redhat.com/show_bug.cgi?id=630225 +- https://bugzilla.redhat.com/show_bug.cgi?id=626966 +- https://bugzilla.redhat.com/show_bug.cgi?id=623456 + +* Fri Sep 3 2010 Bill Nottingham - 9-3 +- move fedora-specific units to initscripts; require newer version thereof + +* Fri Sep 3 2010 Lennart Poettering - 9-2 +- Add missing tarball + +* Fri Sep 3 2010 Lennart Poettering - 9-1 +- New upstream version +- Closes 501720, 614619, 621290, 626443, 626477, 627014, 627785, 628913 + +* Fri Aug 27 2010 Lennart Poettering - 8-3 +- Reexecute after installation, take ownership of /var/run/user +- https://bugzilla.redhat.com/show_bug.cgi?id=627457 +- https://bugzilla.redhat.com/show_bug.cgi?id=627634 + +* Thu Aug 26 2010 Lennart Poettering - 8-2 +- Properly create default.target link + +* Wed Aug 25 2010 Lennart Poettering - 8-1 +- New upstream release + +* Thu Aug 12 2010 Lennart Poettering - 7-3 +- Fix https://bugzilla.redhat.com/show_bug.cgi?id=623561 + +* Thu Aug 12 2010 Lennart Poettering - 7-2 +- Fix https://bugzilla.redhat.com/show_bug.cgi?id=623430 + +* Tue Aug 10 2010 Lennart Poettering - 7-1 +- New upstream release + +* Fri Aug 6 2010 Lennart Poettering - 6-2 +- properly hide output on package installation +- pull in coreutils during package installtion + +* Fri Aug 6 2010 Lennart Poettering - 6-1 +- New upstream release +- Fixes #621200 + +* Wed Aug 4 2010 Lennart Poettering - 5-2 +- Add tarball + +* Wed Aug 4 2010 Lennart Poettering - 5-1 +- Prepare release 5 + +* Tue Jul 27 2010 Bill Nottingham - 4-4 +- Add 'sysvinit-userspace' provide to -sysvinit package to fix upgrade/install (#618537) + +* Sat Jul 24 2010 Lennart Poettering - 4-3 +- Add libselinux to build dependencies + +* Sat Jul 24 2010 Lennart Poettering - 4-2 +- Use the right tarball + +* Sat Jul 24 2010 Lennart Poettering - 4-1 +- New upstream release, and make default + +* Tue Jul 13 2010 Lennart Poettering - 3-3 +- Used wrong tarball + +* Tue Jul 13 2010 Lennart Poettering - 3-2 +- Own /cgroup jointly with libcgroup, since we don't dpend on it anymore + +* Tue Jul 13 2010 Lennart Poettering - 3-1 +- New upstream release + +* Fri Jul 9 2010 Lennart Poettering - 2-0 +- New upstream release + +* Wed Jul 7 2010 Lennart Poettering - 1-0 +- First upstream release + +* Tue Jun 29 2010 Lennart Poettering - 0-0.7.20100629git4176e5 +- New snapshot +- Split off -units package where other packages can depend on without pulling in the whole of systemd + +* Tue Jun 22 2010 Lennart Poettering - 0-0.6.20100622gita3723b +- Add missing libtool dependency. + +* Tue Jun 22 2010 Lennart Poettering - 0-0.5.20100622gita3723b +- Update snapshot + +* Mon Jun 14 2010 Rahul Sundaram - 0-0.4.20100614git393024 +- Pull the latest snapshot that fixes a segfault. Resolves rhbz#603231 + +* Fri Jun 11 2010 Rahul Sundaram - 0-0.3.20100610git2f198e +- More minor fixes as per review + +* Thu Jun 10 2010 Rahul Sundaram - 0-0.2.20100610git2f198e +- Spec improvements from David Hollis + +* Wed Jun 09 2010 Rahul Sundaram - 0-0.1.20090609git2f198e +- Address review comments + +* Tue Jun 01 2010 Rahul Sundaram - 0-0.0.git2010-06-02 +- Initial spec (adopted from Kay Sievers)