This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
This has only been used by Dysnomia, which has been removed from Nixpkgs
in https://github.com/NixOS/nixpkgs/pull/110799 after being broken for
more than a year.
If Dysnomia comes back, it can probably just use
/nix/var/nix/profiles/default/lib/systemd/system, or set its own systemd
flavour looking in that location via the `systemd.package`.
This was recently introduced, and apparently not nixpkgs-fmt'ed.
While there's no global consensus on nixpkgs-fmt'ing everything,
indenting this by 2 more spaces won't hurt.
continuation of #109595
pkgconfig was aliased in 2018, however, it remained in
all-packages.nix due to its wide usage. This cleans
up the remaining references to pkgs.pkgsconfig and
moves the entry to aliases.nix.
python3Packages.pkgconfig remained unchanged because
it's the canonical name of the upstream package
on pypi.
This ensures that all the features that are implemented via dlopen(3)
are available (or explicitly deactivated) by pointing dlopen to the
absolute store path instead of relying on the linkers runtime lookup
code.
All of the dlopen calls have to be handled. When new ones are introduced
by upstream (or one of our patches) those must be explicitly declared,
otherwise the build will fail.
As of systemd version 247 we've seen a few errors like `libpcre2.… not
found` when using e.g. --grep with journalctl. Those errors should
become less unexpected now.
There are generally two classes of dlopen calls. Those that we want to
support and those that should be deactivated / unsupported. This change
enforces that we handle all dlopen calls explicitly. Meaning: There is
not a single dlopen call in the code source tree that we did not
explicitly handle.
In order to do this I introduced a list of attributes that maps from
shared object name to the package that contains them. The package can be
null meaning the reference should be nuked and the shared object will
never be loadable during runtime (because it points at an invalid store
path location).
Contains the following fixes:
- 937118a5b2 journalctl: don't skip the entries that have the same seqnum
- e017ac6a26 sd-bus: use SOCK_CLOEXEC on one more socket
- db31432861 resolved: create stub-resolv.conf symlink with correct security label
- f2ec15e2e5 efi: Only use arm flags if supported
- cd43eee770 core: detect_container() may return negative errno
- 04be042a1f meson: Fix reallocarray check
- 5e906f483b network: do not assume address ready callback is always set to static addresses
- 2ad7a2a96a network: drop assertions to check link state in netlink callback handlers
- f375c8cbb5 network: do not reconfigure interface when the link gains carrier but udev not initialized it yet
- 5d4909decf veritysetup: also place udev socket dep
- 57ddb74245 cryptsetup: Fix crypto device missing issue after bootup
- d3c224d441 network: fix SIGABRT related to unreachable route with DHCP6
- c91648cc83 network: revert previous changes to address_compare_func()
- d8b5d8c8c3 udev: Fix sound.target dependency
- 669107ae68 meson: specify correct libqrencode version in meson dep
- c07dc6cedc udev: link_update() should fail if the entry in symlink dir couldn't have been created
- 367006c806 man: document that automount units are privileged
- 5129808141 logind: fix closing of button input devices
- 37f06c91ef Update logind-button.c
- 9e9fda0a2d async: add trivial cleanup wrapper for asynchronous_close()
- 4a2ca1ca4a Silence cgroups v1 read-only filesystem warning
- ed1f8f4ba2 manager: Fix HW watchdog when systemd starts before driver loaded
- 383a747164 cgroup: Also set blkio.bfq.weight
- 48d41091ac nss-resolve: varlink_call() set error_id only when r >= 0
- 56daba2deb missing: Define several syscall numbers for Alpha arch
- f2a4b96276 Don't assume /run/systemd exists when creating unit-root
- 553530fdc7 mkosi: Add findutils to Fedora config
- e42990dfe3 mkosi: Add rpm to Fedora BuildPackages as it's needed by pkg-config
- 6bacd1d971 mkosi: Replace iptables-dev with libiptc-dev in debian config
- f1fc515c21 dissect: don't declare unused variables on archs that have no GPT discovery
- 30d0c3f58c resolved: synthesize NODATA instead of NXDOMAIN if gateway exists, but of other protocol
- 538ebbd7f3 local-addresses: make returning accumulated list optional
- 228a22bb63 resolved: improve log message when we use TCP a bit
- aa31dd9128 network: ignore broadcast address for /31 or /32 addresses
- 85607cc094 network: fix verification for broadcast address
- dc6ad6482a network: do not set broadcast if prefixlen is 31 or 32
- 39ee319c75 stub: don't ever respond to datagrams coming in on non-localhost addreses, on the stub
- cbea0e5a83 resolved: never allow _gateway lookups to go to the network
- c4df66816b resolved: lower SERVFAIL cache timeout from 30s to 10s
- b5e39c20d9 dns-domain: try IDN2003 rules if IDN2008 doesn't work
- 2c354cedd2 virt: Properly detect nested UML inside another hypervisor
- 10f2cfb715 resolved: properly check per-link NTA list
- a8437c07e4 meson: use '_' as separator in fuzz test names
- 81ef7623c8 man: mention that --key= is about *secret* keys
- 4ef70ecefc meson: check that cxx variable is set before using it
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.
Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.
Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.
Fixes#73800