If PAMName= is used we'll spawn a PAM session for the service, and leave
a process around that closes the PAM session eventually. That process
must close the "exec_fd" that we use to implement Type=exec. After all
the logic relies on the fact that execve() will implicitly close the
exec_fd, and the EOF seen on it is hence indication for the service
manager that execve() has worked. But if we keep an fd open in the PAM
service process, then this is not going to work.
Hence close the fd explicitly so that it definitely doesn't stay pinned
in the child.
Otherwise, log_netdev_xyz() does not provide netdev name if it is called
in done(). It is hard to debug.
This should not change any effective behavior, at least with the current
implementation of done() per netdev kind.
This new transaction result is emitted when the upstream server
indicates a fatal error that we will not try to recover from.
Currently, it is emitted when a validating recursive resolver reports an
error validating dnssec records for a domain. The extended error message
should help give context to the admin.
Some fields of the DnsPacket are not populated until we extract an
answer, like p->opt, despite being referenced by macros like
DNS_PACKET_RCODE. We can reorder some of the basic checks to follow
dns_packet_extract.
The current check checks for n_sigbus_queue
being greater than or equal to SIGBUS_QUEUE_MAX,
when it should be just greater than as
n_sigbus_queue being SIGBUS_QUEUE_MAX indicates
that the queue is full, but not overflowed.
(Hopefully) a temporary workaround for #30573 where starting a user
session when PID 1 is rate limited stalls even after it leaves the rate
limited state:
[ 11.658201] H systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitRemoved cookie=4208 reply_cookie=0 signature=so error-name=n/a error-mes>
[ 11.658233] H systemd[1]: Event source 0x559babdd8bb0 (mount-monitor-dispatch) left rate limit state.
[ 101.562697] H busctl[784]: Failed to get credentials: Transport endpoint is not connected
[ 101.563480] H systemd[1]: systemd-journald.service: Got notification message from PID 300 (WATCHDOG=1)
[ 101.563725] H testsuite-74.sh[784]: BusAddress=unixexec:path=systemd-run,argv1=-M.host,argv2=-PGq,argv3=--wait,argv4=-pUser%3dtestuser,argv5=-pPAMName%3dlogin,argv6=systemd-stdio-bridge,argv7=-punix:path%3d%24%7bXDG_RUNTIME_DIR%7d/bus
[ 101.564136] H systemd[1]: Successfully forked off '(sd-expire)' as PID 787.
[ 101.564754] H systemd[1]: Successfully forked off '(sd-expire)' as PID 788.
[ 101.564831] H testsuite-74.sh[381]: + echo 'Subtest /usr/lib/systemd/tests/testdata/units/testsuite-74.busctl.sh failed'
The issue appeared after ee07fff03b which does a bunch of mounts/umounts
that get PID 1 into a rate limited state, and is frequent enough to be
annoying, so let's temporarily bump the rate limit to alleviate that.
When KeepCarrier is set, networkd doesn't close tun/tap file descriptor
preserving the active interface state, but doesn't disable its queue
which makes kernel to think that it's still active and send packets to
it.
This patch disables the created queue right after tun/tap interface
creation.
Here is the steps to reproduce the bug:
Having:
systemd/network/10-tun-test.netdev:
[NetDev]
Name=tun-test
Kind=tun
[Tun]
MultiQueue=yes
KeepCarrier=yes
systemd/network/10-tun-test.network:
[Match]
Name=tun-test
[Network]
DHCP=no
IPv6AcceptRA=false
LLMNR=false
MulticastDNS=false
Address=172.31.0.1/24
app.c:
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/if.h>
#include <sys/ioctl.h>
#include <linux/if_tun.h>
int main() {
int fd;
struct ifreq ifr;
memset(&ifr, 0, sizeof ifr);
strcpy(ifr.ifr_name, "tun-test");
ifr.ifr_flags = IFF_TUN | IFF_NO_PI | IFF_MULTI_QUEUE;
if((fd = open("/dev/net/tun", O_RDWR)) < 0) {
perror("Open error");
return 1;
}
if(ioctl(fd, TUNSETIFF, &ifr)) {
perror("Configure error");
return 1;
}
puts("Ready.");
char buf[1500];
while(1) {
int size = read(fd, buf, sizeof buf);
if(size < 0) {
perror("Read error");
return 1;
}
printf("Read %d bytes.\n", size);
}
return 0;
}
Run:
* gcc -o app app.c && ./app
* ping -I tun-test 172.31.0.2
Before the patch the app shows no pings, but after it works properly.
This adds a new concept for handling paths. At appropriate places, if a
path such as /foo/bar/baz.v/ is specified, we'll
automatically enumerate all entries in /foo/bar/baz.v/baz* and then
do a version sort and pick the newest file.
A slightly more complex syntax is available, too:
/foo/bar/baz.v/quux___waldo
if that's used, then we'll look for all files matching
/foo/bar/baz.v/quux*waldo, and split out the middle, and version sort
it, and pick the nwest.
The ___ wildcard indicates both a version string, and if needed an
architecture ID, in case per-arch entries shall be supported.
This is a very simple way to maintain versioned resources in a dir, and
make systemd's components automatically pick the newest. Example:
/srv/myimages.v/foobar_1.32.65_x86-64.raw
/srv/myimages.v/foobar_1.33.45_x86-64.raw
/srv/myimages.v/foobar_1.31.5_x86-64.raw
/srv/myimages.v/foobar_1.31.5_arm64.raw
If now nspawn is invoked like this:
systemd-nspawn --image=/srv/myimages.v/foobar___.raw
Then it will automatically pick
/srv/myimages.v/foobar_1.33.45_x86-64.raw as the version to boot on
x86-64, and /srv/myimages.v/foobar_1.31.5_arm64.raw on arm64.
This commit only adds the basic implementation for picking files from a
dir, but no hook-up anywhere.
If a TPM doesn't do ECC it could either return zero curves when asked
for it, or it could simply fail with TPM2_RC_VALUES because it doesn't
recognize the capability at all.
Handle both cases the same way.
Fixes: #30679
This commit introduces new D-Bus API, StartAuxiliaryScope(). It may be
used by services as part of the restart procedure. Service sends an
array of PID file descriptors corresponding to processes that are part
of the service and must continue running also after service restarts,
i.e. they haven't finished the job why they were spawned in the first
place (e.g. long running video transcoding job). Systemd creates new
scope unit for these processes and migrates them into it. Cgroup
properties of scope are copied from the service so it retains same
cgroup settings and limits as service had.
