Compare commits
20 Commits
c0c669470c
...
7965f1caf9
| Author | SHA1 | Date |
|---|---|---|
Yu Watanabe
|
7965f1caf9 | |
|
gerblesh
|
bbec1c87d3 | |
|
Yu Watanabe
|
f29a07f3fc | |
|
Luca Boccassi
|
0566bd9643 | |
|
Lennart Poettering
|
7b4b3a8f7b | |
|
Winterhuman
|
5bed97dd57 | |
|
Luca Boccassi
|
c4d7a13c06 | |
|
Abderrahim Kitouni
|
0ae6f4843e | |
|
Yu Watanabe
|
1ea1a79aa1 | |
|
Luca Boccassi
|
7a9d0abe4d | |
|
Yu Watanabe
|
6046cc3660 | |
|
Yu Watanabe
|
e2dead6f50 | |
|
Yu Watanabe
|
b35e16cc24 | |
|
Yu Watanabe
|
c3da628d39 | |
|
Yu Watanabe
|
f6ab7f884d | |
|
Yu Watanabe
|
4c3e67eece | |
|
Yu Watanabe
|
4d12620598 | |
|
Yu Watanabe
|
8f5460f02d | |
|
Ivan Kruglov
|
3aa3f130c1 | |
|
Ivan Kruglov
|
df18408ac6 |
|
|
@ -684,6 +684,15 @@ fi</programlisting>
|
|||
<citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
All example codes in this page are licensed under <literal>MIT No Attribution</literal>
|
||||
(SPDX-License-Identifier: MIT-0).
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See Also</title>
|
||||
<para><simplelist type="inline">
|
||||
|
|
|
|||
|
|
@ -128,7 +128,8 @@
|
|||
|
||||
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
|
||||
a read-only subvolume/directory in the image directory that is named after the specified URL and its
|
||||
HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
|
||||
HTTP etag (see <ulink url="https://en.wikipedia.org/wiki/HTTP_ETag">HTTP ETag</ulink> for more
|
||||
information). A writable snapshot is then taken from this subvolume, and named after the specified local
|
||||
name. This behavior ensures that creating multiple instances of the same URL is efficient, as
|
||||
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
|
||||
its writable snapshot, specify <literal>-</literal> as local name.</para>
|
||||
|
|
|
|||
|
|
@ -28,7 +28,9 @@
|
|||
<title>Description</title>
|
||||
|
||||
<para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
|
||||
and sets the last password in the list as the PAM authtok.</para>
|
||||
and sets the last password in the list as the PAM authtok, which can be used by e.g.
|
||||
<citerefentry project='man-pages'><refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||
</para>
|
||||
|
||||
<para>The password list is supposed to be stored in the "user" keyring of the root user,
|
||||
by an earlier call to
|
||||
|
|
|
|||
|
|
@ -61,7 +61,10 @@
|
|||
<literal>systemd-run0</literal> PAM stack.</para>
|
||||
|
||||
<para>Note that <command>run0</command> is implemented as an alternative multi-call invocation of
|
||||
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
||||
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>. That is,
|
||||
<command>run0</command> is a symbolic link to <command>systemd-run</command> executable file, and it
|
||||
behaves as <command>run0</command> if it is invoked through the symbolic link, otherwise behaves as
|
||||
<command>systemd-run</command>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
|
|
|||
|
|
@ -41,8 +41,10 @@
|
|||
<refsect1>
|
||||
<title>Kernel Command Line</title>
|
||||
|
||||
<para><filename>systemd-rfkill</filename> understands the
|
||||
following kernel command line parameter:</para>
|
||||
<para>
|
||||
<command>systemd-rfkill</command> understands the following kernel command line parameter. See also
|
||||
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
|
||||
</para>
|
||||
|
||||
<variablelist class='kernel-commandline-options'>
|
||||
<varlistentry>
|
||||
|
|
|
|||
|
|
@ -302,7 +302,7 @@
|
|||
and running in an initrd equivalent to true, otherwise false. This implements a restricted subset of
|
||||
the per-unit setting of the same name, see
|
||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
||||
details: currently, the <literal>full</literal> or <literal>struct</literal> values are not
|
||||
details: currently, the <literal>full</literal> or <literal>strict</literal> values are not
|
||||
supported.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||
|
|
|
|||
|
|
@ -394,9 +394,9 @@
|
|||
<listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke
|
||||
whole groups of UKIs or addons with a single, static policy update that does not take space in
|
||||
DBX/MOKX. If not specified manually, a default metadata entry consisting of
|
||||
<literal>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</literal>
|
||||
<programlisting>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</programlisting>
|
||||
for UKIs and
|
||||
<literal>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</literal>
|
||||
<programlisting>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</programlisting>
|
||||
for addons will be used, to ensure it is always possible to revoke them. For more information on
|
||||
SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
|
||||
</para>
|
||||
|
|
|
|||
|
|
@ -289,7 +289,8 @@ int write_string_file_full(
|
|||
const char *fn,
|
||||
const char *line,
|
||||
WriteStringFileFlags flags,
|
||||
const struct timespec *ts) {
|
||||
const struct timespec *ts,
|
||||
const char *label_fn) {
|
||||
|
||||
bool call_label_ops_post = false, made_file = false;
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
|
|
@ -321,7 +322,8 @@ int write_string_file_full(
|
|||
mode_t mode = write_string_file_flags_to_mode(flags);
|
||||
|
||||
if (FLAGS_SET(flags, WRITE_STRING_FILE_LABEL|WRITE_STRING_FILE_CREATE)) {
|
||||
r = label_ops_pre(dir_fd, fn, mode);
|
||||
const char *lookup = label_fn ? label_fn : fn;
|
||||
r = label_ops_pre(dir_fd, lookup, mode);
|
||||
if (r < 0)
|
||||
goto fail;
|
||||
|
||||
|
|
|
|||
|
|
@ -51,12 +51,13 @@ int write_string_stream_full(FILE *f, const char *line, WriteStringFileFlags fla
|
|||
static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) {
|
||||
return write_string_stream_full(f, line, flags, /* ts= */ NULL);
|
||||
}
|
||||
int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts);
|
||||
|
||||
int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts, const char *label_fn);
|
||||
static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
|
||||
return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL);
|
||||
return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
|
||||
}
|
||||
static inline int write_string_file_at(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags) {
|
||||
return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL);
|
||||
return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
|
||||
}
|
||||
int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4);
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@
|
|||
#include "fileio.h"
|
||||
#include "format-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "iovec-util.h"
|
||||
#include "macro.h"
|
||||
#include "memory-util.h"
|
||||
#include "parse-util.h"
|
||||
|
|
@ -31,8 +32,7 @@ int decrypt_pkcs11_key(
|
|||
const char *key_file, /* We either expect key_file and associated parameters to be set (for file keys) … */
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data, /* … or key_data and key_data_size (for literal keys) */
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data, /* … or literal keys via key_data */
|
||||
usec_t until,
|
||||
AskPasswordFlags askpw_flags,
|
||||
void **ret_decrypted_key,
|
||||
|
|
@ -47,15 +47,15 @@ int decrypt_pkcs11_key(
|
|||
|
||||
assert(friendly_name);
|
||||
assert(pkcs11_uri);
|
||||
assert(key_file || key_data);
|
||||
assert(key_file || iovec_is_set(key_data));
|
||||
assert(ret_decrypted_key);
|
||||
assert(ret_decrypted_key_size);
|
||||
|
||||
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
|
||||
|
||||
if (key_data) {
|
||||
data.encrypted_key = (void*) key_data;
|
||||
data.encrypted_key_size = key_data_size;
|
||||
if (iovec_is_set(key_data)) {
|
||||
data.encrypted_key = (void*) key_data->iov_base;
|
||||
data.encrypted_key_size = key_data->iov_len;
|
||||
|
||||
data.free_encrypted_key = false;
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -16,8 +16,7 @@ int decrypt_pkcs11_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
AskPasswordFlags askpw_flags,
|
||||
void **ret_decrypted_key,
|
||||
|
|
@ -39,8 +38,7 @@ static inline int decrypt_pkcs11_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
AskPasswordFlags askpw_flags,
|
||||
void **ret_decrypted_key,
|
||||
|
|
|
|||
|
|
@ -1471,8 +1471,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
|||
struct crypt_device *cd,
|
||||
const char *name,
|
||||
const char *key_file,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
uint32_t flags,
|
||||
bool pass_volume_key) {
|
||||
|
|
@ -1489,7 +1488,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
|||
assert(name);
|
||||
assert(arg_fido2_device || arg_fido2_device_auto);
|
||||
|
||||
if (arg_fido2_cid && !key_file && !key_data)
|
||||
if (arg_fido2_cid && !key_file && !iovec_is_set(key_data))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"FIDO2 mode with manual parameters selected, but no keyfile specified, refusing.");
|
||||
|
||||
|
|
@ -1513,7 +1512,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
|||
arg_fido2_rp_id,
|
||||
arg_fido2_cid, arg_fido2_cid_size,
|
||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||
key_data, key_data_size,
|
||||
key_data,
|
||||
until,
|
||||
arg_fido2_manual_flags,
|
||||
"cryptsetup.fido2-pin",
|
||||
|
|
@ -1623,8 +1622,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
struct crypt_device *cd,
|
||||
const char *name,
|
||||
const char *key_file,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
uint32_t flags,
|
||||
bool pass_volume_key) {
|
||||
|
|
@ -1635,6 +1633,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
||||
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
|
||||
_cleanup_free_ void *discovered_key = NULL;
|
||||
struct iovec discovered_key_data = {};
|
||||
int keyslot = arg_key_slot, r;
|
||||
const char *uri = NULL;
|
||||
bool use_libcryptsetup_plugin = use_token_plugins();
|
||||
|
|
@ -1653,13 +1652,13 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
return r;
|
||||
|
||||
uri = discovered_uri;
|
||||
key_data = discovered_key;
|
||||
key_data_size = discovered_key_size;
|
||||
discovered_key_data = IOVEC_MAKE(discovered_key, discovered_key_size);
|
||||
key_data = &discovered_key_data;
|
||||
}
|
||||
} else {
|
||||
uri = arg_pkcs11_uri;
|
||||
|
||||
if (!key_file && !key_data)
|
||||
if (!key_file && !iovec_is_set(key_data))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "PKCS#11 mode selected but no key file specified, refusing.");
|
||||
}
|
||||
|
||||
|
|
@ -1682,7 +1681,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
friendly,
|
||||
uri,
|
||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||
key_data, key_data_size,
|
||||
key_data,
|
||||
until,
|
||||
arg_ask_password_flags,
|
||||
&decrypted_key, &decrypted_key_size);
|
||||
|
|
@ -2231,9 +2230,9 @@ static int attach_luks_or_plain_or_bitlk(
|
|||
if (token_type == TOKEN_TPM2)
|
||||
return attach_luks_or_plain_or_bitlk_by_tpm2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||
if (token_type == TOKEN_FIDO2)
|
||||
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
||||
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||
if (token_type == TOKEN_PKCS11)
|
||||
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
||||
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||
if (key_data)
|
||||
return attach_luks_or_plain_or_bitlk_by_key_data(cd, name, key_data, flags, pass_volume_key);
|
||||
if (key_file)
|
||||
|
|
|
|||
|
|
@ -1698,7 +1698,8 @@ _public_ int sd_varlink_get_events(sd_varlink *v) {
|
|||
ret |= EPOLLIN;
|
||||
|
||||
if (!v->write_disconnected &&
|
||||
v->output_buffer_size > 0)
|
||||
(v->output_queue ||
|
||||
v->output_buffer_size > 0))
|
||||
ret |= EPOLLOUT;
|
||||
|
||||
return ret;
|
||||
|
|
|
|||
|
|
@ -1129,6 +1129,23 @@ void log_address_debug(const Address *address, const char *str, const Link *link
|
|||
address->family == AF_INET ? strna(address->label) : "");
|
||||
}
|
||||
|
||||
static void address_forget(Link *link, Address *address, bool removed_by_us, const char *msg) {
|
||||
assert(link);
|
||||
assert(address);
|
||||
assert(msg);
|
||||
|
||||
Request *req;
|
||||
if (address_get_request(link, address, &req) >= 0)
|
||||
address_enter_removed(req->userdata);
|
||||
|
||||
if (!address->link && address_get(link, address, &address) < 0)
|
||||
return;
|
||||
|
||||
address_enter_removed(address);
|
||||
log_address_debug(address, msg, link);
|
||||
(void) address_drop(address, removed_by_us);
|
||||
}
|
||||
|
||||
static int address_set_netlink_message(const Address *address, sd_netlink_message *m, Link *link) {
|
||||
uint32_t flags;
|
||||
int r;
|
||||
|
|
@ -1181,16 +1198,8 @@ static int address_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, Remov
|
|||
(r == -EADDRNOTAVAIL || !address->link) ? LOG_DEBUG : LOG_WARNING,
|
||||
r, "Could not drop address");
|
||||
|
||||
if (address->link) {
|
||||
/* If the address cannot be removed, then assume the address is already removed. */
|
||||
log_address_debug(address, "Forgetting", link);
|
||||
|
||||
Request *req;
|
||||
if (address_get_request(link, address, &req) >= 0)
|
||||
address_enter_removed(req->userdata);
|
||||
|
||||
(void) address_drop(address, /* removed_by_us = */ true);
|
||||
}
|
||||
/* If the address cannot be removed, then assume the address is already removed. */
|
||||
address_forget(link, address, /* removed_by_us = */ true, "Forgetting");
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
@ -1775,14 +1784,7 @@ int link_request_static_addresses(Link *link) {
|
|||
}
|
||||
|
||||
int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
|
||||
_cleanup_(address_unrefp) Address *tmp = NULL;
|
||||
struct ifa_cacheinfo cinfo;
|
||||
Link *link;
|
||||
uint16_t type;
|
||||
Address *address = NULL;
|
||||
Request *req = NULL;
|
||||
bool is_new = false, update_dhcp4;
|
||||
int ifindex, r;
|
||||
int r;
|
||||
|
||||
assert(rtnl);
|
||||
assert(message);
|
||||
|
|
@ -1796,6 +1798,7 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
uint16_t type;
|
||||
r = sd_netlink_message_get_type(message, &type);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
|
||||
|
|
@ -1805,6 +1808,7 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
int ifindex;
|
||||
r = sd_rtnl_message_addr_get_ifindex(message, &ifindex);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "rtnl: could not get ifindex from message, ignoring: %m");
|
||||
|
|
@ -1814,6 +1818,7 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
Link *link;
|
||||
r = link_get_by_index(m, ifindex, &link);
|
||||
if (r < 0) {
|
||||
/* when enumerating we might be out of sync, but we will get the address again, so just
|
||||
|
|
@ -1823,6 +1828,7 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
_cleanup_(address_unrefp) Address *tmp = NULL;
|
||||
r = address_new(&tmp);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
|
|
@ -1890,28 +1896,22 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
assert_not_reached();
|
||||
}
|
||||
|
||||
update_dhcp4 = tmp->family == AF_INET6;
|
||||
|
||||
/* Then, find the managed Address and Request objects corresponding to the received address. */
|
||||
/* Then, find the managed Address object corresponding to the received address. */
|
||||
Address *address = NULL;
|
||||
(void) address_get(link, tmp, &address);
|
||||
(void) address_get_request(link, tmp, &req);
|
||||
|
||||
if (type == RTM_DELADDR) {
|
||||
if (address) {
|
||||
bool removed_by_us = FLAGS_SET(address->state, NETWORK_CONFIG_STATE_REMOVING);
|
||||
|
||||
address_enter_removed(address);
|
||||
log_address_debug(address, "Forgetting removed", link);
|
||||
(void) address_drop(address, removed_by_us);
|
||||
} else
|
||||
if (address)
|
||||
address_forget(link, address,
|
||||
/* removed_by_us = */ FLAGS_SET(address->state, NETWORK_CONFIG_STATE_REMOVING),
|
||||
"Forgetting removed");
|
||||
else
|
||||
log_address_debug(tmp, "Kernel removed unknown", link);
|
||||
|
||||
if (req)
|
||||
address_enter_removed(req->userdata);
|
||||
|
||||
goto finalize;
|
||||
}
|
||||
|
||||
bool is_new = false;
|
||||
if (!address) {
|
||||
/* If we did not know the address, then save it. */
|
||||
r = address_attach(link, tmp);
|
||||
|
|
@ -1931,6 +1931,8 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
}
|
||||
|
||||
/* Also update information that cannot be obtained through netlink notification. */
|
||||
Request *req = NULL;
|
||||
(void) address_get_request(link, tmp, &req);
|
||||
if (req && req->waiting_reply) {
|
||||
Address *a = ASSERT_PTR(req->userdata);
|
||||
|
||||
|
|
@ -1978,6 +1980,7 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
} else if (r < 0)
|
||||
log_link_debug_errno(link, r, "rtnl: failed to read IFA_FLAGS attribute, ignoring: %m");
|
||||
|
||||
struct ifa_cacheinfo cinfo;
|
||||
r = sd_netlink_message_read_cache_info(message, IFA_CACHEINFO, &cinfo);
|
||||
if (r >= 0)
|
||||
address_set_lifetime(m, address, &cinfo);
|
||||
|
|
@ -2000,7 +2003,7 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
link_enter_failed(link);
|
||||
|
||||
finalize:
|
||||
if (update_dhcp4) {
|
||||
if (tmp->family == AF_INET6) {
|
||||
r = dhcp4_update_ipv6_connectivity(link);
|
||||
if (r < 0) {
|
||||
log_link_warning_errno(link, r, "Failed to notify IPv6 connectivity to DHCPv4 client: %m");
|
||||
|
|
|
|||
|
|
@ -705,10 +705,6 @@ Manager* manager_free(Manager *m) {
|
|||
sd_netlink_unref(m->genl);
|
||||
sd_resolve_unref(m->resolve);
|
||||
|
||||
/* reject (e.g. unreachable) type routes are managed by Manager, but may be referenced by a
|
||||
* link. E.g., DHCP6 with prefix delegation creates unreachable routes, and they are referenced
|
||||
* by the upstream link. And the links may be referenced by netlink slots. Hence, two
|
||||
* set_free() must be called after the above sd_netlink_unref(). */
|
||||
m->routes = set_free(m->routes);
|
||||
|
||||
m->nexthops_by_id = hashmap_free(m->nexthops_by_id);
|
||||
|
|
|
|||
|
|
@ -215,7 +215,7 @@ static int ndisc_remove_unused_nexthops(Link *link) {
|
|||
|
||||
#define NDISC_NEXTHOP_APP_ID SD_ID128_MAKE(76,d2,0f,1f,76,1e,44,d1,97,3a,52,5c,05,68,b5,0d)
|
||||
|
||||
static uint32_t ndisc_generate_nexthop_id(NextHop *nexthop, Link *link, sd_id128_t app_id, uint64_t trial) {
|
||||
static uint32_t ndisc_generate_nexthop_id(const NextHop *nexthop, Link *link, sd_id128_t app_id, uint64_t trial) {
|
||||
assert(nexthop);
|
||||
assert(link);
|
||||
|
||||
|
|
@ -232,7 +232,7 @@ static uint32_t ndisc_generate_nexthop_id(NextHop *nexthop, Link *link, sd_id128
|
|||
return (uint32_t) ((result & 0xffffffff) ^ (result >> 32));
|
||||
}
|
||||
|
||||
static bool ndisc_nexthop_equal(NextHop *a, NextHop *b) {
|
||||
static bool ndisc_nexthop_equal(const NextHop *a, const NextHop *b) {
|
||||
assert(a);
|
||||
assert(b);
|
||||
|
||||
|
|
@ -250,9 +250,11 @@ static bool ndisc_nexthop_equal(NextHop *a, NextHop *b) {
|
|||
return true;
|
||||
}
|
||||
|
||||
static bool ndisc_take_nexthop_id(NextHop *nexthop, NextHop *existing, Manager *manager) {
|
||||
static bool ndisc_take_nexthop_id(NextHop *nexthop, const NextHop *existing, Manager *manager) {
|
||||
assert(nexthop);
|
||||
assert(nexthop->id == 0);
|
||||
assert(existing);
|
||||
assert(existing->id > 0);
|
||||
assert(manager);
|
||||
|
||||
if (!ndisc_nexthop_equal(nexthop, existing))
|
||||
|
|
@ -300,7 +302,7 @@ static int ndisc_nexthop_find_id(NextHop *nexthop, Link *link) {
|
|||
return false;
|
||||
}
|
||||
|
||||
static int ndisc_nexthop_new(Route *route, Link *link, NextHop **ret) {
|
||||
static int ndisc_nexthop_new(const Route *route, Link *link, NextHop **ret) {
|
||||
_cleanup_(nexthop_unrefp) NextHop *nexthop = NULL;
|
||||
int r;
|
||||
|
||||
|
|
|
|||
|
|
@ -247,6 +247,23 @@ static void log_neighbor_debug(const Neighbor *neighbor, const char *str, const
|
|||
IN_ADDR_TO_STRING(neighbor->dst_addr.family, &neighbor->dst_addr.address));
|
||||
}
|
||||
|
||||
static void neighbor_forget(Link *link, Neighbor *neighbor, const char *msg) {
|
||||
assert(link);
|
||||
assert(neighbor);
|
||||
assert(msg);
|
||||
|
||||
Request *req;
|
||||
if (neighbor_get_request(link, neighbor, &req) >= 0)
|
||||
neighbor_enter_removed(req->userdata);
|
||||
|
||||
if (!neighbor->link && neighbor_get(link, neighbor, &neighbor) < 0)
|
||||
return;
|
||||
|
||||
neighbor_enter_removed(neighbor);
|
||||
log_neighbor_debug(neighbor, "Forgetting", link);
|
||||
neighbor_detach(neighbor);
|
||||
}
|
||||
|
||||
static int neighbor_configure(Neighbor *neighbor, Link *link, Request *req) {
|
||||
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
|
||||
int r;
|
||||
|
|
@ -421,16 +438,8 @@ static int neighbor_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, Remo
|
|||
(r == -ESRCH || !neighbor->link) ? LOG_DEBUG : LOG_WARNING,
|
||||
r, "Could not remove neighbor");
|
||||
|
||||
if (neighbor->link) {
|
||||
/* If the neighbor cannot be removed, then assume the neighbor is already removed. */
|
||||
log_neighbor_debug(neighbor, "Forgetting", link);
|
||||
|
||||
Request *req;
|
||||
if (neighbor_get_request(link, neighbor, &req) >= 0)
|
||||
neighbor_enter_removed(req->userdata);
|
||||
|
||||
neighbor_detach(neighbor);
|
||||
}
|
||||
/* If the neighbor cannot be removed, then assume the neighbor is already removed. */
|
||||
neighbor_forget(link, neighbor, "Forgetting");
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
@ -529,13 +538,7 @@ int link_drop_static_neighbors(Link *link) {
|
|||
}
|
||||
|
||||
int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
|
||||
_cleanup_(neighbor_unrefp) Neighbor *tmp = NULL;
|
||||
Neighbor *neighbor = NULL;
|
||||
Request *req = NULL;
|
||||
uint16_t type, state;
|
||||
bool is_new = false;
|
||||
int ifindex, r;
|
||||
Link *link;
|
||||
int r;
|
||||
|
||||
assert(rtnl);
|
||||
assert(message);
|
||||
|
|
@ -549,6 +552,7 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
uint16_t type;
|
||||
r = sd_netlink_message_get_type(message, &type);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
|
||||
|
|
@ -558,6 +562,7 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
uint16_t state;
|
||||
r = sd_rtnl_message_neigh_get_state(message, &state);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "rtnl: received neighbor message with invalid state, ignoring: %m");
|
||||
|
|
@ -566,6 +571,7 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
/* Currently, we are interested in only static neighbors. */
|
||||
return 0;
|
||||
|
||||
int ifindex;
|
||||
r = sd_rtnl_message_neigh_get_ifindex(message, &ifindex);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "rtnl: could not get ifindex from message, ignoring: %m");
|
||||
|
|
@ -575,12 +581,14 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
Link *link;
|
||||
r = link_get_by_index(m, ifindex, &link);
|
||||
if (r < 0)
|
||||
/* when enumerating we might be out of sync, but we will get the neighbor again. Also,
|
||||
* kernel sends messages about neighbors after a link is removed. So, just ignore it. */
|
||||
return 0;
|
||||
|
||||
_cleanup_(neighbor_unrefp) Neighbor *tmp = NULL;
|
||||
r = neighbor_new(&tmp);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
|
|
@ -604,25 +612,20 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* Then, find the managed Neighbor and Request objects corresponding to the netlink notification. */
|
||||
/* Then, find the managed Neighbor object corresponding to the netlink notification. */
|
||||
Neighbor *neighbor = NULL;
|
||||
(void) neighbor_get(link, tmp, &neighbor);
|
||||
(void) neighbor_get_request(link, tmp, &req);
|
||||
|
||||
if (type == RTM_DELNEIGH) {
|
||||
if (neighbor) {
|
||||
neighbor_enter_removed(neighbor);
|
||||
log_neighbor_debug(neighbor, "Forgetting removed", link);
|
||||
neighbor_detach(neighbor);
|
||||
} else
|
||||
if (neighbor)
|
||||
neighbor_forget(link, neighbor, "Forgetting removed");
|
||||
else
|
||||
log_neighbor_debug(tmp, "Kernel removed unknown", link);
|
||||
|
||||
if (req)
|
||||
neighbor_enter_removed(req->userdata);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* If we did not know the neighbor, then save it. */
|
||||
bool is_new = false;
|
||||
if (!neighbor) {
|
||||
r = neighbor_attach(link, tmp);
|
||||
if (r < 0) {
|
||||
|
|
@ -634,6 +637,8 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
}
|
||||
|
||||
/* Also update information that cannot be obtained through netlink notification. */
|
||||
Request *req = NULL;
|
||||
(void) neighbor_get_request(link, tmp, &req);
|
||||
if (req && req->waiting_reply) {
|
||||
Neighbor *n = ASSERT_PTR(req->userdata);
|
||||
|
||||
|
|
|
|||
|
|
@ -261,6 +261,8 @@ static int nexthop_dup(const NextHop *src, NextHop **ret) {
|
|||
dest->network = NULL;
|
||||
dest->section = NULL;
|
||||
dest->group = NULL;
|
||||
dest->nexthops = NULL;
|
||||
dest->routes = NULL;
|
||||
|
||||
HASHMAP_FOREACH(nhg, src->group) {
|
||||
_cleanup_free_ struct nexthop_grp *g = NULL;
|
||||
|
|
@ -491,8 +493,11 @@ static void nexthop_forget_dependents(NextHop *nexthop, Manager *manager) {
|
|||
/* If a nexthop is removed, the kernel silently removes routes that depend on the removed nexthop.
|
||||
* Let's forget them. */
|
||||
|
||||
Route *route;
|
||||
SET_FOREACH(route, nexthop->routes) {
|
||||
for (;;) {
|
||||
_cleanup_(route_unrefp) Route *route = set_steal_first(nexthop->routes);
|
||||
if (!route)
|
||||
break;
|
||||
|
||||
Request *req;
|
||||
if (route_get_request(manager, route, &req) >= 0)
|
||||
route_enter_removed(req->userdata);
|
||||
|
|
@ -501,6 +506,26 @@ static void nexthop_forget_dependents(NextHop *nexthop, Manager *manager) {
|
|||
log_route_debug(route, "Forgetting silently removed", manager);
|
||||
route_detach(route);
|
||||
}
|
||||
|
||||
nexthop->routes = set_free(nexthop->routes);
|
||||
}
|
||||
|
||||
static void nexthop_forget(Manager *manager, NextHop *nexthop, const char *msg) {
|
||||
assert(manager);
|
||||
assert(nexthop);
|
||||
assert(msg);
|
||||
|
||||
Request *req;
|
||||
if (nexthop_get_request_by_id(manager, nexthop->id, &req) >= 0)
|
||||
nexthop_enter_removed(req->userdata);
|
||||
|
||||
if (!nexthop->manager && nexthop_get_by_id(manager, nexthop->id, &nexthop) < 0)
|
||||
return;
|
||||
|
||||
nexthop_enter_removed(nexthop);
|
||||
log_nexthop_debug(nexthop, msg, manager);
|
||||
nexthop_forget_dependents(nexthop, nexthop->manager);
|
||||
nexthop_detach(nexthop);
|
||||
}
|
||||
|
||||
static int nexthop_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, RemoveRequest *rreq) {
|
||||
|
|
@ -518,18 +543,8 @@ static int nexthop_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, Remov
|
|||
(r == -ENOENT || !nexthop->manager) ? LOG_DEBUG : LOG_WARNING,
|
||||
r, "Could not drop nexthop, ignoring");
|
||||
|
||||
nexthop_forget_dependents(nexthop, manager);
|
||||
|
||||
if (nexthop->manager) {
|
||||
/* If the nexthop cannot be removed, then assume the nexthop is already removed. */
|
||||
log_nexthop_debug(nexthop, "Forgetting", manager);
|
||||
|
||||
Request *req;
|
||||
if (nexthop_get_request_by_id(manager, nexthop->id, &req) >= 0)
|
||||
nexthop_enter_removed(req->userdata);
|
||||
|
||||
nexthop_detach(nexthop);
|
||||
}
|
||||
/* If the nexthop cannot be removed, then assume the nexthop is already removed. */
|
||||
nexthop_forget(manager, nexthop, "Forgetting");
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
@ -962,20 +977,6 @@ int link_drop_nexthops(Link *link, bool only_static) {
|
|||
return r;
|
||||
}
|
||||
|
||||
static void nexthop_forget_one(NextHop *nexthop) {
|
||||
assert(nexthop);
|
||||
assert(nexthop->manager);
|
||||
|
||||
Request *req;
|
||||
if (nexthop_get_request_by_id(nexthop->manager, nexthop->id, &req) >= 0)
|
||||
nexthop_enter_removed(req->userdata);
|
||||
|
||||
nexthop_enter_removed(nexthop);
|
||||
log_nexthop_debug(nexthop, "Forgetting silently removed", nexthop->manager);
|
||||
nexthop_forget_dependents(nexthop, nexthop->manager);
|
||||
nexthop_detach(nexthop);
|
||||
}
|
||||
|
||||
void link_forget_nexthops(Link *link) {
|
||||
assert(link);
|
||||
assert(link->manager);
|
||||
|
|
@ -992,7 +993,7 @@ void link_forget_nexthops(Link *link) {
|
|||
if (nexthop->family != AF_INET)
|
||||
continue;
|
||||
|
||||
nexthop_forget_one(nexthop);
|
||||
nexthop_forget(link->manager, nexthop, "Forgetting silently removed");
|
||||
}
|
||||
|
||||
/* Remove all group nexthops their all members are removed in the above. */
|
||||
|
|
@ -1013,7 +1014,7 @@ void link_forget_nexthops(Link *link) {
|
|||
if (!hashmap_isempty(nexthop->group))
|
||||
continue; /* At least one group member still exists. */
|
||||
|
||||
nexthop_forget_one(nexthop);
|
||||
nexthop_forget(link->manager, nexthop, "Forgetting silently removed");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1077,11 +1078,6 @@ static int nexthop_update_group(NextHop *nexthop, sd_netlink_message *message) {
|
|||
}
|
||||
|
||||
int manager_rtnl_process_nexthop(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
|
||||
uint16_t type;
|
||||
uint32_t id, ifindex;
|
||||
NextHop *nexthop = NULL;
|
||||
Request *req = NULL;
|
||||
bool is_new = false;
|
||||
int r;
|
||||
|
||||
assert(rtnl);
|
||||
|
|
@ -1096,6 +1092,7 @@ int manager_rtnl_process_nexthop(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
uint16_t type;
|
||||
r = sd_netlink_message_get_type(message, &type);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
|
||||
|
|
@ -1105,6 +1102,7 @@ int manager_rtnl_process_nexthop(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
uint32_t id;
|
||||
r = sd_netlink_message_read_u32(message, NHA_ID, &id);
|
||||
if (r == -ENODATA) {
|
||||
log_warning_errno(r, "rtnl: received nexthop message without NHA_ID attribute, ignoring: %m");
|
||||
|
|
@ -1117,25 +1115,20 @@ int manager_rtnl_process_nexthop(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
return 0;
|
||||
}
|
||||
|
||||
NextHop *nexthop = NULL;
|
||||
(void) nexthop_get_by_id(m, id, &nexthop);
|
||||
(void) nexthop_get_request_by_id(m, id, &req);
|
||||
|
||||
if (type == RTM_DELNEXTHOP) {
|
||||
if (nexthop) {
|
||||
nexthop_enter_removed(nexthop);
|
||||
log_nexthop_debug(nexthop, "Forgetting removed", m);
|
||||
nexthop_forget_dependents(nexthop, m);
|
||||
nexthop_detach(nexthop);
|
||||
} else
|
||||
if (nexthop)
|
||||
nexthop_forget(m, nexthop, "Forgetting removed");
|
||||
else
|
||||
log_nexthop_debug(&(const NextHop) { .id = id }, "Kernel removed unknown", m);
|
||||
|
||||
if (req)
|
||||
nexthop_enter_removed(req->userdata);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* If we did not know the nexthop, then save it. */
|
||||
bool is_new = false;
|
||||
if (!nexthop) {
|
||||
r = nexthop_add_new(m, id, &nexthop);
|
||||
if (r < 0) {
|
||||
|
|
@ -1147,6 +1140,8 @@ int manager_rtnl_process_nexthop(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
}
|
||||
|
||||
/* Also update information that cannot be obtained through netlink notification. */
|
||||
Request *req = NULL;
|
||||
(void) nexthop_get_request_by_id(m, id, &req);
|
||||
if (req && req->waiting_reply) {
|
||||
NextHop *n = ASSERT_PTR(req->userdata);
|
||||
|
||||
|
|
@ -1182,6 +1177,7 @@ int manager_rtnl_process_nexthop(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
else
|
||||
nexthop->blackhole = r;
|
||||
|
||||
uint32_t ifindex;
|
||||
r = sd_netlink_message_read_u32(message, NHA_OIF, &ifindex);
|
||||
if (r == -ENODATA)
|
||||
nexthop->ifindex = 0;
|
||||
|
|
@ -1192,10 +1188,12 @@ int manager_rtnl_process_nexthop(sd_netlink *rtnl, sd_netlink_message *message,
|
|||
else
|
||||
nexthop->ifindex = (int) ifindex;
|
||||
|
||||
/* All blackhole or group nexthops are managed by Manager. Note that the linux kernel does not
|
||||
* set NHA_OID attribute when NHA_BLACKHOLE or NHA_GROUP is set. Just for safety. */
|
||||
if (!nexthop_bound_to_link(nexthop))
|
||||
/* The linux kernel does not set NHA_OID attribute when NHA_BLACKHOLE or NHA_GROUP is set.
|
||||
* But let's check that for safety. */
|
||||
if (!nexthop_bound_to_link(nexthop) && nexthop->ifindex != 0) {
|
||||
log_debug("rtnl: received blackhole or group nexthop with NHA_OIF attribute, ignoring the attribute.");
|
||||
nexthop->ifindex = 0;
|
||||
}
|
||||
|
||||
nexthop_enter_configured(nexthop);
|
||||
if (req)
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ typedef int (*nexthop_netlink_handler_t)(
|
|||
sd_netlink_message *m,
|
||||
Request *req,
|
||||
Link *link,
|
||||
NextHop *address);
|
||||
NextHop *nexthop);
|
||||
|
||||
struct NextHop {
|
||||
Network *network;
|
||||
|
|
|
|||
|
|
@ -460,6 +460,23 @@ void log_route_debug(const Route *route, const char *str, Manager *manager) {
|
|||
strna(proto), strna(scope), strna(route_type_to_string(route->type)), strna(flags));
|
||||
}
|
||||
|
||||
static void route_forget(Manager *manager, Route *route, const char *msg) {
|
||||
assert(manager);
|
||||
assert(route);
|
||||
assert(msg);
|
||||
|
||||
Request *req;
|
||||
if (route_get_request(manager, route, &req) >= 0)
|
||||
route_enter_removed(req->userdata);
|
||||
|
||||
if (!route->manager && route_get(manager, route, &route) < 0)
|
||||
return;
|
||||
|
||||
route_enter_removed(route);
|
||||
log_route_debug(route, msg, manager);
|
||||
route_detach(route);
|
||||
}
|
||||
|
||||
static int route_set_netlink_message(const Route *route, sd_netlink_message *m) {
|
||||
int r;
|
||||
|
||||
|
|
@ -564,16 +581,8 @@ static int route_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, RemoveR
|
|||
LOG_DEBUG : LOG_WARNING,
|
||||
r, "Could not drop route, ignoring");
|
||||
|
||||
if (route->manager) {
|
||||
/* If the route cannot be removed, then assume the route is already removed. */
|
||||
log_route_debug(route, "Forgetting", manager);
|
||||
|
||||
Request *req;
|
||||
if (route_get_request(manager, route, &req) >= 0)
|
||||
route_enter_removed(req->userdata);
|
||||
|
||||
route_detach(route);
|
||||
}
|
||||
/* If the route cannot be removed, then assume the route is already removed. */
|
||||
route_forget(manager, route, "Forgetting");
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
@ -1088,7 +1097,6 @@ static int process_route_one(
|
|||
Route *tmp,
|
||||
const struct rta_cacheinfo *cacheinfo) {
|
||||
|
||||
Request *req = NULL;
|
||||
Route *route = NULL;
|
||||
Link *link = NULL;
|
||||
bool is_new = false, update_dhcp4;
|
||||
|
|
@ -1099,13 +1107,15 @@ static int process_route_one(
|
|||
assert(IN_SET(type, RTM_NEWROUTE, RTM_DELROUTE));
|
||||
|
||||
(void) route_get(manager, tmp, &route);
|
||||
(void) route_get_request(manager, tmp, &req);
|
||||
(void) route_get_link(manager, tmp, &link);
|
||||
|
||||
update_dhcp4 = link && tmp->family == AF_INET6 && tmp->dst_prefixlen == 0;
|
||||
|
||||
switch (type) {
|
||||
case RTM_NEWROUTE:
|
||||
case RTM_NEWROUTE: {
|
||||
Request *req = NULL;
|
||||
(void) route_get_request(manager, tmp, &req);
|
||||
|
||||
if (!route) {
|
||||
if (!manager->manage_foreign_routes && !(req && req->waiting_reply)) {
|
||||
route_enter_configured(tmp);
|
||||
|
|
@ -1159,20 +1169,14 @@ static int process_route_one(
|
|||
(void) route_setup_timer(route, cacheinfo);
|
||||
|
||||
break;
|
||||
|
||||
}
|
||||
case RTM_DELROUTE:
|
||||
if (route) {
|
||||
route_enter_removed(route);
|
||||
log_route_debug(route, "Forgetting removed", manager);
|
||||
route_detach(route);
|
||||
} else
|
||||
if (route)
|
||||
route_forget(manager, route, "Forgetting removed");
|
||||
else
|
||||
log_route_debug(tmp,
|
||||
manager->manage_foreign_routes ? "Kernel removed unknown" : "Ignoring received",
|
||||
manager);
|
||||
|
||||
if (req)
|
||||
route_enter_removed(req->userdata);
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
|
|
@ -1574,13 +1578,7 @@ void link_forget_routes(Link *link) {
|
|||
if (!IN_SET(route->type, RTN_UNICAST, RTN_BROADCAST, RTN_ANYCAST, RTN_MULTICAST))
|
||||
continue;
|
||||
|
||||
Request *req;
|
||||
if (route_get_request(link->manager, route, &req) >= 0)
|
||||
route_enter_removed(req->userdata);
|
||||
|
||||
route_enter_removed(route);
|
||||
log_route_debug(route, "Forgetting silently removed", link->manager);
|
||||
route_detach(route);
|
||||
route_forget(link->manager, route, "Forgetting silently removed");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -550,6 +550,23 @@ static void log_routing_policy_rule_debug(const RoutingPolicyRule *rule, const c
|
|||
strna(rule->iif), strna(rule->oif), strna(table));
|
||||
}
|
||||
|
||||
static void routing_policy_rule_forget(Manager *manager, RoutingPolicyRule *rule, const char *msg) {
|
||||
assert(manager);
|
||||
assert(rule);
|
||||
assert(msg);
|
||||
|
||||
Request *req;
|
||||
if (routing_policy_rule_get_request(manager, rule, rule->family, &req) >= 0)
|
||||
routing_policy_rule_enter_removed(req->userdata);
|
||||
|
||||
if (!rule->manager && routing_policy_rule_get(manager, rule, rule->family, &rule) < 0)
|
||||
return;
|
||||
|
||||
routing_policy_rule_enter_removed(rule);
|
||||
log_routing_policy_rule_debug(rule, "Forgetting", NULL, manager);
|
||||
routing_policy_rule_detach(rule);
|
||||
}
|
||||
|
||||
static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule, sd_netlink_message *m) {
|
||||
int r;
|
||||
|
||||
|
|
@ -708,16 +725,8 @@ static int routing_policy_rule_remove_handler(sd_netlink *rtnl, sd_netlink_messa
|
|||
(r == -ENOENT || !rule->manager) ? LOG_DEBUG : LOG_WARNING,
|
||||
r, "Could not drop routing policy rule, ignoring");
|
||||
|
||||
if (rule->manager) {
|
||||
/* If the rule cannot be removed, then assume the rule is already removed. */
|
||||
log_routing_policy_rule_debug(rule, "Forgetting", NULL, manager);
|
||||
|
||||
Request *req;
|
||||
if (routing_policy_rule_get_request(manager, rule, rule->family, &req) >= 0)
|
||||
routing_policy_rule_enter_removed(req->userdata);
|
||||
|
||||
routing_policy_rule_detach(rule);
|
||||
}
|
||||
/* If the rule cannot be removed, then assume the rule is already removed. */
|
||||
routing_policy_rule_forget(manager, rule, "Forgetting");
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
@ -1046,10 +1055,6 @@ static bool routing_policy_rule_is_created_by_kernel(const RoutingPolicyRule *ru
|
|||
}
|
||||
|
||||
int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
|
||||
_cleanup_(routing_policy_rule_unrefp) RoutingPolicyRule *tmp = NULL;
|
||||
RoutingPolicyRule *rule = NULL;
|
||||
Request *req = NULL;
|
||||
uint16_t type;
|
||||
int r;
|
||||
|
||||
assert(rtnl);
|
||||
|
|
@ -1063,6 +1068,7 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man
|
|||
return 0;
|
||||
}
|
||||
|
||||
uint16_t type;
|
||||
r = sd_netlink_message_get_type(message, &type);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
|
||||
|
|
@ -1072,6 +1078,7 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man
|
|||
return 0;
|
||||
}
|
||||
|
||||
_cleanup_(routing_policy_rule_unrefp) RoutingPolicyRule *tmp = NULL;
|
||||
r = routing_policy_rule_new(&tmp);
|
||||
if (r < 0) {
|
||||
log_oom();
|
||||
|
|
@ -1240,23 +1247,20 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man
|
|||
return 0;
|
||||
}
|
||||
|
||||
RoutingPolicyRule *rule = NULL;
|
||||
(void) routing_policy_rule_get(m, tmp, tmp->family, &rule);
|
||||
(void) routing_policy_rule_get_request(m, tmp, tmp->family, &req);
|
||||
|
||||
if (type == RTM_DELRULE) {
|
||||
if (rule) {
|
||||
routing_policy_rule_enter_removed(rule);
|
||||
log_routing_policy_rule_debug(rule, "Forgetting removed", NULL, m);
|
||||
routing_policy_rule_detach(rule);
|
||||
} else
|
||||
if (rule)
|
||||
routing_policy_rule_forget(m, rule, "Forgetting removed");
|
||||
else
|
||||
log_routing_policy_rule_debug(tmp, "Kernel removed unknown", NULL, m);
|
||||
|
||||
if (req)
|
||||
routing_policy_rule_enter_removed(req->userdata);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
Request *req = NULL;
|
||||
(void) routing_policy_rule_get_request(m, tmp, tmp->family, &req);
|
||||
|
||||
bool is_new = false;
|
||||
if (!rule) {
|
||||
if (!req && !m->manage_foreign_rules) {
|
||||
|
|
|
|||
|
|
@ -24,8 +24,7 @@ int acquire_fido2_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
Fido2EnrollFlags required,
|
||||
const char *askpw_credential,
|
||||
|
|
@ -45,10 +44,10 @@ int acquire_fido2_key(
|
|||
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
|
||||
|
||||
assert(cid);
|
||||
assert(key_file || key_data);
|
||||
assert(key_file || iovec_is_set(key_data));
|
||||
|
||||
if (key_data)
|
||||
salt = IOVEC_MAKE(key_data, key_data_size);
|
||||
if (iovec_is_set(key_data))
|
||||
salt = *key_data;
|
||||
else {
|
||||
if (key_file_size > 0)
|
||||
log_debug("Ignoring 'keyfile-size=' option for a FIDO2 salt file.");
|
||||
|
|
@ -252,7 +251,7 @@ int acquire_fido2_key_auto(
|
|||
/* key_file= */ NULL, /* salt is read from LUKS header instead of key_file */
|
||||
/* key_file_size= */ 0,
|
||||
/* key_file_offset= */ 0,
|
||||
salt, salt_size,
|
||||
&IOVEC_MAKE(salt, salt_size),
|
||||
until,
|
||||
required,
|
||||
"cryptsetup.fido2-pin",
|
||||
|
|
|
|||
|
|
@ -20,8 +20,7 @@ int acquire_fido2_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
Fido2EnrollFlags required,
|
||||
const char *askpw_credential,
|
||||
|
|
@ -52,8 +51,7 @@ static inline int acquire_fido2_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
Fido2EnrollFlags required,
|
||||
const char *askpw_credential,
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <getopt.h>
|
||||
#include <linux/loop.h>
|
||||
|
|
@ -45,6 +46,7 @@
|
|||
#include "process-util.h"
|
||||
#include "rm-rf.h"
|
||||
#include "sort-util.h"
|
||||
#include "selinux-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
#include "terminal-util.h"
|
||||
|
|
@ -899,6 +901,7 @@ static int resolve_mutable_directory(
|
|||
_cleanup_free_ char *path = NULL, *resolved_path = NULL, *dir_name = NULL;
|
||||
const char *root = arg_root, *base = MUTABLE_EXTENSIONS_BASE_DIR;
|
||||
int r;
|
||||
_cleanup_close_ int atfd = -EBADF;
|
||||
|
||||
assert(hierarchy);
|
||||
assert(ret_resolved_mutable_directory);
|
||||
|
|
@ -943,6 +946,14 @@ static int resolve_mutable_directory(
|
|||
r = mkdir_p(path_in_root, 0700);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create a directory '%s': %m", path_in_root);
|
||||
|
||||
atfd = open(path_in_root, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", path_in_root);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", path_in_root);
|
||||
}
|
||||
|
||||
r = chase(path, root, CHASE_PREFIX_ROOT, &resolved_path, NULL);
|
||||
|
|
@ -1289,6 +1300,7 @@ static int mount_overlayfs_with_op(
|
|||
|
||||
int r;
|
||||
const char *top_layer = NULL;
|
||||
_cleanup_close_ int atfd = -EBADF;
|
||||
|
||||
assert(op);
|
||||
assert(overlay_path);
|
||||
|
|
@ -1301,10 +1313,28 @@ static int mount_overlayfs_with_op(
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to make directory '%s': %m", meta_path);
|
||||
|
||||
atfd = open(meta_path, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", meta_path);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, op->hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", meta_path);
|
||||
|
||||
if (op->upper_dir && op->work_dir) {
|
||||
r = mkdir_p(op->work_dir, 0700);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to make directory '%s': %m", op->work_dir);
|
||||
_cleanup_close_ int dfd = -EBADF;
|
||||
|
||||
dfd = open(op->work_dir, O_DIRECTORY|O_CLOEXEC);
|
||||
if (dfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", op->work_dir);
|
||||
|
||||
r = mac_selinux_fix_full(dfd, NULL, op->hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", op->work_dir);
|
||||
|
||||
top_layer = op->upper_dir;
|
||||
} else {
|
||||
assert(!strv_isempty(op->lower_dirs));
|
||||
|
|
@ -1325,7 +1355,7 @@ static int mount_overlayfs_with_op(
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) {
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path, const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL, *buf = NULL;
|
||||
int r;
|
||||
|
||||
|
|
@ -1343,14 +1373,15 @@ static int write_extensions_file(ImageClass image_class, char **extensions, cons
|
|||
if (!buf)
|
||||
return log_oom();
|
||||
|
||||
r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755);
|
||||
const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural);
|
||||
r = write_string_file_full(AT_FDCWD,f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write extension meta file '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) {
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path, const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
struct stat st;
|
||||
int r;
|
||||
|
|
@ -1372,14 +1403,15 @@ static int write_dev_file(ImageClass image_class, const char *meta_path, const c
|
|||
/* Modifying the underlying layers while the overlayfs is mounted is technically undefined, but at
|
||||
* least it won't crash or deadlock, as per the kernel docs about overlayfs:
|
||||
* https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#changes-to-underlying-filesystems */
|
||||
r = write_string_file(f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE);
|
||||
const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural);
|
||||
r = write_string_file_full(AT_FDCWD, f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) {
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir, const char* hierarchy) {
|
||||
_cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL;
|
||||
char *work_dir_in_root = NULL;
|
||||
int r;
|
||||
|
|
@ -1406,7 +1438,8 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co
|
|||
escaped_work_dir_in_root = cescape(work_dir_in_root);
|
||||
if (!escaped_work_dir_in_root)
|
||||
return log_oom();
|
||||
r = write_string_file(f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE);
|
||||
const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, "work_dir");
|
||||
r = write_string_file_full(AT_FDCWD, f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write '%s': %m", f);
|
||||
|
||||
|
|
@ -1418,8 +1451,10 @@ static int store_info_in_meta(
|
|||
char **extensions,
|
||||
const char *meta_path,
|
||||
const char *overlay_path,
|
||||
const char *work_dir) {
|
||||
|
||||
const char *work_dir,
|
||||
const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
_cleanup_close_ int atfd = -EBADF;
|
||||
int r;
|
||||
|
||||
assert(extensions);
|
||||
|
|
@ -1427,15 +1462,32 @@ static int store_info_in_meta(
|
|||
assert(overlay_path);
|
||||
/* work_dir may be NULL */
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path);
|
||||
f = path_join(meta_path, image_class_info[image_class].dot_directory_name);
|
||||
if (!f)
|
||||
return log_oom();
|
||||
|
||||
r = mkdir_p(f, 0755);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_dev_file(image_class, meta_path, overlay_path);
|
||||
atfd = open(f, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", hierarchy);
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir);
|
||||
r = write_dev_file(image_class, meta_path, overlay_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
@ -1501,6 +1553,8 @@ static int merge_hierarchy(
|
|||
assert(overlay_path);
|
||||
assert(workspace_path);
|
||||
|
||||
mac_selinux_init();
|
||||
|
||||
r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
|
@ -1528,7 +1582,7 @@ static int merge_hierarchy(
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir);
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir, op->hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
|
|||
|
|
@ -1414,7 +1414,7 @@ static int verb_enable(int argc, char **argv, void *userdata) {
|
|||
"SetFeatureEnabled",
|
||||
&error,
|
||||
/* reply= */ NULL,
|
||||
"sbt",
|
||||
"sit",
|
||||
*feature,
|
||||
(int) enable,
|
||||
UINT64_C(0));
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
|
|||
timespec_load_nsec(ts)) < 0)
|
||||
return log_oom();
|
||||
|
||||
r = write_string_file_full(AT_FDCWD, path, message, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_LABEL, ts);
|
||||
r = write_string_file_full(AT_FDCWD, path, message, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_LABEL, ts, NULL);
|
||||
if (r == -EROFS)
|
||||
log_debug_errno(r, "Cannot create \"%s\", file system is read-only.", path);
|
||||
else if (r < 0)
|
||||
|
|
|
|||
|
|
@ -22,6 +22,11 @@ trap at_exit EXIT
|
|||
|
||||
systemctl service-log-level systemd-machined debug
|
||||
systemctl service-log-level systemd-importd debug
|
||||
# per request in https://github.com/systemd/systemd/pull/35117
|
||||
systemctl edit --runtime --stdin 'systemd-nspawn@.service' --drop-in=debug.conf <<EOF
|
||||
[Service]
|
||||
Environment=SYSTEMD_LOG_LEVEL=debug
|
||||
EOF
|
||||
|
||||
# Mount temporary directory over /var/lib/machines to not pollute the image
|
||||
mkdir -p /var/lib/machines
|
||||
|
|
@ -278,13 +283,13 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List
|
|||
# sending TRAP signal
|
||||
rm -f /var/lib/machines/long-running/trap
|
||||
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Kill '{"name":"long-running", "whom": "leader", "signal": 5}'
|
||||
timeout 30 bash -c "until test -e /var/lib/machines/long-running/trap; do sleep .5; done"
|
||||
timeout 120 bash -c "until test -e /var/lib/machines/long-running/trap; do sleep .5; done"
|
||||
|
||||
# test io.systemd.Machine.Terminate
|
||||
long_running_machine_start
|
||||
rm -f /var/lib/machines/long-running/terminate
|
||||
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Terminate '{"name":"long-running"}'
|
||||
timeout 10 bash -c "until test -e /var/lib/machines/long-running/terminate; do sleep .5; done"
|
||||
timeout 30 bash -c "until test -e /var/lib/machines/long-running/terminate; do sleep .5; done"
|
||||
timeout 30 bash -c "while varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{\"name\":\"long-running\"}'; do sleep 0.5; done"
|
||||
|
||||
# test io.systemd.Machine.Register
|
||||
|
|
@ -356,7 +361,7 @@ journalctl --sync
|
|||
machinectl terminate container-without-os-release
|
||||
machinectl terminate long-running
|
||||
# wait for the container being stopped, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.
|
||||
timeout 10 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
|
||||
timeout 30 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
|
||||
systemctl kill --signal=KILL systemd-nspawn@long-running.service || :
|
||||
|
||||
(ip addr show lo | grep -q 192.168.1.100) || ip address add 192.168.1.100/24 dev lo
|
||||
|
|
|
|||
Loading…
Reference in New Issue