Compare commits
8 Commits
efe460b0d1
...
b2b5ed5eac
| Author | SHA1 | Date |
|---|---|---|
Ryan Wilson
|
b2b5ed5eac | |
|
gerblesh
|
bbec1c87d3 | |
|
Yu Watanabe
|
f29a07f3fc | |
|
Luca Boccassi
|
0566bd9643 | |
|
Lennart Poettering
|
7b4b3a8f7b | |
|
Ivan Kruglov
|
3aa3f130c1 | |
|
Ivan Kruglov
|
df18408ac6 | |
|
Ryan Wilson
|
bf05e30acc |
|
|
@ -128,7 +128,8 @@
|
|||
|
||||
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
|
||||
a read-only subvolume/directory in the image directory that is named after the specified URL and its
|
||||
HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
|
||||
HTTP etag (see <ulink url="https://en.wikipedia.org/wiki/HTTP_ETag">HTTP ETag</ulink> for more
|
||||
information). A writable snapshot is then taken from this subvolume, and named after the specified local
|
||||
name. This behavior ensures that creating multiple instances of the same URL is efficient, as
|
||||
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
|
||||
its writable snapshot, specify <literal>-</literal> as local name.</para>
|
||||
|
|
|
|||
|
|
@ -28,7 +28,9 @@
|
|||
<title>Description</title>
|
||||
|
||||
<para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
|
||||
and sets the last password in the list as the PAM authtok.</para>
|
||||
and sets the last password in the list as the PAM authtok, which can be used by e.g.
|
||||
<citerefentry project='man-pages'><refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||
</para>
|
||||
|
||||
<para>The password list is supposed to be stored in the "user" keyring of the root user,
|
||||
by an earlier call to
|
||||
|
|
|
|||
|
|
@ -61,7 +61,10 @@
|
|||
<literal>systemd-run0</literal> PAM stack.</para>
|
||||
|
||||
<para>Note that <command>run0</command> is implemented as an alternative multi-call invocation of
|
||||
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
||||
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>. That is,
|
||||
<command>run0</command> is a symbolic link to <command>systemd-run</command> executable file, and it
|
||||
behaves as <command>run0</command> if it is invoked through the symbolic link, otherwise behaves as
|
||||
<command>systemd-run</command>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
|
|
|||
|
|
@ -41,8 +41,10 @@
|
|||
<refsect1>
|
||||
<title>Kernel Command Line</title>
|
||||
|
||||
<para><filename>systemd-rfkill</filename> understands the
|
||||
following kernel command line parameter:</para>
|
||||
<para>
|
||||
<command>systemd-rfkill</command> understands the following kernel command line parameter. See also
|
||||
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
|
||||
</para>
|
||||
|
||||
<variablelist class='kernel-commandline-options'>
|
||||
<varlistentry>
|
||||
|
|
|
|||
|
|
@ -2009,8 +2009,8 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
|
|||
<varlistentry>
|
||||
<term><varname>PrivateUsers=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument or one of <literal>self</literal> or
|
||||
<literal>identity</literal>. Defaults to false. If enabled, sets up a new user namespace for the
|
||||
<listitem><para>Takes a boolean argument or one of <literal>self</literal>, <literal>identity</literal>,
|
||||
or <literal>full</literal>. Defaults to false. If enabled, sets up a new user namespace for the
|
||||
executed processes and configures a user and group mapping. If set to a true value or
|
||||
<literal>self</literal>, a minimal user and group mapping is configured that maps the
|
||||
<literal>root</literal> user and group as well as the unit's own user and group to themselves and
|
||||
|
|
@ -2026,6 +2026,10 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
|
|||
since all UIDs/GIDs are chosen identically it does provide process capability isolation, and hence is
|
||||
often a good choice if proper user namespacing with distinct UID maps is not appropriate.</para>
|
||||
|
||||
<para>If the parameter is <literal>full</literal>, user namespacing is set up with an identity
|
||||
mapping for all UIDs/GIDs. Similar to <literal>identity</literal>, this does not provide UID/GID
|
||||
isolation, but it does provide process capability isolation.</para>
|
||||
|
||||
<para>If this mode is enabled, all unit processes are run without privileges in the host user
|
||||
namespace (regardless if the unit's own user/group is <literal>root</literal> or not). Specifically
|
||||
this means that the process will have zero process capabilities on the host's user namespace, but
|
||||
|
|
|
|||
|
|
@ -394,9 +394,9 @@
|
|||
<listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke
|
||||
whole groups of UKIs or addons with a single, static policy update that does not take space in
|
||||
DBX/MOKX. If not specified manually, a default metadata entry consisting of
|
||||
<literal>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</literal>
|
||||
<programlisting>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</programlisting>
|
||||
for UKIs and
|
||||
<literal>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</literal>
|
||||
<programlisting>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</programlisting>
|
||||
for addons will be used, to ensure it is always possible to revoke them. For more information on
|
||||
SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
|
||||
</para>
|
||||
|
|
|
|||
|
|
@ -289,7 +289,8 @@ int write_string_file_full(
|
|||
const char *fn,
|
||||
const char *line,
|
||||
WriteStringFileFlags flags,
|
||||
const struct timespec *ts) {
|
||||
const struct timespec *ts,
|
||||
const char *label_fn) {
|
||||
|
||||
bool call_label_ops_post = false, made_file = false;
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
|
|
@ -321,7 +322,8 @@ int write_string_file_full(
|
|||
mode_t mode = write_string_file_flags_to_mode(flags);
|
||||
|
||||
if (FLAGS_SET(flags, WRITE_STRING_FILE_LABEL|WRITE_STRING_FILE_CREATE)) {
|
||||
r = label_ops_pre(dir_fd, fn, mode);
|
||||
const char *lookup = label_fn ? label_fn : fn;
|
||||
r = label_ops_pre(dir_fd, lookup, mode);
|
||||
if (r < 0)
|
||||
goto fail;
|
||||
|
||||
|
|
|
|||
|
|
@ -51,12 +51,13 @@ int write_string_stream_full(FILE *f, const char *line, WriteStringFileFlags fla
|
|||
static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) {
|
||||
return write_string_stream_full(f, line, flags, /* ts= */ NULL);
|
||||
}
|
||||
int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts);
|
||||
|
||||
int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts, const char *label_fn);
|
||||
static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
|
||||
return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL);
|
||||
return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
|
||||
}
|
||||
static inline int write_string_file_at(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags) {
|
||||
return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL);
|
||||
return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
|
||||
}
|
||||
int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4);
|
||||
|
||||
|
|
|
|||
|
|
@ -2103,6 +2103,23 @@ static int setup_private_users(PrivateUsers private_users, uid_t ouid, gid_t ogi
|
|||
uid_map = strdup("0 0 65536\n");
|
||||
if (!uid_map)
|
||||
return -ENOMEM;
|
||||
} else if (private_users == PRIVATE_USERS_FULL) {
|
||||
/* Map all UID/GID from original to new user namespace. We can't use `0 0 UINT32_MAX` because
|
||||
* this is the same UID/GID map as the init user namespace and there are various applications
|
||||
* (i.e. systemd's running_in_userns()) that check whether they are in a user namespace by
|
||||
* comparing uid_map/gid_map to `0 0 UINT32_MAX`. Thus, we still map all UIDs/GIDs but do it
|
||||
* using two extents to differentiate the new user namespace from the init namespace:
|
||||
* 0 0 1
|
||||
* 1 1 UINT32_MAX - 1
|
||||
*
|
||||
* Note the kernel defines the UID range between 0 and UINT32_MAX so we map all UIDs even though
|
||||
* the UID range beyond INT32_MAX (e.g. i.e. the range above the signed 32-bit range) is
|
||||
* icky. For example, setfsuid() returns the old UID as signed integer. But units can decide to
|
||||
* use these UIDs/GIDs so we need to map them. */
|
||||
r = asprintf(&uid_map, "0 0 1\n"
|
||||
"1 1 " UID_FMT "\n", UINT32_MAX - 1);
|
||||
if (r < 0)
|
||||
return -ENOMEM;
|
||||
/* Can only set up multiple mappings with CAP_SETUID. */
|
||||
} else if (have_effective_cap(CAP_SETUID) > 0 && uid != ouid && uid_is_valid(uid)) {
|
||||
r = asprintf(&uid_map,
|
||||
|
|
@ -2123,6 +2140,11 @@ static int setup_private_users(PrivateUsers private_users, uid_t ouid, gid_t ogi
|
|||
gid_map = strdup("0 0 65536\n");
|
||||
if (!gid_map)
|
||||
return -ENOMEM;
|
||||
} else if (private_users == PRIVATE_USERS_FULL) {
|
||||
r = asprintf(&gid_map, "0 0 1\n"
|
||||
"1 1 " UID_FMT "\n", UINT32_MAX - 1);
|
||||
if (r < 0)
|
||||
return -ENOMEM;
|
||||
/* Can only set up multiple mappings with CAP_SETGID. */
|
||||
} else if (have_effective_cap(CAP_SETGID) > 0 && gid != ogid && gid_is_valid(gid)) {
|
||||
r = asprintf(&gid_map,
|
||||
|
|
|
|||
|
|
@ -3364,6 +3364,7 @@ static const char* const private_users_table[_PRIVATE_USERS_MAX] = {
|
|||
[PRIVATE_USERS_NO] = "no",
|
||||
[PRIVATE_USERS_SELF] = "self",
|
||||
[PRIVATE_USERS_IDENTITY] = "identity",
|
||||
[PRIVATE_USERS_FULL] = "full",
|
||||
};
|
||||
|
||||
DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(private_users, PrivateUsers, PRIVATE_USERS_SELF);
|
||||
|
|
|
|||
|
|
@ -65,6 +65,7 @@ typedef enum PrivateUsers {
|
|||
PRIVATE_USERS_NO,
|
||||
PRIVATE_USERS_SELF,
|
||||
PRIVATE_USERS_IDENTITY,
|
||||
PRIVATE_USERS_FULL,
|
||||
_PRIVATE_USERS_MAX,
|
||||
_PRIVATE_USERS_INVALID = -EINVAL,
|
||||
} PrivateUsers;
|
||||
|
|
|
|||
|
|
@ -1698,7 +1698,8 @@ _public_ int sd_varlink_get_events(sd_varlink *v) {
|
|||
ret |= EPOLLIN;
|
||||
|
||||
if (!v->write_disconnected &&
|
||||
v->output_buffer_size > 0)
|
||||
(v->output_queue ||
|
||||
v->output_buffer_size > 0))
|
||||
ret |= EPOLLOUT;
|
||||
|
||||
return ret;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <getopt.h>
|
||||
#include <linux/loop.h>
|
||||
|
|
@ -45,6 +46,7 @@
|
|||
#include "process-util.h"
|
||||
#include "rm-rf.h"
|
||||
#include "sort-util.h"
|
||||
#include "selinux-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
#include "terminal-util.h"
|
||||
|
|
@ -899,6 +901,7 @@ static int resolve_mutable_directory(
|
|||
_cleanup_free_ char *path = NULL, *resolved_path = NULL, *dir_name = NULL;
|
||||
const char *root = arg_root, *base = MUTABLE_EXTENSIONS_BASE_DIR;
|
||||
int r;
|
||||
_cleanup_close_ int atfd = -EBADF;
|
||||
|
||||
assert(hierarchy);
|
||||
assert(ret_resolved_mutable_directory);
|
||||
|
|
@ -943,6 +946,14 @@ static int resolve_mutable_directory(
|
|||
r = mkdir_p(path_in_root, 0700);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create a directory '%s': %m", path_in_root);
|
||||
|
||||
atfd = open(path_in_root, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", path_in_root);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", path_in_root);
|
||||
}
|
||||
|
||||
r = chase(path, root, CHASE_PREFIX_ROOT, &resolved_path, NULL);
|
||||
|
|
@ -1289,6 +1300,7 @@ static int mount_overlayfs_with_op(
|
|||
|
||||
int r;
|
||||
const char *top_layer = NULL;
|
||||
_cleanup_close_ int atfd = -EBADF;
|
||||
|
||||
assert(op);
|
||||
assert(overlay_path);
|
||||
|
|
@ -1301,10 +1313,28 @@ static int mount_overlayfs_with_op(
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to make directory '%s': %m", meta_path);
|
||||
|
||||
atfd = open(meta_path, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", meta_path);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, op->hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", meta_path);
|
||||
|
||||
if (op->upper_dir && op->work_dir) {
|
||||
r = mkdir_p(op->work_dir, 0700);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to make directory '%s': %m", op->work_dir);
|
||||
_cleanup_close_ int dfd = -EBADF;
|
||||
|
||||
dfd = open(op->work_dir, O_DIRECTORY|O_CLOEXEC);
|
||||
if (dfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", op->work_dir);
|
||||
|
||||
r = mac_selinux_fix_full(dfd, NULL, op->hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", op->work_dir);
|
||||
|
||||
top_layer = op->upper_dir;
|
||||
} else {
|
||||
assert(!strv_isempty(op->lower_dirs));
|
||||
|
|
@ -1325,7 +1355,7 @@ static int mount_overlayfs_with_op(
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) {
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path, const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL, *buf = NULL;
|
||||
int r;
|
||||
|
||||
|
|
@ -1343,14 +1373,15 @@ static int write_extensions_file(ImageClass image_class, char **extensions, cons
|
|||
if (!buf)
|
||||
return log_oom();
|
||||
|
||||
r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755);
|
||||
const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural);
|
||||
r = write_string_file_full(AT_FDCWD,f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write extension meta file '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) {
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path, const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
struct stat st;
|
||||
int r;
|
||||
|
|
@ -1372,14 +1403,15 @@ static int write_dev_file(ImageClass image_class, const char *meta_path, const c
|
|||
/* Modifying the underlying layers while the overlayfs is mounted is technically undefined, but at
|
||||
* least it won't crash or deadlock, as per the kernel docs about overlayfs:
|
||||
* https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#changes-to-underlying-filesystems */
|
||||
r = write_string_file(f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE);
|
||||
const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural);
|
||||
r = write_string_file_full(AT_FDCWD, f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) {
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir, const char* hierarchy) {
|
||||
_cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL;
|
||||
char *work_dir_in_root = NULL;
|
||||
int r;
|
||||
|
|
@ -1406,7 +1438,8 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co
|
|||
escaped_work_dir_in_root = cescape(work_dir_in_root);
|
||||
if (!escaped_work_dir_in_root)
|
||||
return log_oom();
|
||||
r = write_string_file(f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE);
|
||||
const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, "work_dir");
|
||||
r = write_string_file_full(AT_FDCWD, f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write '%s': %m", f);
|
||||
|
||||
|
|
@ -1418,8 +1451,10 @@ static int store_info_in_meta(
|
|||
char **extensions,
|
||||
const char *meta_path,
|
||||
const char *overlay_path,
|
||||
const char *work_dir) {
|
||||
|
||||
const char *work_dir,
|
||||
const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
_cleanup_close_ int atfd = -EBADF;
|
||||
int r;
|
||||
|
||||
assert(extensions);
|
||||
|
|
@ -1427,15 +1462,32 @@ static int store_info_in_meta(
|
|||
assert(overlay_path);
|
||||
/* work_dir may be NULL */
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path);
|
||||
f = path_join(meta_path, image_class_info[image_class].dot_directory_name);
|
||||
if (!f)
|
||||
return log_oom();
|
||||
|
||||
r = mkdir_p(f, 0755);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_dev_file(image_class, meta_path, overlay_path);
|
||||
atfd = open(f, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(errno, "Failed to open directory '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", hierarchy);
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir);
|
||||
r = write_dev_file(image_class, meta_path, overlay_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
@ -1501,6 +1553,8 @@ static int merge_hierarchy(
|
|||
assert(overlay_path);
|
||||
assert(workspace_path);
|
||||
|
||||
mac_selinux_init();
|
||||
|
||||
r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
|
@ -1528,7 +1582,7 @@ static int merge_hierarchy(
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir);
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir, op->hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
|
|||
timespec_load_nsec(ts)) < 0)
|
||||
return log_oom();
|
||||
|
||||
r = write_string_file_full(AT_FDCWD, path, message, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_LABEL, ts);
|
||||
r = write_string_file_full(AT_FDCWD, path, message, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_LABEL, ts, NULL);
|
||||
if (r == -EROFS)
|
||||
log_debug_errno(r, "Cannot create \"%s\", file system is read-only.", path);
|
||||
else if (r < 0)
|
||||
|
|
|
|||
|
|
@ -10,3 +10,5 @@ systemd-run -p PrivateUsersEx=self --wait bash -c 'test "$(cat /proc/self/uid_ma
|
|||
systemd-run -p PrivateUsersEx=self --wait bash -c 'test "$(cat /proc/self/gid_map)" == " 0 0 1"'
|
||||
systemd-run -p PrivateUsersEx=identity --wait bash -c 'test "$(cat /proc/self/uid_map)" == " 0 0 65536"'
|
||||
systemd-run -p PrivateUsersEx=identity --wait bash -c 'test "$(cat /proc/self/gid_map)" == " 0 0 65536"'
|
||||
systemd-run -p PrivateUsersEx=full --wait bash -c 'test "$(cat /proc/self/uid_map | tr -d "\n")" == " 0 0 1 1 1 4294967294"'
|
||||
systemd-run -p PrivateUsersEx=full --wait bash -c 'test "$(cat /proc/self/gid_map | tr -d "\n")" == " 0 0 1 1 1 4294967294"'
|
||||
|
|
|
|||
|
|
@ -22,6 +22,11 @@ trap at_exit EXIT
|
|||
|
||||
systemctl service-log-level systemd-machined debug
|
||||
systemctl service-log-level systemd-importd debug
|
||||
# per request in https://github.com/systemd/systemd/pull/35117
|
||||
systemctl edit --runtime --stdin 'systemd-nspawn@.service' --drop-in=debug.conf <<EOF
|
||||
[Service]
|
||||
Environment=SYSTEMD_LOG_LEVEL=debug
|
||||
EOF
|
||||
|
||||
# Mount temporary directory over /var/lib/machines to not pollute the image
|
||||
mkdir -p /var/lib/machines
|
||||
|
|
@ -278,13 +283,13 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List
|
|||
# sending TRAP signal
|
||||
rm -f /var/lib/machines/long-running/trap
|
||||
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Kill '{"name":"long-running", "whom": "leader", "signal": 5}'
|
||||
timeout 30 bash -c "until test -e /var/lib/machines/long-running/trap; do sleep .5; done"
|
||||
timeout 120 bash -c "until test -e /var/lib/machines/long-running/trap; do sleep .5; done"
|
||||
|
||||
# test io.systemd.Machine.Terminate
|
||||
long_running_machine_start
|
||||
rm -f /var/lib/machines/long-running/terminate
|
||||
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Terminate '{"name":"long-running"}'
|
||||
timeout 10 bash -c "until test -e /var/lib/machines/long-running/terminate; do sleep .5; done"
|
||||
timeout 30 bash -c "until test -e /var/lib/machines/long-running/terminate; do sleep .5; done"
|
||||
timeout 30 bash -c "while varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{\"name\":\"long-running\"}'; do sleep 0.5; done"
|
||||
|
||||
# test io.systemd.Machine.Register
|
||||
|
|
@ -356,7 +361,7 @@ journalctl --sync
|
|||
machinectl terminate container-without-os-release
|
||||
machinectl terminate long-running
|
||||
# wait for the container being stopped, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.
|
||||
timeout 10 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
|
||||
timeout 30 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
|
||||
systemctl kill --signal=KILL systemd-nspawn@long-running.service || :
|
||||
|
||||
(ip addr show lo | grep -q 192.168.1.100) || ip address add 192.168.1.100/24 dev lo
|
||||
|
|
|
|||
Loading…
Reference in New Issue