alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity
nixpkgs/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

45 lines
2.2 KiB
Diff
Raw Normal View History

systemd: 249.5 -> 249.7
2021-12-06 14:39:16 +00:00
From 7ea935a5ac4f31106ce9347227d4eb59b77b02cd Mon Sep 17 00:00:00 2001
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
From: Andreas Rammhold <andreas@rammhold.de>
Date: Fri, 2 Nov 2018 21:15:42 +0100
systemd: 249.5 -> 249.7
2021-12-06 14:39:16 +00:00
Subject: [PATCH 12/19] inherit systemd environment when calling generators.
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
Systemd generators need access to the environment configured in
stage-2-init.sh since it schedules fsck and mkfs executions based on
being able to find an appropriate binary for the target filesystem.
With this commit I am altering the systemd behaviour since upstream
tries to gather environments with that they call
"environment-generators" and then seems to pass that on to all the other
executables that are being called from managers.
---
systemd: 247.6 -> 249.4 This updates systemd to version v249.4 from version v247.6. Besides the many new features that can be found in the upstream repository they also introduced a bunch of cleanup which ended up requiring a few more patches on our side. a) 0022-core-Handle-lookup-paths-being-symlinks.patch: The way symlinked units were handled was changed in such that the last name of a unit file within one of the unit directories (/run/systemd/system, /etc/systemd/system, ...) is used as the name for the unit. Unfortunately that code didn't take into account that the unit directories themselves could already be symlinks and thus caused all our units to be recognized slightly different. There is an upstream PR for this new patch: https://github.com/systemd/systemd/pull/20479 b) The way the APIVFS is setup has been changed in such a way that we now always have /run. This required a few changes to the confinement tests which did assert that they didn't exist. Instead of adding another patch we can just adopt the upstream behavior. An empty /run doesn't seem harmful. As part of this work I refactored the confinement test just a little bit to allow better debugging of test failures. Previously it would just fail at some point and it wasn't obvious which of the many commands failed or what the unexpected string was. This should now be more obvious. c) Again related to the confinement tests the way a file was tested for being accessible was optimized. Previously systemd would in some situations open a file twice during that check. This was reduced to one operation but required the procfs to be mounted in a units namespace. An upstream bug was filed and fixed. We are now carrying the essential patch to fix that issue until it is backported to a new release (likely only version 250). The good part about this story is that upstream systemd now has a test case that looks very similar to one of our confinement tests. Hopefully that will lead to less friction in the long run. https://github.com/systemd/systemd/issues/20514 https://github.com/systemd/systemd/pull/20515 d) Previously we could grep for dlopen( somewhat reliably but now upstream started using a wrapper around dlopen that is most of the time used with linebreaks. This makes using grep not ergonomic anymore. With this bump we are grepping for anything that looks like a dynamic library name (in contrast to a dlopen(3) call) and replace those instead. That seems more robust. Time will tell if this holds. I tried using coccinelle to patch all those call sites using its tooling but unfornately it does stumble upon the _cleanup_ annotations that are very common in the systemd code. e) We now have some machinery for libbpf support in our systemd build. That being said it doesn't actually work as generating some skeletons doesn't work just yet. It fails with the below error message and is disabled by default (in both minimal and the regular build). > FAILED: src/core/bpf/socket_bind/socket-bind.skel.h > /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h > libbpf: elf: socket_bind_bpf is not a valid eBPF object file > Error: failed to open BPF object file: BPF object format invalid > Traceback (most recent call last): > File "/build/source/tools/build-bpf-skel.py", line 128, in <module> > bpf_build(args) > File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build > gen_bpf_skeleton(bpftool_exec=args.bpftool_exec, > File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton > skel = subprocess.check_output(bpftool_args, universal_newlines=True) > File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output > return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, > File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run > raise CalledProcessError(retcode, process.args, > subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255. > [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut) > ninja: build stopped: subcommand failed. f) We do now have support for TPM2 based disk encryption in our systemd build. The actual bits and pieces to make use of that are missing but there are various ongoing efforts in that direction. There is also the story about systemd in our initrd to enable this being used for root volumes. None of this will yet work out of the box but we can start improving on that front. g) FIDO2 support was added systemd and consequently we can now use that. Just with TPM2 there hasn't been any integration work with NixOS and instead this just adds that capability to work on that. Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 14:10:54 +01:00
src/core/manager.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
diff --git a/src/core/manager.c b/src/core/manager.c
systemd: regenerate patch list according to instructions
2021-10-16 14:49:53 +01:00
index b9b4789720..79239afe4a 100644
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
--- a/src/core/manager.c
+++ b/src/core/manager.c
systemd: regenerate patch list according to instructions
2021-10-16 14:49:53 +01:00
@@ -4149,10 +4149,15 @@ static int manager_run_generators(Manager *m) {
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
argv[4] = NULL;
RUN_WITH_UMASK(0022)
- (void) execute_directories((const char* const*) paths, DEFAULT_TIMEOUT_USEC, NULL, NULL,
systemd: 247.6 -> 249.4 This updates systemd to version v249.4 from version v247.6. Besides the many new features that can be found in the upstream repository they also introduced a bunch of cleanup which ended up requiring a few more patches on our side. a) 0022-core-Handle-lookup-paths-being-symlinks.patch: The way symlinked units were handled was changed in such that the last name of a unit file within one of the unit directories (/run/systemd/system, /etc/systemd/system, ...) is used as the name for the unit. Unfortunately that code didn't take into account that the unit directories themselves could already be symlinks and thus caused all our units to be recognized slightly different. There is an upstream PR for this new patch: https://github.com/systemd/systemd/pull/20479 b) The way the APIVFS is setup has been changed in such a way that we now always have /run. This required a few changes to the confinement tests which did assert that they didn't exist. Instead of adding another patch we can just adopt the upstream behavior. An empty /run doesn't seem harmful. As part of this work I refactored the confinement test just a little bit to allow better debugging of test failures. Previously it would just fail at some point and it wasn't obvious which of the many commands failed or what the unexpected string was. This should now be more obvious. c) Again related to the confinement tests the way a file was tested for being accessible was optimized. Previously systemd would in some situations open a file twice during that check. This was reduced to one operation but required the procfs to be mounted in a units namespace. An upstream bug was filed and fixed. We are now carrying the essential patch to fix that issue until it is backported to a new release (likely only version 250). The good part about this story is that upstream systemd now has a test case that looks very similar to one of our confinement tests. Hopefully that will lead to less friction in the long run. https://github.com/systemd/systemd/issues/20514 https://github.com/systemd/systemd/pull/20515 d) Previously we could grep for dlopen( somewhat reliably but now upstream started using a wrapper around dlopen that is most of the time used with linebreaks. This makes using grep not ergonomic anymore. With this bump we are grepping for anything that looks like a dynamic library name (in contrast to a dlopen(3) call) and replace those instead. That seems more robust. Time will tell if this holds. I tried using coccinelle to patch all those call sites using its tooling but unfornately it does stumble upon the _cleanup_ annotations that are very common in the systemd code. e) We now have some machinery for libbpf support in our systemd build. That being said it doesn't actually work as generating some skeletons doesn't work just yet. It fails with the below error message and is disabled by default (in both minimal and the regular build). > FAILED: src/core/bpf/socket_bind/socket-bind.skel.h > /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h > libbpf: elf: socket_bind_bpf is not a valid eBPF object file > Error: failed to open BPF object file: BPF object format invalid > Traceback (most recent call last): > File "/build/source/tools/build-bpf-skel.py", line 128, in <module> > bpf_build(args) > File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build > gen_bpf_skeleton(bpftool_exec=args.bpftool_exec, > File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton > skel = subprocess.check_output(bpftool_args, universal_newlines=True) > File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output > return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, > File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run > raise CalledProcessError(retcode, process.args, > subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255. > [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut) > ninja: build stopped: subcommand failed. f) We do now have support for TPM2 based disk encryption in our systemd build. The actual bits and pieces to make use of that are missing but there are various ongoing efforts in that direction. There is also the story about systemd in our initrd to enable this being used for root volumes. None of this will yet work out of the box but we can start improving on that front. g) FIDO2 support was added systemd and consequently we can now use that. Just with TPM2 there hasn't been any integration work with NixOS and instead this just adds that capability to work on that. Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 14:10:54 +01:00
- (char**) argv, m->transient_environment,
- EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS | EXEC_DIR_SET_SYSTEMD_EXEC_PID);
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
-
+ (void) execute_directories((const char* const*) paths, DEFAULT_TIMEOUT_USEC,
+ // On NixOS we must propagate PATH to generators so they are
+ // able to find binaries such as `fsck.${fstype}` and
+ // `mkfs.${fstype}`. That is why the last argument of the
+ // function (envp) is set to NULL. This propagates systemd's
+ // environment (e.g. PATH) that was setup
+ // before calling systemd from stage-2-init.sh.
systemd: 247.6 -> 249.4 This updates systemd to version v249.4 from version v247.6. Besides the many new features that can be found in the upstream repository they also introduced a bunch of cleanup which ended up requiring a few more patches on our side. a) 0022-core-Handle-lookup-paths-being-symlinks.patch: The way symlinked units were handled was changed in such that the last name of a unit file within one of the unit directories (/run/systemd/system, /etc/systemd/system, ...) is used as the name for the unit. Unfortunately that code didn't take into account that the unit directories themselves could already be symlinks and thus caused all our units to be recognized slightly different. There is an upstream PR for this new patch: https://github.com/systemd/systemd/pull/20479 b) The way the APIVFS is setup has been changed in such a way that we now always have /run. This required a few changes to the confinement tests which did assert that they didn't exist. Instead of adding another patch we can just adopt the upstream behavior. An empty /run doesn't seem harmful. As part of this work I refactored the confinement test just a little bit to allow better debugging of test failures. Previously it would just fail at some point and it wasn't obvious which of the many commands failed or what the unexpected string was. This should now be more obvious. c) Again related to the confinement tests the way a file was tested for being accessible was optimized. Previously systemd would in some situations open a file twice during that check. This was reduced to one operation but required the procfs to be mounted in a units namespace. An upstream bug was filed and fixed. We are now carrying the essential patch to fix that issue until it is backported to a new release (likely only version 250). The good part about this story is that upstream systemd now has a test case that looks very similar to one of our confinement tests. Hopefully that will lead to less friction in the long run. https://github.com/systemd/systemd/issues/20514 https://github.com/systemd/systemd/pull/20515 d) Previously we could grep for dlopen( somewhat reliably but now upstream started using a wrapper around dlopen that is most of the time used with linebreaks. This makes using grep not ergonomic anymore. With this bump we are grepping for anything that looks like a dynamic library name (in contrast to a dlopen(3) call) and replace those instead. That seems more robust. Time will tell if this holds. I tried using coccinelle to patch all those call sites using its tooling but unfornately it does stumble upon the _cleanup_ annotations that are very common in the systemd code. e) We now have some machinery for libbpf support in our systemd build. That being said it doesn't actually work as generating some skeletons doesn't work just yet. It fails with the below error message and is disabled by default (in both minimal and the regular build). > FAILED: src/core/bpf/socket_bind/socket-bind.skel.h > /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h > libbpf: elf: socket_bind_bpf is not a valid eBPF object file > Error: failed to open BPF object file: BPF object format invalid > Traceback (most recent call last): > File "/build/source/tools/build-bpf-skel.py", line 128, in <module> > bpf_build(args) > File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build > gen_bpf_skeleton(bpftool_exec=args.bpftool_exec, > File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton > skel = subprocess.check_output(bpftool_args, universal_newlines=True) > File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output > return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, > File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run > raise CalledProcessError(retcode, process.args, > subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255. > [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut) > ninja: build stopped: subcommand failed. f) We do now have support for TPM2 based disk encryption in our systemd build. The actual bits and pieces to make use of that are missing but there are various ongoing efforts in that direction. There is also the story about systemd in our initrd to enable this being used for root volumes. None of this will yet work out of the box but we can start improving on that front. g) FIDO2 support was added systemd and consequently we can now use that. Just with TPM2 there hasn't been any integration work with NixOS and instead this just adds that capability to work on that. Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 14:10:54 +01:00
+ NULL, NULL, (char**) argv, /* NixOS: use inherited env */ NULL,
+ EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS | EXEC_DIR_SET_SYSTEMD_EXEC_PID);
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
r = 0;
finish:
--
systemd: 249.5 -> 249.7
2021-12-06 14:39:16 +00:00
2.33.1
systemd: switch from our own fork to upstream repo + local patches After patching, this produces exactly the same source code as in our custom fork, but having the actual patches inlined inside nixpkgs makes it easier to get rid of them. In case more complicated rebasing is necessary, maintainers can - Clone the upstream systemd/systemd[-stable] repo - Checkout the current rev mentioned in src - Apply the patches from this folder via `git am 00*.patch` - Rebase the repo on top of a new version - Export the patch series via `git format-patch $newVersion` - Update the patches = [ … ] attribute (if necessary)
2020-01-26 13:56:41 +00:00
Copy permalink