Lennart Poettering [Mon, 30 Mar 2020 19:46:01 +0000 (21:46 +0200)]
user-util: switch order of checks in valid_user_group_name_or_id_full()
When we are supposed to accept numeric UIDs formatted as string, then
let's check that first, before passing things on to
valid_user_group_name_full(), since that might log about, and not the
other way round.
See: #15201
Follow-up for: 93c23c9297e48e594785e0bb9c51504aae5fbe3e
(cherry picked from commit a85daa0dfb3eb03be9845760e90e54b9af8fb00e)
Related: #1848373
Zbigniew Jędrzejewski-Szmek [Thu, 1 Aug 2019 08:02:14 +0000 (10:02 +0200)]
shared/user-util: allow usernames with dots in specific fields
People do have usernames with dots, and it makes them very unhappy that systemd
doesn't like that. It seems that there is no actual problem with allowing
dots in the username. In particular chown declares ":" as the official
separator, and internally in systemd we never rely on "." as the separator
between user and group (nor do we call chown directly). Using dots in the name
is probably not a very good idea, but we don't need to care. Debian tools
(adduser) do not allow users with dots to be created.
This patch allows *existing* names with dots to be used in User, Group,
SupplementaryGroups, SocketUser, SocketGroup fields, both in unit files and on
the command line. DynamicUsers and sysusers still follow the strict policy.
user@.service and tmpfiles already allowed arbitrary user names, and this
remains unchanged.
Fixes #12754.
(cherry picked from commit ae480f0b09aec815b64579bb1828ea935d8ee236)
Related: #1848373
Balint Reczey [Wed, 18 Mar 2020 17:29:02 +0000 (18:29 +0100)]
user-util: Allow names starting with a digit
In 1a29610f5fa1bcb2eeb37d2c6b79d8d1a6dbb865 the change inadvertently
disabled names with digit as the first character. This follow-up change
allows a digit as the first character in compat mode.
Fixes: #15141
(cherry picked from commit 93c23c9297e48e594785e0bb9c51504aae5fbe3e)
Related: #1848373
Zbigniew Jędrzejewski-Szmek [Wed, 28 Aug 2019 10:05:52 +0000 (12:05 +0200)]
shared/user-util: emit a warning on names with dots
(cherry picked from commit 88e2ed0b5bf6f08f5a2d4d64b1fefdc7192b9aac)
Related: #1848373
David Tardon [Tue, 27 Oct 2020 09:31:05 +0000 (10:31 +0100)]
shared/user-util: add compat forms of user name checking functions
New functions are called valid_user_group_name_compat() and
valid_user_group_name_or_id_compat() and accept dots in the user
or group name. No functional change except the tests.
(cherry picked from commit 1a29610f5fa1bcb2eeb37d2c6b79d8d1a6dbb865)
This completes previous partial cherry-pick of the same commit (commit 76176de0889c3e8b9b3a176da24e4f8dbbd380a3).
Related: #1848373
Lennart Poettering [Mon, 1 Jun 2020 15:48:41 +0000 (17:48 +0200)]
tests: beef up integer parsing tests
(cherry picked from commit 53c6db99fa4b52f97e19977f21d3133f8ceb3dcd)
Related: #1848373
Lennart Poettering [Mon, 1 Jun 2020 15:31:51 +0000 (17:31 +0200)]
parse-util: also parse integers prefixed with 0b and 0o
Let's adopt Python 3 style 0b and 0x syntaxes, because it makes a ton of
sense, in particular in bitmask settings.
(cherry picked from commit fc80cabcf584a8b486bdff5be0c074fec4059cdc)
Related: #1848373
Lennart Poettering [Fri, 23 Nov 2018 15:27:15 +0000 (16:27 +0100)]
strv: add new macro STARTSWITH_SET()
This is to startswith() what PATH_STARTSWITH_SET() is to
path_startswith().
Or in other words, checks if the specified string has any of the listed
prefixes, and if so, returns the remainder of the string.
(cherry picked from commit 52f1552073047195d51901f7e5a5a4fa3189034e)
Related: #1848373
Lennart Poettering [Mon, 1 Jun 2020 15:16:46 +0000 (17:16 +0200)]
user-util: be stricter in parse_uid()
Let's refuse "+" and "-" prefixed UIDs. Let's refuse whitespace-prefixed
UIDs. Let's refuse zero-prefixed UIDs. Let's be safe rather than sorry.
(cherry picked from commit f5979b63cc305ba217dfd174b1bf0583bcf75a73)
Related: #1848373
Lennart Poettering [Mon, 1 Jun 2020 15:16:04 +0000 (17:16 +0200)]
parse-util: rewrite parse_mode() on top of safe_atou_full()
Parsing is hard, hence let's use our own careful wrappers wherever
possible.
(cherry picked from commit c44702a8bd8cc8b7f2f1df21db9308d9af7dda5b)
Related: #1848373
Lennart Poettering [Mon, 1 Jun 2020 15:10:27 +0000 (17:10 +0200)]
parse-util: make return parameter optional in safe_atou16_full()
All other safe_atoXYZ_full() functions have the parameter optional,
let's make it optional here, too.
(cherry picked from commit aa85e4d3cef8ca8436e480bce9fa4ce72876b636)
Related: #1848373
Lennart Poettering [Mon, 1 Jun 2020 15:08:38 +0000 (17:08 +0200)]
parse-util: allow '-0' as alternative to '0' and '+0'
Let's allow "-0" as alternative to "+0" and "0" when parsing integers,
unless the new SAFE_ATO_REFUSE_PLUS_MINUS flag is specified.
In cases where allowing the +/- syntax shall not be allowed
SAFE_ATO_REFUSE_PLUS_MINUS is the right flag to use, but this also means
that -0 as only negative integer that fits into an unsigned value should
be acceptable if the flag is not specified.
(cherry picked from commit c78eefc13562a8fc0c22c00a6d3001af89860258)
Related: #1848373
Lennart Poettering [Mon, 1 Jun 2020 15:06:19 +0000 (17:06 +0200)]
parse-util: allow tweaking how to parse integers
This allows disabling a few alternative ways to decode integers
formatted as strings, for safety reasons.
See: #15991
(cherry picked from commit 707e93aff8f358f8a62117e54b857530d6594e4b)
Related: #1848373
Zbigniew Jędrzejewski-Szmek [Thu, 9 Apr 2020 09:18:26 +0000 (11:18 +0200)]
basic/parse-util: add safe_atoux64()
(cherry picked from commit ce51632a357d347737bf40d3817df331cd8874cb)
Related: #1848373
Lennart Poettering [Thu, 14 Nov 2019 13:49:40 +0000 (14:49 +0100)]
parse-util: sometimes it is useful to check if a string is a valid integer, but not actually parse it
(cherry picked from commit 22810041c2200fe72b0e0c985d0e404f8b80f9e2)
Related: #1848373
Zbigniew Jędrzejewski-Szmek [Sun, 31 May 2020 16:21:09 +0000 (18:21 +0200)]
basic/user-util: always use base 10 for user/group numbers
We would parse numbers with base prefixes as user identifiers. For example,
"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
interpreted as UID==1000. This parsing was used also in cases where either a
user/group name or number may be specified. This means that names like
0x2b3bfa0 would be ambiguous: they are a valid user name according to our
documented relaxed rules, but they would also be parsed as numeric uids.
This behaviour is definitely not expected by users, since tools generally only
accept decimal numbers (e.g. id, getent passwd), while other tools only accept
user names and thus will interpret such strings as user names without even
attempting to convert them to numbers (su, ssh). So let's follow suit and only
accept numbers in decimal notation. Effectively this means that we will reject
such strings as a username/uid/groupname/gid where strict mode is used, and try
to look up a user/group with such a name in relaxed mode.
Since the function changed is fairly low-level and fairly widely used, this
affects multiple tools: 'loginctl show-user/enable-linger/disable-linger foo',
the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
etc.
Fixes #15985.
(cherry picked from commit 156a5fd297b61bce31630d7a52c15614bf784843)
Resolves: #1848373
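The ambiguity described in "basic/user-util: always use base 10 for user/group numbers" and the prefixes refused in "user-util: be stricter in parse_uid()", as an added example that is not systemd's code. The names `lenient_parse_uid`, `strict_parse_uid` and `is_ambiguous_id` are hypothetical, the sample strings are constructed, and refusing 4294967295 and 65535 as reserved values is this example's own policy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parser (hypothetical name): base 0 lets strtoull() auto-detect
 * "0x" (hex) and a leading "0" (octal); it also skips leading whitespace
 * and accepts a sign. This models the pre-fix behaviour. */
int lenient_parse_uid(const char *s, uint32_t *ret) {
    char *end = NULL;
    unsigned long long v;

    if (!s || !*s)
        return -EINVAL;
    errno = 0;
    v = strtoull(s, &end, 0);
    if (errno != 0 || end == s || *end != '\0')
        return -EINVAL;
    if (v > UINT32_MAX)
        return -ERANGE;
    if (ret)
        *ret = (uint32_t) v;
    return 0;
}

/* Strict parser (hypothetical name): decimal digits only, no sign, no
 * whitespace, no leading zero except the single string "0". */
int strict_parse_uid(const char *s, uint32_t *ret) {
    uint64_t v = 0;

    if (!s || !*s)
        return -EINVAL;
    if (s[0] == '0' && s[1] != '\0')
        return -EINVAL;              /* "01750", "0x2b3bfa0", "00" */
    for (const char *p = s; *p; p++) {
        if (*p < '0' || *p > '9')
            return -EINVAL;          /* sign, whitespace, hex digits, garbage */
        v = v * 10 + (uint64_t) (*p - '0');
        if (v > UINT32_MAX)
            return -ERANGE;          /* checked every step, so v cannot wrap */
    }
    /* Example policy (assumption): treat the 32-bit and 16-bit "-1"
     * values as reserved and refuse them. */
    if (v == UINT32_MAX || v == UINT16_MAX)
        return -ENXIO;
    if (ret)
        *ret = (uint32_t) v;
    return 0;
}

/* A string is ambiguous when the lenient parser turns it into a numeric
 * UID although the strict parser would leave it to be treated as a name
 * (relaxed mode) or rejected (strict mode). */
int is_ambiguous_id(const char *s) {
    return lenient_parse_uid(s, NULL) == 0 && strict_parse_uid(s, NULL) != 0;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *samples[] = {
        "1000", "0", "0x2b3bfa0", "01750", "+1000", " 1000", "-0", "root",
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t l = 0, s = 0;
        int rl = lenient_parse_uid(samples[i], &l);
        int rs = strict_parse_uid(samples[i], &s);

        printf("%-12s lenient=", samples[i]);
        if (rl == 0)
            printf("%-10u", (unsigned) l);
        else
            printf("%-10s", "refused");
        printf(" strict=");
        if (rs == 0)
            printf("%-10u", (unsigned) s);
        else
            printf("%-10s", "refused");
        printf(" %s\n", is_ambiguous_id(samples[i]) ? "AMBIGUOUS" : "");
    }
    return 0;
}
```
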
Michal Sekletár [Mon, 17 Feb 2020 12:50:31 +0000 (13:50 +0100)]
core: add support for setting CPUAffinity= to special "numa" value
systemd will automatically derive CPU affinity mask from NUMA node
mask.
Fixes #13248
(cherry picked from commit e2b2fb7f566d13a3de61952b5356cd4d2eaee917)
Resolves: #1740657
Michal Sekletar [Fri, 31 May 2019 13:23:23 +0000 (15:23 +0200)]
dbus-execute: make transfer of CPUAffinity endian safe (#12711)
We store the affinity mask in the native endian. However, over D-Bus we
must transfer the mask in little endian byte order.
This is the second part of c367f996f5f091a63f812f0140b304c649be77fc.
(cherry picked from commit 75e40119a471454516ad0acc96f6f4094e7fb652)
Related: #1740657
Wen Yang [Tue, 30 Jun 2020 20:45:33 +0000 (04:45 +0800)]
mount-setup: fix segfault in mount_cgroup_controllers when using gcc9 compiler
According to the documentation:
https://gcc.gnu.org/gcc-9/porting_to.html#complit
The 'join_controllers' that relied on the extended lifetime needs
to be fixed, move the compound literals to the function scope it
needs to be accessible in.
Resolves: #1868877
Alan Jenkins [Thu, 21 Jun 2018 13:12:30 +0000 (14:12 +0100)]
core: remove support for API bus "started outside our own logic"
Looking at a recent Bad Day, my log contains over 100 lines of
systemd[23895]: Failed to connect to API bus: Connection refused
It is due to "systemd --user" retrying to connect to an API bus.[*] I
would prefer to avoid spamming the logs. I don't think it is good for us
to retry so much like this.
systemd was misled by something setting DBUS_SESSION_BUS_ADDRESS. My best
guess is an unfortunate series of events caused gdm to set this. gdm has
code to start a session dbus if there is not a bus available already (and
in this case it exports the environment variable). I believe it does not
normally do this when running under systemd, because "systemd --user" and
hence "dbus.service" would already have been started by pam_systemd.
I see two possibilities
1. Rip out the check for DBUS_SESSION_BUS_ADDRESS entirely.
2. Only check for DBUS_SESSION_BUS_ADDRESS on startup. Not in the
"recheck" logic.
The justification for 2), is that the recheck is called from unit_notify(),
this is used to check whether the service just started (or stopped) was
"dbus.service". This reason for rechecking does not apply if we think
the session bus was started outside our logic.
But I think we can justify 1). dbus-daemon ships a statically-enabled
/usr/lib/systemd/user/dbus.service, which would conflict with an attempt to
use an external dbus. Also "systemd --user" is started from user@.service;
if you try to start it manually so that it inherits an environment
variable, it will conflict if user@.service was started by pam_systemd
(or loginctl enable-linger).
(cherry picked from commit d3243f55ca9b5f305306ba4105ab29768e372a78)
Resolves: #1764282
Renaud Métrich [Thu, 20 Aug 2020 11:00:37 +0000 (13:00 +0200)]
socket: New option 'FlushPending' (boolean) to flush socket before entering listening state
Disabled by default. When Enabled, before listening on the socket, flush the content.
Applies when Accept=no only.
(cherry picked from commit 3e5f04bf6468fcb79c080f02b0eab08f258bff0c)
Resolves: #1870638
Lennart Poettering [Tue, 26 Mar 2019 17:02:49 +0000 (18:02 +0100)]
man: document the new systemctl --show-transaction option
(cherry picked from commit df4a7cb7323c8cf00553d766913312c5b7ccd508)
Related: #846319
Lennart Poettering [Tue, 26 Mar 2019 16:39:36 +0000 (17:39 +0100)]
test: add some basic testing that "systemctl start -T" does something
(cherry picked from commit f087c7e072bb338d5c7c0781c9fbc900612efd18)
Related: #846319
Lennart Poettering [Fri, 22 Mar 2019 19:58:13 +0000 (20:58 +0100)]
systemctl: add new --show-transaction switch
This new switch uses the new method call EnqueueUnitJob() for enqueuing
a job and showing the jobs it enqueued.
Fixes: #2297
(cherry picked from commit 85d9b5981ba6b7ee3955f95fa6cf3bb8cdf3444d)
Resolves: #846319
Lennart Poettering [Tue, 26 Mar 2019 15:19:35 +0000 (16:19 +0100)]
systemctl: split out extra args generation into helper function of its own
(cherry picked from commit 94369fc0663255bbd327f97dba288ececf51a514)
Related: #846319
Lennart Poettering [Sat, 13 Oct 2018 12:38:46 +0000 (14:38 +0200)]
systemctl: clean up start_unit_one() error handling
Let's split exit code handling in two: "r" is only used for errno-style
errors, and "ret" is used for exit() codes. Then, let's use EXIT_SUCCESS
for checking whether the latter is already used.
This way it should always be clear what kind of error we are processing,
and when we propagate one into the other.
Moreover this allows us to drop "q" from all inner loops, avoiding
confusion when to use "q" and when "r" to store received errors.
Fixes: #9704
(cherry picked from commit 0e8d9c0c4d7e71487c486f626c59853cfb031d16)
Related: #846319
Filipe Brandenburger [Fri, 20 Jul 2018 18:32:55 +0000 (11:32 -0700)]
systemctl: Only wait when there's something to wait for.
Tested:
- `systemctl --wait start i-do-not-exist.service` does not wait.
- `systemctl --wait start i-do-not-exist.service valid-unit.service` does.
(cherry picked from commit 46f2579c2ac9f6780d5afec1000764defc6b581e)
Related: #846319
Lennart Poettering [Tue, 26 Mar 2019 14:49:52 +0000 (15:49 +0100)]
systemctl: reindent table
(cherry picked from commit 5fd77930ad9980af5257f9f871556d6973db736c)
Related: #846319
Lennart Poettering [Tue, 26 Mar 2019 14:20:26 +0000 (15:20 +0100)]
systemctl: replace switch statement by table of structures
(cherry picked from commit c45e5fb877033c9e3f9b79121644ed71032af379)
Related: #846319
Lennart Poettering [Fri, 22 Mar 2019 19:57:30 +0000 (20:57 +0100)]
core: add new API for enqueuing a job with returning the transaction data
(cherry picked from commit 50cbaba4fe5a32850998682699322d012e597e4a)
Related: #846319
Zbigniew Jędrzejewski-Szmek [Wed, 14 Oct 2020 12:03:13 +0000 (14:03 +0200)]
sd-bus: break the loop in bus_ensure_running() if the bus is not connecting
This might fix #17025:
> the call trace is
> bus_ensure_running -> sd_bus_process -> bus_process_internal -> process_closeing --> sd_bus_close
> |
> \-> process_match
We ended doing callouts to the Disconnected matches from bus_ensure_running()
and shouldn't. bus_ensure_running() should never do callouts. This change
should fix this however: once we notice that the connection is going down we
will now fail instantly with ENOTOCONN instead of calling any callbacks.
(cherry picked from commit 93a59b1ae5d3bcb0ec1488ebc13d0d1ff4d1729a)
Resolves: #1885553
Lennart Poettering [Mon, 29 Apr 2019 14:10:51 +0000 (16:10 +0200)]
units: drop reference to sushell man page
sushell was a Fedoraism, and has been removed since. Hence our upstream
unit files shouldn't reference it either.
(cherry picked from commit 6dc14d73664390682d47d7e5bcbdbb362d04f623)
Resolves: #1871827
Michael Biebl [Thu, 7 Mar 2019 11:02:53 +0000 (12:02 +0100)]
units: fix systemd.special man page reference in system-update-cleanup.service
(cherry picked from commit faab72d16b310c17be4b908cfe15eca122d16ae4)
Resolves: #1871827
Franck Bui [Thu, 16 Jul 2020 19:22:37 +0000 (21:22 +0200)]
vconsole-setup: downgrade log message when setting font fails on dummy console
Since commit 883eb9be985fd86d9cabe967eeeab91cdd396a81, vconsole-setup might be
called again to operate on dummy console where font operations are not
supported but where it's still important to have the correct keymap set [0][1].
vconsole-setup is mainly called by udev but can also be run via a dependency of
an early service. Both cases might end up calling vconsole-setup on the dummy
console.
The first case can happen during early boot even on systems that use (instead
of the dummy console) a "simple" video console driver supporting font
operations (such as vgacon) until a more specific driver (such as i915) takes
the console over. While this is happening vgacon is deactivated and temporarily
replaced by the dummy console [2].
There are also other cases where systemd-vconsole-setup might be called on
dummy console especially during (very) early boot. Indeed
systemd-vconsole-setup.service might be pulled in by early interactive services
such as 'dracut-cmdline-ask.service' which is run before udev.
If that happens on platforms with no graphical HWs (such as embedded ARM) or
with dummy console initially installed until a driver takes over (like Xen and
xen-fbfront) then setting font will fail.
Therefore this patch downgrades the log message emitted when setting font fails
to LOG_DEBUG and when font operations is not implemented like it's the case for
the dummy console.
Fixes: #16406.
[0] https://github.com/systemd/systemd/issues/10826
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1652473
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/vga/vgaarb.c?h=v5.7#n204
(cherry picked from commit 0ef1adf51274960358e852d3bc36ae6c288a70d9)
Resolves: #1889996
Zbigniew Jędrzejewski-Szmek [Wed, 3 Apr 2019 11:11:00 +0000 (13:11 +0200)]
seccomp: rework how the S[UG]ID filter is installed
If we know that a syscall is undefined on the given architecture, don't
even try to add it.
Try to install the filter even if some syscalls fail. Also use a helper
function to make the whole a bit less magic.
This allows the S[UG]ID test to pass on arm64.
(cherry picked from commit da4dc9a6748797e804b6bc92ad513d509abf581c)
Resolves: #1860374
Zbigniew Jędrzejewski-Szmek [Fri, 26 Apr 2019 11:37:31 +0000 (13:37 +0200)]
basic/virt: try the /proc/1/sched hack also for PID1
If a container manager does not set $container, we could end up
in a strange situation when detect-virt returns container-other when
run as non-pid-1 and none when run as pid-1.
(cherry picked from commit 342bed02084c4396dd2f1054bd559bfb2699cfcb)
Resolves: #1868877
Jan Synacek [Mon, 17 Aug 2020 12:29:04 +0000 (14:29 +0200)]
build: use simple project version in pkgconfig files
Loosely based on commit a67c318df8800ba98d7361308937ed276dc73982.
Resolves: #1862714
Michal Sekletar [Fri, 22 Feb 2019 14:50:55 +0000 (15:50 +0100)]
logind: don't print warning when user@.service template is masked
User instance of systemd is optional feature and if user@.service
template is masked then administrator most likely doesn't want --user
instances of systemd for logged in users. We don't need to be verbose
about it.
(cherry picked from commit 03b6fa0c5b51b0d39334ff6ba183a3391443bcf6)
Resolves: #1880270
Michal Sekletár [Tue, 8 Sep 2020 12:51:39 +0000 (14:51 +0200)]
cgroup: freezer action must be NOP when cgroup v2 freezer is not available
Low-level cgroup freezer state manipulation is invoked directly from the
job engine when we are about to execute the job in order to make sure
the unit is not frozen and job execution is not blocked because of
that.
Currently with cgroup v1 we would needlessly do a bunch of work in the
function and even falsely update the freezer state. Don't do any of this
and skip the function silently when v2 freezer is not available.
Following bug is fixed by this commit,
    $ systemd-run --unit foo.service /bin/sleep infinity
    $ systemctl restart foo.service
    $ systemctl show -p FreezerState foo.service
Before (cgroup v1, i.e. full "legacy" mode):
    FreezerState=thawing
After:
    FreezerState=running
(cherry picked from commit 9a1e90aee556b7a30d87553a891a4175ae77ed68)
Resolves: #1868831
Lennart Poettering [Wed, 22 Apr 2020 18:34:02 +0000 (20:34 +0200)]
core: make sure to restore the control command id, too
Fixes: #15356
(cherry picked from commit e9da62b18af647bfa73807e1c7fc3bfa4bb4b2ac)
Resolves: #1829867
Lennart Poettering [Mon, 25 Jun 2018 15:21:34 +0000 (17:21 +0200)]
man: document new "boot-complete.target" unit
(cherry picked from commit 82ea38258c0f4964c2f3ad3691c6e4554c4f0bb0)
Related: #1872243
Lennart Poettering [Fri, 22 Jun 2018 10:52:28 +0000 (12:52 +0200)]
units: add generic boot-complete.target
(cherry picked from commit 329d20db3cb02d789473b8f7e4a59526fcbf5728)
Resolves: #1872243
Michal Sekletár [Thu, 26 Mar 2020 12:35:11 +0000 (13:35 +0100)]
device: don't emit PropertiesChanged needlessly
Functions called from device_setup_unit() already make sure that unit is
enqueued in case it is a new unit or properties exported on the bus have
changed.
This should prevent unnecessary DBus wakeups and associated DBus traffic
when device_setup_unit() was called while reparsing /proc/self/mountinfo
due to the mountinfo notifications. Note that we parse
/proc/self/mountinfo quite often on the busy systems (e.g. k8s container
hosts) but majority of the time mounts didn't change, only some mount
got added. Thus we don't need to generate PropertiesChanged for devices
associated with the mounts that didn't change.
Thanks to Renaud Métrich <rmetrich@redhat.com> for debugging the
problem and providing draft version of the patch.
(cherry picked from commit 2e129d5d6bd6bd8be4b5359e81a880cbf72a44b8)
Resolves: #1793533
Michal Sekletár [Thu, 26 Mar 2020 12:34:20 +0000 (13:34 +0100)]
device: make sure we emit PropertiesChanged signal once we set sysfs
(cherry picked from commit 7c4d139485139eae95b17a1d54cb51ae958abd70)
Related: #1793533
Michal Sekletár [Fri, 5 Jun 2020 09:35:01 +0000 (11:35 +0200)]
tests: sleep a bit and give kernel time to perform the action after manual freeze/thaw
Fixes: #16050
(cherry picked from commit a0d79df8e59c6bb6dc0382d71e835dec869a7df4)
Related: #1848421
David Tardon [Tue, 23 Jun 2020 11:58:21 +0000 (13:58 +0200)]
fix mis-merge
Resolves: #1848421
Michal Sekletár [Fri, 3 Apr 2020 07:13:51 +0000 (09:13 +0200)]
test: add test for cgroup v2 freezer support
(cherry picked from commit d446ae89c0168f17eed7135ac06df3b294b3fcc6)
Related: #1830861
Michal Sekletár [Fri, 5 Jun 2020 13:23:12 +0000 (15:23 +0200)]
core: fix the return value in order to make sure we don't dispatch method return too early
Actually, it is the same kind of problem as in d910f4c. Basically, we
need to return 1 on success code path in slice_freezer_action().
Otherwise we dispatch DBus return message too soon.
Fixes: #16050
(cherry picked from commit 2884836e3c26fa76718319cdc6d13136bbc1354d)
Related: #1830861
Michal Sekletar [Thu, 7 May 2020 15:23:30 +0000 (17:23 +0200)]
core/cgroup: fix return value of unit_cgorup_freezer_action()
We should return 0 only if current freezer state, as reported by the
kernel, is already the desired state. Otherwise, we would dispatch
return dbus message prematurely in bus_unit_method_freezer_generic().
Thanks to Frantisek Sumsal for reporting the issue.
(cherry picked from commit d910f4c2b2542544d7b187a09605da7a0f220837)
Related: #1830861
Michal Sekletár [Wed, 29 Apr 2020 15:53:43 +0000 (17:53 +0200)]
core: introduce support for cgroup freezer
With cgroup v2 the cgroup freezer is implemented as a cgroup
attribute called cgroup.freeze. cgroup can be frozen by writing "1"
to the file and kernel will send us a notification through
"cgroup.events" after the operation is finished and processes in the
cgroup entered quiescent state, i.e. they are not scheduled to
run. Writing "0" to the attribute file does the inverse and process
execution is resumed.
This commit exposes above low-level functionality through systemd's DBus
API. Each unit type must provide specialized implementation for these
methods, otherwise, we return an error. So far only service, scope, and
slice unit types provide the support. It is possible to check if a
given unit has the support using CanFreeze() DBus property.
Note that DBus API has a synchronous behavior and we dispatch the reply
to freeze/thaw requests only after the kernel has notified us that
requested operation was completed.
(cherry picked from commit d9e45bc3abb8adf5a1cb20816ba8f2d2aa65b17e)
Resolves: #1830861
Zbigniew Jędrzejewski-Szmek [Thu, 23 Apr 2020 12:53:54 +0000 (14:53 +0200)]
shared: add NULL callback check in one more place
Follow-up for 9f65637308.
(cherry picked from commit d3d53e5cd143bf96d1eb0e254f16fa8d458d38ce)
Related: #1830861
Balint Reczey [Wed, 22 Apr 2020 07:51:53 +0000 (09:51 +0200)]
shared: Don't try calling NULL callback in bus_wait_for_units_clear
BugLink: https://bugs.launchpad.net/bugs/1870930
(cherry picked from commit 9f656373082cb13542b877b4f5cb917ef5ff329c)
Related: #1830861
Zbigniew Jędrzejewski-Szmek [Wed, 17 Jul 2019 07:39:39 +0000 (09:39 +0200)]
shared: fix assert call
Fixup for 3572d3df8f8. Coverity CID#1403013.
(cherry picked from commit 60b17d6fcd988c9995b7d1476d3aba1c4cbbfddd)
Related: #1830861
Lennart Poettering [Mon, 1 Apr 2019 16:54:59 +0000 (18:54 +0200)]
shared: add generic logic for waiting for a unit to enter some state
This is a generic implementation of a client-side logic of waiting until
a unit enters or leaves some state.
This is a more generic implementation of the WaitContext logic currently
in systemctl.c, and is supposed to replace it (a later commit does
this). It's similar to bus-wait-for-jobs.c and we probably should fold
that one into it later on.
This code is more powerful and cleaner than the WaitContext logic
however. In addition to waiting for a unit to exit this also allows us
to wait for a unit to leave the "maintenance" state.
This commit only implements the generic logic, and adds no users of it
yet.
(cherry picked from commit 3572d3df8f822d4cf1601428401a837f723771cf)
Related: #1830861
Michal Sekletár [Wed, 29 Apr 2020 15:40:22 +0000 (17:40 +0200)]
basic/cgroup-util: introduce cg_get_keyed_attribute_full()
Callers of cg_get_keyed_attribute_full() can now specify via the flag whether the
missing keys in cgroup attribute file are OK or not. Also the wrappers for both
strict and graceful version are provided.
(cherry picked from commit 25a1f04c682260bb9b96e25bdf33665d6172db98)
Related: #1830861
Michal Sekletár [Fri, 3 Apr 2020 07:13:59 +0000 (09:13 +0200)]
selinux: do preprocessor check only in selinux-access.c
This has the advantage that mac_selinux_access_check() can be used as a
function in all contexts. For example, parameters passed to it won't be
reported as unused if the "function" call is replaced with 0 on SELinux
disabled builds.
(cherry picked from commit 08deac6e3e9119aeb966375f94695e4aa14ffb1c)
Related: #1830861
Anita Zhang [Wed, 10 Jun 2020 08:18:00 +0000 (01:18 -0700)]
core: don't consider SERVICE_SKIP_CONDITION for abnormal or failure restarts
Fixes: #16115
(cherry picked from commit bb9244781c6fc7608f7cac910269f8987b8adc01)
Related: #1737283
Jan Synacek [Wed, 19 Feb 2020 14:36:13 +0000 (15:36 +0100)]
meson: allow setting the version string during configuration
Very loosely based on upstream commits e1ca734edd17a90a325d5b566a4ea96e66c206e5
and 681bd2c524ed71ac04045c90884ba8d55eee7b66.
Resolves: #1804252
Chris Down [Mon, 30 Sep 2019 17:36:13 +0000 (18:36 +0100)]
cgroup: Mark memory protections as explicitly set in transient units
A later version of the DefaultMemory{Low,Min} patch changed these to
require explicitly setting memory_foo_set, but we only set that in
load-fragment, not dbus-cgroup.
Without these, we may fall back to either DefaultMemoryFoo or
CGROUP_LIMIT_MIN when we really shouldn't.
(cherry picked from commit 184e989d7da4648bd36511ffa28a9f2b469589d1)
Related: #1763435
Chris Down [Mon, 30 Sep 2019 17:25:09 +0000 (18:25 +0100)]
cgroup: Respect DefaultMemoryMin when setting memory.min
This is an oversight from https://github.com/systemd/systemd/pull/12332.
Sadly the tests didn't catch it since it requires a real cgroup
hierarchy to see, and it wasn't seen in prod since we're only currently
using DefaultMemoryLow, not DefaultMemoryMin. :-(
(cherry picked from commit 64fe532e90b3e99bf7821ded8a1107c239099e40)
Related: #1763435
Chris Down [Mon, 30 Sep 2019 17:24:26 +0000 (18:24 +0100)]
cgroup: Check ancestor memory min for unified memory config
Otherwise we might not enable it when we should, ie. DefaultMemoryMin is
set in a parent, but not MemoryMin in the current unit.
(cherry picked from commit 7c9d2b79935d413389a603918a711df75acd3f48)
Related: #1763435
Chris Down [Fri, 3 May 2019 12:40:11 +0000 (08:40 -0400)]
cgroup: Test that it's possible to set memory protection to 0 again
The previous commit fixes this up, and this should prevent it
regressing.
(cherry picked from commit 465ace74d9820824968ab5e82c81e42c2f1894b0)
Related: #1763435
Chris Down [Fri, 3 May 2019 12:32:41 +0000 (08:32 -0400)]
cgroup: Support 0-value for memory protection directives
These make sense to be explicitly set at 0 (which has a different effect
than the default, since it can affect processing of `DefaultMemoryXXX`).
Without this, it's not easily possible to relinquish memory protection
for a subtree, which is not great.
(cherry picked from commit 22bf131be278b95a4a204514d37a4344cf6365c6)
Related: #1763435
Chris Down [Fri, 3 May 2019 12:19:05 +0000 (08:19 -0400)]
cgroup: Readd some plumbing for DefaultMemoryMin
Somehow these got lost in the previous PR, rendering DefaultMemoryMin
not very useful.
(cherry picked from commit 7e7223b3d57c950b399352a92e1d817f7c463602)
Related: #1763435
Chris Down [Tue, 30 Apr 2019 18:22:04 +0000 (14:22 -0400)]
cgroup: Polish hierarchically aware protection docs a bit
I missed adding a section in `systemd.resource-control` about
DefaultMemoryMin in #12332.
Also, add a NEWS entry going over the general concept.
(cherry picked from commit acdb4b5236f38bbefbcc4a47fdbb9cd558b4b5c5)
Related: #1763435
Chris Down [Tue, 16 Apr 2019 17:44:05 +0000 (18:44 +0100)]
unit: Add DefaultMemoryMin
(cherry picked from commit 7ad5439e0663e39e36619957fa37eefe8026bcab)
Related: #1763435
Chris Down [Tue, 16 Apr 2019 17:14:09 +0000 (18:14 +0100)]
cgroup: Create UNIT_DEFINE_ANCESTOR_MEMORY_LOOKUP
This is in preparation for creating unit_get_ancestor_memory_min.
(cherry picked from commit 6264b85e92aeddb74b8d8808a08c9eae8390a6a5)
Related: #1763435
Chris Down [Thu, 28 Mar 2019 12:50:50 +0000 (12:50 +0000)]
cgroup: Implement default propagation of MemoryLow with DefaultMemoryLow
In cgroup v2 we have protection tunables -- currently MemoryLow and
MemoryMin (there will be more in future for other resources, too). The
design of these protection tunables requires not only intermediate
cgroups to propagate protections, but also the units at the leaf of that
resource's operation to accept it (by setting MemoryLow or MemoryMin).
This makes sense from a low-level API design perspective, but it's a
good idea to also have a higher-level abstraction that can, by default,
propagate these resources to children recursively. In this patch, this
happens by having descendants set memory.low to N if their ancestor has
DefaultMemoryLow=N -- assuming they don't set a separate MemoryLow
value.
Any affected unit can opt out of this propagation by manually setting
`MemoryLow` to some value in its unit configuration. A unit can also
stop further propagation by setting `DefaultMemoryLow=` with no
argument. This removes further propagation in the subtree, but has no
effect on the unit itself (for that, use `MemoryLow=0`).
Our use case in production is simplifying the configuration of machines
which heavily rely on memory protection tunables, but currently require
tweaking a huge number of unit files to make that a reality. This
directive makes that significantly less fragile, and decreases the risk
of misconfiguration.
After this patch is merged, I will implement DefaultMemoryMin= using the
same principles.
(cherry picked from commit c52db42b78f6fbeb7792cc4eca27e2767a48b6ca)
Related: #1763435
Filipe Brandenburger [Wed, 12 Sep 2018 06:15:09 +0000 (23:15 -0700)]
test: remove support for suffix in get_testdata_dir()
Instead, use path_join() in callers wherever needed.
(cherry picked from commit 55890a40c3ec0c061c04d1395a38c26313132d12)
Related: #1763435
Yu Watanabe [Mon, 6 Aug 2018 04:42:14 +0000 (13:42 +0900)]
core: introduce cgroup_add_device_allow()
(cherry picked from commit fd870bac25c2dd36affaed0251b5a7023f635306)
Related: #1763435
Tejun Heo [Sat, 9 Jun 2018 00:33:14 +0000 (17:33 -0700)]
core: add MemoryMin
The kernel added support for a new cgroup memory controller knob memory.min in
bf8d5d52ffe8 ("memcg: introduce memory.min") which was merged during v4.18
merge window.
Add MemoryMin to support memory.min.
(cherry picked from commit 484226357789991de0b3363beb69258be06b4c92)
Resolves: #1763435
David Rheinsberg [Thu, 14 Mar 2019 12:34:13 +0000 (13:34 +0100)]
sd-bus: skip sending formatted UIDs via SASL
The dbus external authentication takes as optional argument the UID the
sender wants to authenticate as. This uid is purely optional. The
AF_UNIX socket already conveys the same information through the
auxiliary socket data, so we really don't have to provide that
information.
Unfortunately, there is no way to send empty arguments, since they are
interpreted as "missing argument", which has a different meaning. The
SASL negotiation thus changes from:
    AUTH EXTERNAL <uid>
    NEGOTIATE_UNIX_FD (optional)
    BEGIN
to:
    AUTH EXTERNAL
    DATA
    NEGOTIATE_UNIX_FD (optional)
    BEGIN
And thus the replies we expect as a client change from:
    OK <server-id>
    AGREE_UNIX_FD (optional)
to:
    DATA
    OK <server-id>
    AGREE_UNIX_FD (optional)
Since the old sd-bus server implementation used the wrong reply for
"AUTH" requests that do not carry the arguments inlined, we decided to
make sd-bus clients accept this as well. Hence, sd-bus now allows
"OK <server-id>\r\n" replies instead of "DATA\r\n" replies.
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
(cherry picked from commit 1ed4723d38cd0d1423c8fe650f90fa86007ddf55)
Resolves: #1838081
David Rheinsberg [Thu, 14 Mar 2019 12:33:28 +0000 (13:33 +0100)]
sd-bus: fix SASL reply to empty AUTH
The correct way to reply to "AUTH <protocol>" without any payload is to
send "DATA" rather than "OK". The "DATA" reply triggers the client to
respond with the requested payload.
In fact, adding the data as hex-encoded argument like
"AUTH <protocol> <hex-data>" is an optimization that skips the "DATA"
roundtrip. The standard way to perform an authentication is to send the
"DATA" line.
This commit fixes sd-bus to properly send the "DATA" line. Surprisingly
no existing implementation depends on this, as they all pass the data
directly as argument to "AUTH". This will not work if we want to pass
an empty argument, though.
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
(cherry picked from commit 2010873b4b49b223e0cc07d28205b09c693ef005)
Related: #1838081
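The two sd-bus SASL commits above describe the EXTERNAL exchange from the client and the server side. The following C model of that exchange is an added example, not code from sd-bus or from these commits; `server_reply`, `client_verify`, `run_exchange` and the `SERVER_ID` value are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>
#define SERVER_ID "0123456789abcdef0123456789abcdef" /* constructed sample value */
enum { WAIT_AUTH, WAIT_DATA, WAIT_BEGIN };

/* Server model: reply to one client line (CRLF already stripped). */
static const char *server_reply(int *state, const char *line) {
    if (*state == WAIT_AUTH && strcmp(line, "AUTH EXTERNAL") == 0) {
        *state = WAIT_DATA;             /* no payload inlined: request it */
        return "DATA\r\n";
    }
    if ((*state == WAIT_AUTH && strncmp(line, "AUTH EXTERNAL ", 14) == 0) ||
        (*state == WAIT_DATA && strcmp(line, "DATA") == 0)) {
        *state = WAIT_BEGIN;            /* inlined hex UID, or empty DATA payload */
        return "OK " SERVER_ID "\r\n";
    }
    if (*state == WAIT_BEGIN && strcmp(line, "NEGOTIATE_UNIX_FD") == 0)
        return "AGREE_UNIX_FD\r\n";
    if (*state == WAIT_BEGIN && strcmp(line, "BEGIN") == 0)
        return "";                      /* BEGIN gets no reply in this model */
    return "ERROR\r\n";
}

static int is_ok(const char *l, size_t n) { /* matches "OK <server-id>" */
    return n > 3 && memcmp(l, "OK ", 3) == 0;
}

/* Client: 1 = authenticated, 0 = need more bytes, -1 = unexpected reply. */
static int client_verify(const char *buf) {
    const char *e1 = strstr(buf, "\r\n");
    const char *l2 = e1 ? e1 + 2 : NULL;
    const char *e2 = l2 ? strstr(l2, "\r\n") : NULL;
    if (!e2)
        return 0;
    /* First line: "DATA", or "OK <server-id>" from a server using the old reply. */
    if (!(e1 - buf == 4 && memcmp(buf, "DATA", 4) == 0) && !is_ok(buf, (size_t) (e1 - buf)))
        return -1;
    return is_ok(l2, (size_t) (e2 - l2)) ? 1 : -1;
}

/* Feed the client's lines through the server model, then verify the replies. */
static int run_exchange(const char *const *lines, size_t n) {
    char replies[256] = "";
    int state = WAIT_AUTH;
    for (size_t i = 0; i < n; i++)
        strncat(replies, server_reply(&state, lines[i]), sizeof(replies) - strlen(replies) - 1);
    return client_verify(replies);
}

int main(void) {
    const char *const lines[] = { "AUTH EXTERNAL", "DATA", "NEGOTIATE_UNIX_FD", "BEGIN" };
    printf("result: %d\n", run_exchange(lines, 4));
    return 0;
}
```

The client check looks only at the first two reply lines, since `AGREE_UNIX_FD` is optional and does not affect authentication.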
David Rheinsberg [Thu, 14 Mar 2019 12:26:50 +0000 (13:26 +0100)]
sd-bus: avoid magic number in SASL length calculation
Let's avoid magic numbers and use a constant `strlen()` instead.
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
(cherry picked from commit 3cacdab925c40a5d9b7cf3f67719201bbaa17f67)
Related: #1838081
Filipe Brandenburger [Thu, 24 Jan 2019 04:19:44 +0000 (20:19 -0800)]
core: downgrade CPUQuotaPeriodSec= clamping logs to debug
After the first warning log, further messages are downgraded to LOG_DEBUG.
(cherry picked from commit 527ede0c638b47b62a87900438a8a09dea42889e)
Related: #1770379
Filipe Brandenburger [Fri, 2 Nov 2018 16:21:57 +0000 (09:21 -0700)]
core: add CPUQuotaPeriodSec=
This new setting allows configuration of CFS period on the CPU cgroup, instead
of using a hardcoded default of 100ms.
Tested:
- Legacy cgroup + Unified cgroup
- systemctl set-property
- systemctl show
- Confirmed that the cgroup settings (such as cpu.cfs_period_ns) were set
appropriately, including updating the CPU quota (cpu.cfs_quota_ns) when
CPUQuotaPeriodSec= is updated.
- Checked that clamping works properly when either period or (quota * period)
are below the resolution of 1ms, or if period is above the max of 1s.
(cherry picked from commit 10f28641115733c61754342d5dcbe70b083bea4b)
Resolves: #1770379
Lennart Poettering [Tue, 20 Nov 2018 18:45:02 +0000 (19:45 +0100)]
cgroup: use structured initialization
(cherry picked from commit de8a711a5849f9239c93aefa5554a62986dfce42)
Related: #1770379
Filipe Brandenburger [Thu, 24 Jan 2019 03:48:54 +0000 (19:48 -0800)]
time-util: Introduce parse_sec_def_infinity
This works like parse_sec() but defaults to USEC_INFINITY when passed an
empty string or only whitespace.
Also introduce config_parse_sec_def_infinity, which can be used to parse
config options using this function.
This is useful for time options that use "infinity" for default and that
can be reset by unsetting them.
Introduce a test case to ensure it works as expected.
(cherry picked from commit 7b61ce3c44ef5908e817009ce4f9d2a7a37722be)
Related: #1770379
Tejun Heo [Wed, 13 Jun 2018 21:16:35 +0000 (14:16 -0700)]
core: add IODeviceLatencyTargetSec
This adds support for the following proposed latency based IO control
mechanism.
https://lkml.org/lkml/2018/6/5/428
(cherry picked from commit 6ae4283cb14c4e4a895f4bbba703804e4128c86c)
Resolves: #1831519
ypf791 [Fri, 19 Jul 2019 10:28:04 +0000 (18:28 +0800)]
core: coldplug possible nop_job
When a unit is in state INACTIVE or DEACTIVATING, JobType JOB_TRY_RESTART or
JOB_TRY_RELOAD will be collapsed to JOB_NOP. And use u->nop_job instead
of u->job.
If a JOB_NOP job is going on with a waiting state, a parallel daemon-reload
just installs it during deserialization. Without a coldplug, the job will
not be in m->run_queue, which results in a hung try-restart or
try-reload process.
Reproduce:
run systemctl try-restart test.service (inactive) repeatedly in a terminal.
run systemctl daemon-reload repeatedly in other terminals.
After successful reproduce, systemctl list-jobs will list the hang job.
Upstream: systemd/systemd#13124
(cherry picked from commit b49e14d5f3081dfcd363d8199a14c0924ae9152f)
Resolves: #1829798
David Tardon [Tue, 17 Mar 2020 09:49:44 +0000 (10:49 +0100)]
mount: don't add Requires for tmp.mount
This is a follow-up to #1619292.
rhel-only
Resolves: #1748840
Filipe Brandenburger [Tue, 26 Jun 2018 01:07:48 +0000 (18:07 -0700)]
resolvconf: fixes for the compatibility interface
Also use compat_main() when called as `resolvconf`, since the interface
is closer to that of `systemd-resolve`.
Use a heap allocated string to set arg_ifname, since a stack allocated
one would be lost after the function returns. (This last one broke the
case where an interface name was suffixed with a dot, such as in
`resolvconf -a tap0.dhcp`.)
Tested:
$ build/resolvconf -a nonexistent.abc </etc/resolv.conf
Unknown interface 'nonexistent': No such device
Fixes #9423.
(cherry picked from commit 5a01b3f35d7b6182c78b6973db8d99bdabd4f9c3)
Resolves: #1835594
Andreas Henriksson [Sun, 14 Oct 2018 12:53:09 +0000 (14:53 +0200)]
sulogin-shell: Use force if SYSTEMD_SULOGIN_FORCE set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).
Not being allowed a shell is of course inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.
This patch thus allows to control which behaviour you want by
setting the SYSTEMD_SULOGIN_FORCE environment variable to true
or false to control the behaviour, e.g. via adding this to
'systemctl edit rescue.service' (or emergency.service):
    [Service]
    Environment=SYSTEMD_SULOGIN_FORCE=1
Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf
Fixes: #7115
Addresses: https://bugs.debian.org/802211
(cherry picked from commit 33eb44fe4a8d7971b5614bc4c2d90f8d91cce66c)
Resolves: #1625929
Zbigniew Jędrzejewski-Szmek [Wed, 19 Dec 2018 22:05:48 +0000 (23:05 +0100)]
tmpfiles: fix crash with NULL in arg_root and other fixes and tests
The function to replacement paths into the configuration file list was borked.
Apart from the crash with empty root prefix, it would incorrectly handle the
case where root *was* set, and the replacement file was supposed to override
an existing file.
prefix_root is used instead of path_join because prefix_root removes duplicate
slashes (when --root=dir/ is used).
A test is added.
Fixes #11124.
(cherry picked from commit 082bb1c59bd4300bcdc08488c94109680cfadf57)
Resolves: #1836024
Jan Synacek [Thu, 4 Jun 2020 14:55:52 +0000 (16:55 +0200)]
seccomp: fix __NR__sysctl usage
Loosely based on
https://github.com/systemd/systemd/pull/14032 and
https://github.com/systemd/systemd/pull/14268.
Related: #1843871
Zbigniew Jędrzejewski-Szmek [Tue, 30 Oct 2018 08:02:26 +0000 (09:02 +0100)]
fuzz-compress: add fuzzer for compression and decompression
(cherry picked from commit 029427043b2e0523a21f54374f872b23cf744350)
Resolves: #1843871
Zbigniew Jędrzejewski-Szmek [Mon, 29 Oct 2018 13:55:33 +0000 (14:55 +0100)]
journal: adapt for new improved LZ4_decompress_safe_partial()
With lz4 1.8.3, this function can now decompress partial results into a smaller
buffer. The release news don't say anything interesting, but the test case that
was previously failing now works OK.
Fixes #10259.
A test is added. It shows that with *older* lz4, a partial decompression can
occur with the returned size smaller than the requested number of bytes _and_
smaller than the size of the compressed data:
(lz4-libs-1.8.2-1.fc29.x86_64)
Compressed 4194304 → 16464
Decompressed → 4194304
Decompressed partial 12/4194304 → 4194304
Decompressed partial 1/1 → -2 (bad)
Decompressed partial 2/2 → -2 (bad)
Decompressed partial 3/3 → -2 (bad)
Decompressed partial 4/4 → -2 (bad)
Decompressed partial 5/5 → -2 (bad)
Decompressed partial 6/6 → 6 (good)
Decompressed partial 7/7 → 6 (good)
Decompressed partial 8/8 → 6 (good)
Decompressed partial 9/9 → 6 (good)
Decompressed partial 10/10 → 6 (good)
Decompressed partial 11/11 → 6 (good)
Decompressed partial 12/12 → 6 (good)
Decompressed partial 13/13 → 6 (good)
Decompressed partial 14/14 → 6 (good)
Decompressed partial 15/15 → 6 (good)
Decompressed partial 16/16 → 6 (good)
Decompressed partial 17/17 → 6 (good)
Decompressed partial 18/18 → -16459 (bad)
(lz4-libs-1.8.3-1.fc29.x86_64)
Compressed 4194304 → 16464
Decompressed → 4194304
Decompressed partial 12/4194304 → 12
Decompressed partial 1/1 → 1 (good)
Decompressed partial 2/2 → 2 (good)
Decompressed partial 3/3 → 3 (good)
Decompressed partial 4/4 → 4 (good)
...
If we got such a short "successful" decompression in decompress_startswith() as
implemented before this patch, we could be confused and return a false negative
result. But it turns out that this only occurs with small output buffer
sizes. We use greedy_realloc() to manage the buffer, so it is always at least
64 bytes. I couldn't hit a case where decompress_startswith() would actually
return a bogus result. But since the lack of proof is not conclusive, the code
for *older* lz4 is changed too, just to be safe. We cannot rule out that on a
different architecture or with some unlucky compressed string we could hit this
corner case.
The fallback code is guarded by a version check. The check uses a function not
the compile-time define, because there was no soversion bump in lz4 or new
symbols, and we could be compiled against a newer lz4 and linked at runtime
with an older one. (This happens routinely e.g. when somebody upgrades a subset
of distro packages.)
(cherry picked from commit e41ef6fd0027d3619dc1cf062100b2d224d0ee7e)
Resolves: #1843871
Zbigniew Jędrzejewski-Szmek [Mon, 29 Oct 2018 21:21:28 +0000 (22:21 +0100)]
test-compress: add test for short decompress_startswith calls
I thought this might fail with lz4 < 1.8.3, but it seems that because of
greedy_realloc, we always use a buffer that is large enough, and it always
passes.
(cherry picked from commit ba17efce44e6a1e139c1671205e9a6ed3824af1b)
Resolves: #1843871
Zbigniew Jędrzejewski-Szmek [Mon, 29 Oct 2018 17:32:51 +0000 (18:32 +0100)]
Drop support for lz4 < 1.3.0
lz4-r130 was released on May 29th, 2015. Let's drop the work-around for older
versions. In particular, we won't test any new code against those ancient
releases, so we shouldn't pretend they are supported.
(cherry picked from commit e0a1d4b049e6991919a0eacd5d96f7f39dc6ddd1)
Resolves: #1843871
Anita Zhang [Sat, 29 Jun 2019 00:02:30 +0000 (17:02 -0700)]
core: ExecCondition= for services
Closes #10596
(cherry picked from commit 31cd5f63ce86a0784c4ef869c4d323a11ff14adc)
Resolves: #1737283
Zbigniew Jędrzejewski-Szmek [Tue, 26 Mar 2019 10:38:55 +0000 (11:38 +0100)]
test-execute: provide custom failure message
test_exec_ambientcapabilities: exec-ambientcapabilities-nobody.service: exit status 0, expected 1
Sometimes we get just the last line, for example from the failure summary,
so make it as useful as possible.
(cherry picked from commit 6aed6a11577b108b9a39f26aeae5e45d98f20c90)
Related: #1737283
Zbigniew Jędrzejewski-Szmek [Fri, 15 Mar 2019 12:42:55 +0000 (13:42 +0100)]
test-execute: allow filtering test cases by pattern
When debugging failure in one of the cases, it's annoying to have to wade
through the output from all the other cases. Let's allow picking select
cases.
(cherry picked from commit 9efb96315ae502dabeb94ab35816ea8955563b7a)
Related: #1737283
Lennart Poettering [Mon, 19 Nov 2018 13:48:28 +0000 (14:48 +0100)]
tests: always use the right vtable wrapper calls
Prompted by https://github.com/systemd/systemd/pull/10836#discussion_r234598868
(cherry picked from commit bd7989a3d90e5d97e09f1eef33d09b2469a79f4d)
Related: #1737283
Lennart Poettering [Tue, 13 Nov 2018 22:28:09 +0000 (23:28 +0100)]
core: log a recognizable message when a unit succeeds, too
We already are doing it on failure, let's do it on success, too.
Fixes: #10265
(cherry picked from commit 523ee2d41471bfb738f52d59de9b469301842644)
Related: #1737283
Lennart Poettering [Tue, 13 Nov 2018 20:25:22 +0000 (21:25 +0100)]
core: make log messages about units entering a 'failed' state recognizable
Let's make this recognizable, and carry result information in a
structured fashion.
(cherry picked from commit 7c047d7443347c109daf67023a01c118b5f361eb)
Related: #1737283
Lennart Poettering [Mon, 10 Dec 2018 19:56:57 +0000 (20:56 +0100)]
core: split out all logic that updates a Job on a unit's unit_notify() invocation
Just some refactoring, no change in behaviour.
(cherry picked from commit 16c74914d233ec93012d77e5f93cf90e42939669)
Related: #1737283
Lennart Poettering [Wed, 14 Nov 2018 10:08:16 +0000 (11:08 +0100)]
job: when a job was skipped due to a failed condition, log about it
Previously we'd neither show console status output nor log output. Let's
fix that, and still log something.
(cherry picked from commit 9a80f2f4533883d272e6a436512aa7e88cedc549)
Related: #1737283
Lennart Poettering [Tue, 13 Nov 2018 18:57:43 +0000 (19:57 +0100)]
core: move unit_status_emit_starting_stopping_reloading() and related calls to job.c
This call is only used by job.c and very specific to job handling.
Moreover the very similar logic of job_emit_status_message() is already
in job.c.
Hence, let's clean this up, and move both sets of functions to job.c,
and rename them a bit so that they express precisely what they do:
1. unit_status_emit_starting_stopping_reloading() →
job_emit_begin_status_message()
2. job_emit_status_message() → job_emit_done_status_message()
The first call is after all what we call when we begin with the
execution of a job, and the second call what we call when we are done
with it.
Just some moving and renaming, no other changes, and hence no change in
behaviour.
(cherry picked from commit 33a3fdd9781329379f74e11a7a2707816aad8c61)
Related: #1737283
Evgeny Vereshchagin [Mon, 17 Sep 2018 07:12:38 +0000 (07:12 +0000)]
nspawn: chown() the legacy hierarchy when it's used in a container
This is a follow-up to 720f0a2f3c928cc9379501a52146be9fbb4d9be2.
Closes https://github.com/systemd/systemd/issues/10026
Closes https://github.com/systemd/systemd/issues/9563
(cherry picked from commit 89f180201cd8c0f3ce5cb6e8dd7e2b3cbcf71527)
Resolves: 1837094
Lennart Poettering [Tue, 5 Mar 2019 17:57:53 +0000 (18:57 +0100)]
nspawn: move payload to sub-cgroup first, then sync cgroup trees
If we sync the legacy and unified trees before moving to the right
subcgroup then ultimately the cgroup paths in the hierarchies will be
out-of-sync... Hence, let's move the payload first, and sync then.
Addresses: https://github.com/systemd/systemd/pull/9762#issuecomment-441187979
(cherry picked from commit 27da7ef0d09e00eae821f3ef26e1a666fe7aa087)
Resolves: #1837094