Expose a new `withKmod` option to be able to enable and disable kmod
integration, including the `systemd-modules-load` tool for automatic
modules loading during the system boot sequence.
Expose a new `withPam` option to allow enabling and disabling
integration with PAM stack, including the `systemd-user-sessions` daemon
and the associated `.service` file, as well as `pam_systemd.so` PAM
module for integration with `systemd-logind` and user session
registration with the systemd cgroup hierarchy.
Expose a new `withAudit` flag (defaults to `true` for backwards compatibility) to be able to conditionally enable and disable an integration with the `libaudit` library, which is used to integrate with Linux Audit Framework for logging various security-relevant events.
Expose a new `withAcl` flag (defaults to true for backwards compatibility) to be able to conditionally enable and disable an integration with the `libacl` library, which is used by a variety of systemd tools and daemons, e.g. `journald` will check ACLs in addition to regular permissions when accessing journal files and `systemd-nspawn` will update ACL entries when used with the `--private-users-chown` flag.
Expose a new `withLibidn2` flag (defaults to true for backwards compatibility) to be able to conditionally enable and disable integration with `libidn2`, which is used by the `systemd-network` and `systemd-resolved` to support internationalized domain names.
Changelog:
```
6c327d74aa hwdb: update to 11875a98e4f1c31e247d99e00c7774ea3653bafd
0b81fcd16d chase-symlinks: Always open a dirfd to the root directory
aa20a210a0 chase-symlinks: chase_symlinks_at() AT_FDCWD fixes
bb3e44323b escape: add missing non-NULL parameter assertions
c4e7cf2bd7 test-escape: Add tests for escaping bogus UTF-8 sequences
e906fd2421 escape: Ensure that output is always valid UTF-8
1a22006574 virt: correctly detect QEMU emulated pSeries guests
5ee19fdfa0 psi-util: fix error handling
9ffa0d439f journald: remove triplicate logging about failure to write log lines
4f7f93cc6a journald: downgrade various log messages from LOG_WARNING to LOG_INFO
a2dc51cd8c journald: make sure shall_try_append_again() logs about all return codes passed in, not just some
144ac494ec systemctl: print better message if default target is masked
791754f683 Revert "dissect-image: don't probe swap partitions needlessly"
d0e7841dce rules: remove redundant duplicate comparisons
dc98d58dd8 man: add two missing commands to synopsys
e093acd062 core/dbus-socket: check the socket path is absolute
a719c2ec2f sd-event: fix error handling
58c821af60 sd-event: always initialize sd_event.perturb
2bfb07b22f systemctl: show "Until:" field only for service and scope units
d9abd8babe tmpfiles.d: drop misleading comment
0f4dbe6367 Enable TPM by default with SetCredentialEncrypted
8d8240bdf6 stub: Fix unaligned read
44c2ff5b1e efi: drop executable-stack bit from .elf file
f2460b78b9 logind-session: make stopping of idle session visible to admins
1947b9939c sleep: check if we're on AC power before checking battery capacity
452cad62c8 install: fail early if specifier expansion failed
eae11e3f06 homectl: add missing break
9024afb994 core/manager: falling back to execute generators without sandboxing
aac692160e man/tmpfiles.d: adjust the table in synopsis, improve spelling
d2739b8c14 test: disable pipefail when testing interactive firstboot
755431b233 ukify: Set fast_load option when parsing PE files
343e90462f core: permit sending augmented enable/disable methods
ba1cb4156b process-util: show requested process name in the log
5140da8937 systemctl: edit: fix double free of instanced name
c4cdbb978f journalctl: fix output when --lines is used with --grep
6dafcad55c loop-util: fix error condition and return value
ec6c1fbf7d Correct journal misspell
6b6df9a845 cryptsetup: check the existence of salt by salt_size > 0
cd5de2811a boot: Fix assertion failure
01b90e1588 pid1: generate compat warning for SystemCallArchitectures= if seccomp is off
a3177cbe54 core/mount: fix default target for /sysusr/usr and its child
3168bda640 mkosi: configure multiarch libdir in debian/ubuntu builds
51b7acfcef tpm2: fix build failure without openssl
a88e35bf95 resolved: Fall back to TCP if UDP is blocked
```
systemd v253 changelog/NEWS:
https://github.com/systemd/systemd/blob/v253/NEWS
NixOS changes:
0007-hostnamed-localed-timedated-disable-methods-that-cha.patch was
dropped, because systemd gained support to handle read-only /etc.
*-add-rootprefix-to-lookup-dir-paths.patch required some updates too,
as src/basic/def.h moved to src/basic/constants.h.
systemd/systemd#25771 switched p11kit to become
dlopen()'ed, so we need to patch that path.
added a note to the 23.05 release notes to recommend `nixos-rebuild boot`
Co-authored-by: Florian Klink <flokli@flokli.de>
with structuredAttrs lists will be bash arrays which cannot be exported
which will be an issue with some patches and some wrappers like cc-wrapper
this makes it clearer that NIX_CFLAGS_COMPILE must be a string as lists
in env cause an eval failure
libBPF does not compile for mips64 targets using clang (rather than
gcc) because clang lacks the necessary _MIPS_SZPTR compiler builtin.
Let's allow the rest of systemd to compile.
- The glibc people noticed this problem [way back in
2011](https://sourceware.org/pipermail/libc-ports/2011-June/001959.html)
and consider it to be a clang/llvm bug. I am inclined to agree.
- [clang has the `_MIPS_SZPTR`
builtin](3af9cb5375/clang/lib/Basic/Targets/Mips.cpp (L185))
and seems to have had it since before they switched to git.
This may in fact be a nixpkgs bug -- that we're not invoking clang
in a way that tells the frontend to make the mips builtins
available, even if the backend is emitting mips binaries. Or at
least we aren't tricking systemd's build machinery into doing that.
GHC's js backend depends on systemd via emscripten via closure compiler
via jdk via cups. Before it fails to evaluate, though, since
llvmPackages looks into `targetPackages.stdenv.cc` to determine which
C++ library to use (something that should be rectified in the future).
[Unfortunately], for `pkgsCross.ghcjs`, `stdenv.cc` throws which blows
up evaluating `pkgsCross.buildPackages.llvmPackages.clang`.
This is in principle unnecessary. We want to build
`pkgsCross.ghcjs.buildPackages.haskell.compiler.native-bignum.ghcHEAD`
which depends on `pkgsCross.ghcjs.buildPackages.systemd` which needs
clang and friends only in `nativeBuildInputs`, so
`pkgsCross.ghcjs.buildPackages.buildPackages.llvmPackages.clang`.
Unfortunately, due to the nature of splicing, we first evaluate the
“adjacent” derivation before we can access the spliced derivation we are
actually interested in. If the former
fails (`pkgsCross.ghcjs.buildPackages.llvmPackages.clang`), we can't do
the latter.
The solution is to just not rely on splicing in this case and take
`buildPackages.llvmPackages.clang` directly (relative to
`buildPackages.systemd` in this case!) which avoids the whole problem.
[Unfortunately]: c739c420db (diff-3209527bd27cbc775f579b1e295b0264c850859c7245d526965cec456b8c70a4R61)
Fixes sd-boot on (some?) Intel Macbooks, as reported in
https://github.com/NixOS/nixpkgs/pull/201558#issuecomment-1348823127.
Full log:
```
13de548fca network: manage addresses in the way the kernel does
fcc174cbdd import: wire up SYSTEMD_IMPORT_BTRFS_{SUBVOL,QUOTA} to importd
6cb0724a06 machine-pool: simplify return values from setup_machine_directory()
1c9e7fc8f2 boot: Only do full driver initialization in VMs
79b97ec652 boot: improve support for qemu (helpers only)
87add68b39 boot: Make sure all partitions drivers are connected
989f0c52e1 boot: Use EFI_BOOT_MANAGER_POLICY_PROTOCOL to connect console devices
b89be71bf4 network: unset Link.ndisc_configured only when a new address or route is requested
fc4f804b07 network: fix indentation
fc60072926 dissect: rework DISSECT_IMAGE_ADD_PARTITION_DEVICES + DISSECT_IMAGE_OPEN_PARTITION_DEVICES
1267b35273 fuzz: shorten filename of testcase
7fc478f751 resolve: optimize conversion of TXT fields to json
772e89452e hexdecoct: fix NULL pointer dereferences in hexmem()
002fc46688 hexdecoct: add missing NULL check
be1088b7a0 test: add tests for base64_append()
acb0414a1f hexdecoct: several cleanups for base64_append()
9410eb20eb cryptsetup: retry TPM2 unseal operation if it fails with TPM2_RC_PCR_CHANGED
1c8abb343a man: mention that DefaultRouteOnDevice= create the IPv4 default route
6c869ad3bd selinux: accept the fact that getxyzcon() can return success and NULL
0fdeb7c640 oomd: print dry run output at INFO level
4119d25e62 journald: prevent segfault on empty attr/current
6fdf196f99 core: use correct scope of looking up units
6d7b0dacc6 test-network: add test for bond mac address config
6405eba4b6 network: Fix set bond device MAC address failed
dbc59253ec test-fs-util: Add relative path chase_symlinks() tests
6e99f9c8fb chase-symlink: when converting directory O_PATH fd to real fd, don't bother with /proc/
bc6fc812fd test: add basic tests for octescape()
2ea5de7881 escape: fix wrong octescape of bad character
8999727a82 network: drop REMOVING flag when a netlink message is sent to kernel
a064abff76 dissect: show color in log output
278a97708b log: Switch logging to runtime when FS becomes read-only
44984e15bb resolve: format zero-length RDATA according to rfc3597
d59009dc1d manager: do not append '\n' when writing sysctl settings
2a66b4c894 test: check if we can use SHA1 MD for signing before using it
d0b80bf81e dissect-image: log expected UUID for /var
b0b97848e8 bootspec: fix null-dereference-read
0ba8e9ecff virt: Support detection of LMHS SRE guests
787b2c32f3 terminal-util: Set OPOST when setting ONLCR
c7bf13b2d9 units: change Requires=systemd-networkd.service → BindsTo= one more time
e3d9376692 core/device: verify device syspath on switching root
9523f85b2e core/device: also serialize/deserialize device syspath
10b3ce781b core/device: update comment
2505010178 sd-netlink: fix segfault
4b885f3591 test: Add tests for systemd-cgtop args parsing
b97c1c427c cgtop: Do not rewrite -P or -k options
6cbf72a8d9 logind: Properly unescape names of lingering users
01a39e96b5 units: Use BindsTo=systemd-networkd in systemd-networkd-wait-online.service
b0c39ffc54 resolved: remove inappropriate assert()
e0521346ec stub: Detect empty LoadOptions when run from EFI shell
7ca40a8b08 stub: Fix cmdline handling
b39f2ab98f boot: Use xstr8_to_16 for path conversion
6387a74d2c boot: Use xstr8_to_16
ff7469af96 boot: Add xstrn8_to_16
475c130003 core: update audit messages
c74bc2cd49 dissect: fix fsck
ce55eb4ebd process-util: add new FORK_CLOEXEC_OFF flag for disabling O_CLOEXEC on remaining fds
36c3c4172d fd-util: add new fd_cloexec_many() helper
57b4329b38 fd-util: make fd_in_set() (and thus close_all_fds()) handle invalidated fds in the array
12c41564cd tmpfiles: log at info level when some allowed failures occur
77f524dda0 find-esp: include device sysname in the log message
8d23210a2e find-esp: downgrade and ignore error on retrieving PART_ENTRY_SCHEME when searching
eea92b179d sd-bus: Use goto finish instead of return in bus_add_match_full
0916514b8c strv: Make sure strv_make_nulstr() always returns a valid nulstr
2ddd7b5def bootctl: rework how we handle referenced but absent EFI boot entries
2daecc7179 bootctl: downgrade log message when firmware reports non-existent or invalid boot entry
9a7186e92a bootctl: make boot entry id logged in hex
62f58d94f8 dissect-image: do not try to close invalid fd
c1dd021d16 boot: Silence driver reconnect errors
a09a41c2f7 meson: install test-kernel-install only when -Dkernel-install=true
9b6f12262f udev: make sure auto-root logic also works in UKIs booted from XBOOTLDR
d5e3625a61 repart: respect --discard=no also for block devices
79f161ac65 portable: add a few more useful debug log messages
bcd42b3c88 oomd: fix unreachable test case in test-oomd-util
2bdf5b0382 oomd: always allow root-owned cgroups to set ManagedOOMPreference
da01d83ab4 network: wifi: try to reconfigure when connected
595dd9b2b9 resolved: Fix OpenSSL error messages
2ecb8fc841 basic/strv: check printf arguments to strv_extendf()
81e2c87a47 manager: fix format strings for trigger metadata
d337ac02d6 resolved: when configuring 127.0.0.1 as per-interface DNS server, contact it via "lo" always
813d52dbf8 resolved: use right conditionalization when setting unicast ifindex on UDP sockets
2b52748d45 nspawn: allow sched_rr_get_interval_time64 through seccomp filter
5c34bc9bc3 boot/measure: fix oom check
f68be4fd79 fuzz: fuzz-compress: fix copy-and-paste error: buf -> buf2 (#25431)
132f0ec7de Handle MACHINE_ID=uninitialized
25fcbdae7e shared/tpm2-util: Fix "Error: Esys invalid ESAPI handle (40000001)" warning
6189505d79 boot: Correctly handle @saved default patterns
148b2d8ad3 Revert "journal: Make sd_journal_previous/next() return 0 at HEAD/TAIL"
d34ea410f4 Fix reading /etc/machine-id in kernel-install (#25388)
7b99f68f1c systemctl: do not show unit properties with --all
f791ecd0c5 ac-power: check battery existence and status
c2620a6bdb pid1: skip cleanup if root is not tmpfs/ramfs
83a772aae2 Revert "initrd: extend SYSTEMD_IN_INITRD to accept non-ramfs rootfs"
4d11c9b3cd networkd-ipv4acd.c: Use net/if.h for getting IFF_LOOPBACK definition
aff1caf3fd boot: Replace firmware security hooks directly
f9d9a68ecc boot: Rework security arch override
c6d7b4014c boot: Manually convert filepaths if needed
c8c5b79fb6 boot: Do not require a loaded image path
5894d4bd79 boot: Fix memory leak
5c0b918c02 boot: Fix error message
542dbc623e tpm2: add some extra validation of device string before using it
b3228085ba tpm2-util: force default TCTI to be "device" with parameter "/dev/tpmrm0"
31c2abd305 Create CNAME
2ec3187d6c test: compile test-utmp.c only if UTMP is enabled
```
```
git log --oneline v251.7..v251.8
ae8b249af4 test: fstab-generator: adjust PATH for fsck
03514a9f64 man: add note that network-generator is not a generator
8c8a423821 condition: Check that subsystem is enabled in ConditionSecurity=tpm2
9243b88b55 test: wait for loop device to be removed
f5c2be99bc test: wait for the lodev to get properly initialized
8cfe979030 test: disable LSan in the ASan env wrapper
db00a62be8 test: introduce a simple environment file for test service
fd082f335e test: lower the # of mpath devices to 16
d17a45340b test: make TEST-64 a bit more ASan friendly
a51cc9e578 test: don't wrap binaries built with ASan
e176dca593 test: drop all LD_PRELOAD-related ASan workarounds
9fba4cdf61 test: set $ASAN_RT_PATH along with $LD_PRELOAD to the ASan runtime DSO
4fbf69fd1b semaphore: remove the Semaphore repositories recursively
6258394c1e test: wrap `ls` and `stat` to make it work w/ sanitizers in specific cases
db14b371df test: create an ASan wrapper for `getent` and `su`
1027d3d633 test: always wrap useradd/userdel when running w/ ASan
65ab7b0950 Revert "Support -D_FORTIFY_SOURCE=3 by using __builtin_dynamic_object_size."
f994276068 test: make TEST-63 more reliable on slower machines
68b4f10f82 test: use PBKDF2 with capped iterations instead of Argon2
1f32ec761c hashmap: use assert_se() to make clang happy
94a25aa6d5 coredump: drop an unused variable
5f09fa4d5e network: drop an unused variable
a29ddb989b machine: drop an unused variable
9a71cd3bf6 sd-journal: drop an unused variable
ae0537f18f ci: reenable validation of GH Actions files
6e92f64ca4 ci: temporarily disable validation of GH Action files
6cd1b11d02 cryptsetup: fix build with -Db_ndebug=true
0ab5e9fe98 test: wrap binaries using systemd DSOs when running w/ ASan
6d4ae5a7cd test: make the virt detection quiet
024ee3def9 test: check for other hypervisors as well
520be40734 test-mountpoint-util: support running on a mount namespace with another mount on /proc
2cd4aed358 test-mountpoint-util: use log_info()
c7b66dbe2a test-mountpoint-util: fix NULL arg to %s
4e49c726ad test: drop redundant log message
b57ef0c672 build(deps): bump meson from 0.63.2 to 0.63.3 in /.github/workflows
8c80564405 build(deps): bump ninja from 1.10.2.3 to 1.10.2.4 in /.github/workflows
70e90da84b build(deps): bump meson from 0.63.1 to 0.63.2 in /.github/workflows
489c00dee5 build(deps): bump meson from 0.63.0 to 0.63.1 in /.github/workflows
08e85ad43d build(deps): bump meson from 0.62.2 to 0.63.0 in /.github/workflows
b0619c9c55 build(deps): bump meson from 0.62.0 to 0.62.2 in /.github/workflows
d982169592 build(deps): bump systemd/mkosi
9d4af5fea1 mkosi: libbpf0 -> libbpf1
3abf9f08f1 mkosi: Switch to Fedora 37
18f9fbab08 mkosi: update to latest commit
5403b727a7 mkosi: Use SourceFileTransfer=mount
9744c04ffd mkosi: Drop kernel-modules-extra from Fedora config
ab2f7a9b9e mkosi: install fdisk for test-loop-block
17acdca99d mkosi: Set ExtraSearchPaths=build/ by default
420e782904 mkosi: update to latest commit
43ef15c752 mkosi: add back packages removed from OpenSUSE build
9a94aa1d88 mkosi: disable isc-dhcp-server again
d1785c462f mkosi: Ensure we build all features/components in mkosi
6712396da3 meson: Downgrade efi-ld warning
66309ee674 ci: Add mold to build tests
86c25ca937 ci: build with clang-15; drop clang-12
28457b030e mkosi: Drop workarounds
abecb21561 mkosi: Update to latest commit
d9eaf39930 mkosi: Update to latest commit
619b36b22c mkosi: Don't use InstallDirectory by default
cdf3fd312a mkosi: Use mkosi.output/ as output directory by default
b8a746e89b mkosi: Add package libfdisk to Ubuntu dependencies (#24211)
0e518f3639 ci: set a timeout for each mkosi stage
5e79cf977c mkosi: Update to latest
edef8edf0b mkosi: Update to latest commit
a0402d3ab6 mkosi: Update to latest commit
081168fa19 mkosi: Build against Fedora rawhide as well
a38a0504ec mkosi: Remove usage of deprecated option names/sections
47404f1802 mkosi: Changes to allow booting with sanitizers in mkosi
db1281e12e mkosi: Update Ubuntu config to 22.04
ca8dc691fe mkosi: Install xxd in images
f12a6945c6 ci: limit which env variables we pass through `sudo`
7e24ac6d77 mkosi: update to latest main
a46ba01e79 mkosi: Update to latest release
7ef1d71895 mkosi: Pull in fix that solves action mirror issue
d3d90ae66b mkosi: Update CI to mkosi 13
9bf797be2c ci: build systemd with clang with -Dmode=release --optimization=2
9e88b3a5e1 ci: bump gcc in the "build test" workflow
dcbc64db61 ci: prefer the distro llvm version if available
ccd81889d4 ci: bump GH Actions to Ubuntu Jammy where applicable
b8fbf21526 kernel-install/90-loaderentry: do not add multiple systemd.machine_id options
fe5e692bfc tests: minor simplification in test-execute
a94fe70bbe tests: make test-execute pass on openSUSE
4a65c1674b firstboot: fix segfault when --locale-messages= is passed without --locale=
c3b22515b9 test: introduce sanity coverage for auxiliary utils
c61e4377d7 udev: add safe guard for setting by-id symlink
2f4fdaaecc udev: drop redundant call of usb_id and assignment of ID_USB_INTERFACE_NUM
491924940f udev: first set properties based on usb subsystem
293c006789 test: further extend systemctl's sanity coverage
f48e6576a2 test: add a couple of sanity tests for systemctl
3d5e379808 test: rename TEST-26-SETENV to TEST-26-SYSTEMCTL
a34afc4197 namespace: Add hidepid/subset support check
2ac138a5b6 coverage: Mark _coverage__exit as noreturn
9952c228a9 parse_hwdb: allow negative value for EVDEV_ABS_ properties
7b6fa1d3e6 test: add a couple of sanity tests for journalctl
cf21555d6d sd-device-monitor: dynamically allocate receive buffer
ee42e84968 man: use the correct 'Markers' property name for marking units
45090f3418 core: fix memleak in GetUnitFileLinks method
7eefd2fbb7 network: forcibly reconfigure all interfaces after sleep
66fa6110ba resolved: fix typo in feature level table
2f8f1d9e4a network: skip to reassign master ifindex if already set
d94f197818 resolved: fix copypasta in resolved varlink API
b61fcaca1b udev: always create device symlinks for USB disks
6fc2f387af man: Add documentation for AssertCredential= (#25178)
c339e8d71b man: document reboot --poweroff exception
91b8491e97 network: allow 0 for table number
3f94f03389 network: Table= also accepts table name
bdd84e82e5 analyze: add --image= + --root= to --help text
23d66a03de meson: Fix build with --optimization=plain
98a45608c4 manager: allow transient units to have drop-ins
228cd82d2c manager: reformat boolean expression in unit_is_pristine()
```
Changes:
```
654ae8c1e4 base-filesystem.c: add trailing zero byte for s390x entry
e4a19eef33 basic/missing_loop.h: fix missing lo_flags LO_FLAGS_DIRECT_IO
24238be484 mount-util: fix error code
1b1ad8c79f udev: certainly restart event for previously locked device
7dacfb3fb4 stub: Use EfiLoaderCode for kernel memory
eaeaf4f6ef network: do not silently stop to process configuration on activation failure
bb803856bc bus: use inline trace argument for ANONYMOUS auth
6349062326 Fix ObjectManager interface emitted for non-manager objects
c90ab07fa0 test-bus-objects: Test interfaces added/removed signal interfaces
e32fe1b457 Fix GetManagedObjects returning ObjectManager interface for non-manager objects
efd8e39f4a test-bus-objects: Test GetManagedObjects interfaces are correct
344efd022a coredump: when parsing json, optionally copy the string first
de08edca17 systemctl: color ignored exit status in yellow, not red
1531a496e3 manager: make clear internal Dump() logic is debugging only.
c4fd38f7d2 man: document the Dump() calls of the PID 1 D-Bus interface, and what they are
140fee4627 resolve: do not cache mDNS goodbye packet
1a2d93a770 kbd-model-map: correct variants for cz-qwerty to include comma
9d1ebb2247 resolve: persist DNSOverTLS configuration in state file
3137ac6ef5 udev: support by-path devlink for multipath nvme block devices
c948091cc5 run: make --working-directory= work for --scope too
7bb204620d kbd-model-map: add a mapping for switched czech qwerty/us
e5157050d1 test: add more test cases for mkdir_p_safe() and mkdir_p_root()
b3a9f7b5cb mkdir: chase_symlinks_and_stat() does not return 0
0bfdc91807 units: make sure that initrd-switch-root.service pulls in .target
45fb64c54b units: add dependency ordering for emergency.service conflicts
6535813084 units: add ordering dependencies on initrd-switch-root.target
09c90224f1 units/systemd-network-generator.service: add forgotten ordering for shutdown
1dd723a3b8 units: reorder/split unit dependency blocks
054cad0097 man: explicitly document that "reboot -f" is different from "systemctl reboot -f"
c5b0ae86b1 watchdog: use /dev/watchdog0 only if it exists
ac805eac15 journalctl: respect --quiet flag during file concistency verification
c1d729795d xdg-autostart-service: expand tilde in Exec lines
35c5f5d688 unit: drop ProtectClock=yes from systemd-udevd.service
175ba30cf6 busctl: Fix warning about invaild introspection data
6c7b91372d udev/rules,hwdb: filter out mostly meaningless default strings
8b89e677e9 units: prolong the stop timeout for homed
202a79e7c5 homed: don't wait indefinitely for workers on exit
44660d2e12 man: fix static bridge example
e0dde8a14f log: don't attempt to duplicate closed fd
254b77e73c condition: fix device-tree firmware path
96da39ddb1 udev-util: minor cleanups for on_ac_power()
3345520512 docs: fix incorrect env var name for credentials directory
49f9fa87b2 shell-completion: drop unused $mode
1e29d934de oomd: fix off-by-one when dumping kill candidates
b00cb050c8 on-ac-power: ignore devices with scope==Device
9886011356 on-ac-power: rework logic
1fc74d251e sd-device: add helper to read a unsigned int attribute
6d4c138534 shared/udev-util: say "ignoring device", not "ignoring"
cd2fad2300 virt: Support detection of Apple Virtualization.framework guests
6e47e75c86 virt: align tables
951e99231e check-os-release.py compatible with Python < 3.8
d572a74163 core/mount: adjust deserialized state based on /proc/self/mountinfo
2e372afc35 Allow uneven length BootXXXX variables
8ad143e684 gpt: fix native uuids for s390x
2bb9a0a29b udev: fix inversed inequality for timeout of retrying event
cf67d5ed1b bash-completion: add systemd-sysext support
ada437cfb1 sysext: add missing COMMAND to the help output and man synopsis
58bc1e8e04 hostname: make chassis type actually obtained from ACPI when nothing from DMI
4ffde70981 booctl: do not say uuids differ if one of the uuids is unset
5219a99ccb bash-completion: autocomplete cgroup names in systemd-cgtop
9f2f391153 sysusers: add fsync for passwd (#24324)
c966377c51 dhcp6: do not append ORO option when no option requested
97474b03e7 dhcp6: gracefully handle NoBinding error
c67a388aef udev/cdrom_id: check last track info
52c631b02e firstboot: fix can't overwrite timezone
f279a6f4d1 cryptenroll: fix memory leak
66b060225d sd-device-enumerator: drop noisy log messages
6e1acfe818 sd-device-monitor: actually refuse to send invalid devices
81339c45e8 sd-device-monitor: fix inversed condition
1760559918 resolvctl: only remove protocol after last dot when mangling ifname for resolvconf
a3348ba748 oom: drop invalid %m in the log message
b3dd66f32b meson: Test correct efi linker for supported args
f9d936b865 sysusers: properly process user entries with an explicit GID
ec5a46ca34 sysusers: only check whether the requested GID is available
037b1a8acc dhcp: fix potential buffer overflow
ed2955f8fe udev-util: assume system is running on AC power when no battery found
37b54927d3 Fix issue with system time set back (#24131)
4fdca1ab9e shared/generator: Ensure growfs unit runs after repart
32f9d70f8b manager: optionally, do a full preset on first boot
```
When we initially applied the openembedded patchset to make systemd
build with musl, these options had to be disabled for it to work.
Now they seem to work fine, so re-enabling.
The NixOS systemd module has to include some upstream unit files
depending on if the systemd package was built with utmp support.
This makes it possible for the NixOS systemd module to detect if the
systemd package was built with utmp support.
So far, we have been building Systemd without `BPF_FRAMEWORK`. As a
result, some Systemd features like `RestrictNetworkInterfaces=` cannot
work. To make things worse, Systemd doesn't even complain when using a
feature which requires `+BPF_FRAMEWORK`; yet, the option has no effect:
```
# systemctl --version | grep -o "\-BPF_FRAMEWORK"
-BPF_FRAMEWORK
# systemd-run -t -p RestrictNetworkInterfaces="lo" ping -c 1 8.8.8.8
```
This commit enables `BPF_FRAMEWORK` by default. This is in line with
other distros (e.g., Fedora). Also note that BPF does not support stack
protector: https://lkml.org/lkml/2020/2/21/1000. To that end, I added a
small `CFLAGS` patch to the BPF building to keep using stack protector
as a default.
I also added an appropriate NixOS test.
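The commit message above shows the failure mode: a hardening directive such as `RestrictNetworkInterfaces=` is accepted by a systemd built without `BPF_FRAMEWORK` but has no effect. The following POSIX shell script is an added example (not part of the nixpkgs commit or of systemd) that parses the feature line of `systemctl --version` and reports directives in a unit file whose required compile-time feature is missing. The `systemctl --version` outputs and the unit file are constructed samples; the mapping of `RestrictFileSystems=` to `BPF_FRAMEWORK` and of `SystemCallFilter=`/`SystemCallArchitectures=` to `SECCOMP` is an assumption added here (the commit itself only documents `RestrictNetworkInterfaces=`).

```shell
#!/bin/sh
# Added example: detect unit hardening directives that the running systemd
# cannot enforce because the corresponding feature was compiled out.

# Constructed sample of `systemctl --version` from a build without libbpf.
SAMPLE_VERSION_OUTPUT='systemd 250 (250.4)
+PAM +AUDIT -SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified'

# Constructed sample from a build with libbpf enabled.
SAMPLE_VERSION_OUTPUT_OK='systemd 250 (250.4)
+PAM +AUDIT +SECCOMP +ACL +BPF_FRAMEWORK +UTMP default-hierarchy=unified'

# Constructed sample of a minimal build lacking both seccomp and libbpf.
SAMPLE_VERSION_OUTPUT_MINIMAL='systemd 250 (250.4)
+PAM -AUDIT -SECCOMP +ACL -BPF_FRAMEWORK -UTMP default-hierarchy=unified'

# Constructed sample unit that relies on two sandboxing features.
SAMPLE_UNIT='[Service]
ExecStart=/usr/bin/ping -c 1 8.8.8.8
RestrictNetworkInterfaces=lo
SystemCallFilter=@system-service'

# Directive -> feature it needs. RestrictNetworkInterfaces/BPF_FRAMEWORK is
# from the commit message; the other three rows are assumptions of this example.
DIRECTIVE_FEATURES='RestrictNetworkInterfaces BPF_FRAMEWORK
RestrictFileSystems BPF_FRAMEWORK
SystemCallFilter SECCOMP
SystemCallArchitectures SECCOMP'

# has_feature NAME OUTPUT: succeed if the feature line contains "+NAME".
# Tokens are split on whitespace, so "-NAME" (disabled) never matches.
has_feature() {
    for tok in $2; do
        [ "$tok" = "+$1" ] && return 0
    done
    return 1
}

# silently_ignored VERSION_OUTPUT UNIT_TEXT: print every directive used in
# the unit whose feature is absent from the build; exit 1 if any were found.
silently_ignored() {
    found=0
    while read -r directive feature; do
        if printf '%s\n' "$2" | grep -q "^[[:space:]]*$directive=" \
           && ! has_feature "$feature" "$1"; then
            printf '%s\n' "$directive"
            found=1
        fi
    done <<EOF
$DIRECTIVE_FEATURES
EOF
    return $found
}

# Stand-alone run over the constructed samples.
echo "Build without libbpf:"
silently_ignored "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_UNIT" \
    || echo "-> the directive(s) above are accepted but have no effect"
echo "Build with libbpf:"
silently_ignored "$SAMPLE_VERSION_OUTPUT_OK" "$SAMPLE_UNIT" \
    && echo "-> all listed directives are enforceable"
```

On a real host replace the constructed strings with `"$(systemctl --version)"` and `"$(systemctl cat some.service)"`; the check only looks at the feature line, so it cannot tell whether the kernel side (for instance a BPF-capable kernel) is also present.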
The ConditionFileNotEmpty override patch wasn't correct for stage1, which
does have the modules in /lib. So, remove the patch and set
the right path with overrides in the final system.
Also, make sure systemd-tmpfiles-setup-dev is pulled in to create
all the necessary symlinks.
patchShebangs was writing a build platform bash shebang to
systemd-update-helper, which ends up in the output. To fix this, this patch
restricts patchShebangs to only run on certain directories.
Also, remove a comment stating that patchShebangs will no longer be necessary
after the next systemd release. This is not the case because /usr/bin/env
doesn't exist within the sandbox and will still need to be patched.
Account for all `with*` options causing their respective unit files to
not be built, just like the current code `withCryptsetup` already does.
This fixes build errors like the following:
```
missing /nix/store/5fafsfms64fn3ywv274ky7arhm9yq2if-systemd-250.4/example/systemd/system/systemd-importd.service
error: builder for '/nix/store/67rdli5q5akzwmqgf8q0a1yp76jgr0px-system-units.drv' failed with exit code 1
```
Found by using a customised systemd package as follows:
```
systemd.package = pkgs.systemd-small;
nixpkgs.config.packageOverrides = pkgs: {
  "systemd-small" = pkgs.systemd.override {
    withImportd = false;
    withMachined = false;
    ...
  };
};
```
In Issue #169693 we found out that systemd-bootaa64.efi does not have
the required `#### LoaderInfo: systemd-boot 250.4 ####` marking.
It is destroyed by `nixpkgs`'s `_doStrip` hook (part of `fixupOutputHooks`).
It makes sense as PE32+ is a bit different from ELF where `.sdmagic` section
is inserted.
The change avoids stripping EFI files altogether by moving them out
of default strip directories of _doStrip for the time while `fixupPhase`
is running.
Closes: https://github.com/NixOS/nixpkgs/issues/169693
- Fix the name of the env
- Add the correct kmod to the initrd
- Add `less` to make journalctl usable
- Fix SYSTEMD_SULOGIN_FORCE for rescue.target
- Add some missing binaries
Among other things fixes build failure on linux-headers-5.17:
```
../src/basic/meson.build:389:8: ERROR: Problem encountered: found unknown filesystem(s) defined in kernel headers:
Filesystem found in kernel header but not in filesystems-gperf.gperf: CIFS_SUPER_MAGIC
Filesystem found in kernel header but not in filesystems-gperf.gperf: SMB2_SUPER_MAGIC
```
As reported in
https://github.com/NixOS/nixpkgs/pull/156096#pullrequestreview-900986176,
this fails to build on EFI enabled RISC-V because the requested EFI
linker (efi-ld=gold) is unsupported. According to Wikipedia gold only
supports x86, x86-64, ARM, PowerPC, TileGX.
Removing this option altogether will cause meson to figure out the
default linker by itself.
This helps systemd during runtime to make decisions about the sanity of
the system clock. See the referenced news article for more details on
the matter.
We don't have to do that as we already set all the feature flags to
null. Setting individual libraries to null instead of disabling their
feature flag will set a bad example that will cause each of the
features to be disabled with multiple flags in the systemdMinimal
variant.
If a dependency is pulled in via another feature we should disable that
rather than setting it to null. Overriding a given package should be the
last resort.
It was originally moved because of nixops autoLuks feature which
has been unsupported for a while.
See:
* https://github.com/NixOS/nixpkgs/issues/62211
* https://github.com/NixOS/nixops/pull/1156#issuecomment-605339705
systemd-tmpfiles-setup-dev.service needs to run very early (even before
udev runs) because udev rules assume static device nodes already exist
even before udev is started. If these static device nodes do not exist,
systemd might have trouble mounting filesystems that require static
device nodes (like loopfs and btrfs).
Fixes build of pkgsMusl.systemdMinimal (and pkgsMusl.systemd if combined with
other fixes).
These patches are applied conditionally on purpose: They are not checked to
be properly guarded. They should not block future systemd upgrades.
Also see the original RFC section around musl systemd:
https://github.com/NixOS/rfcs/blob/master/rfcs/0023-musl-libc.md#systemd
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such a way that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly differently.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests, the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a unit's
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfortunately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.o
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added to systemd and consequently we can now use
that. Just as with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
This has only been used by Dysnomia, which has been removed from Nixpkgs
in https://github.com/NixOS/nixpkgs/pull/110799 after being broken for
more than a year.
If Dysnomia comes back, it can probably just use
/nix/var/nix/profiles/default/lib/systemd/system, or set its own systemd
flavour looking in that location via the `systemd.package`.
This was recently introduced, and apparently not nixpkgs-fmt'ed.
While there's no global consensus on nixpkgs-fmt'ing everything,
indenting this by 2 more spaces won't hurt.
continuation of #109595
pkgconfig was aliased in 2018; however, it remained in
all-packages.nix due to its wide usage. This cleans
up the remaining references to pkgs.pkgconfig and
moves the entry to aliases.nix.
python3Packages.pkgconfig remained unchanged because
it's the canonical name of the upstream package
on pypi.
This ensures that all the features that are implemented via dlopen(3)
are available (or explicitly deactivated) by pointing dlopen to the
absolute store path instead of relying on the linker's runtime lookup
code.
All of the dlopen calls have to be handled. When new ones are introduced
by upstream (or one of our patches) those must be explicitly declared,
otherwise the build will fail.
As of systemd version 247 we've seen a few errors like `libpcre2.… not
found` when using e.g. --grep with journalctl. Those errors should
become less unexpected now.
There are generally two classes of dlopen calls. Those that we want to
support and those that should be deactivated / unsupported. This change
enforces that we handle all dlopen calls explicitly. Meaning: There is
not a single dlopen call in the source code tree that we did not
explicitly handle.
In order to do this I introduced a list of attributes that maps from
shared object name to the package that contains them. The package can be
null meaning the reference should be nuked and the shared object will
never be loadable during runtime (because it points at an invalid store
path location).
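The rewriting described in this commit message, as an added illustration that is not the nixpkgs build code itself: shared-object names found in C string literals are mapped to an absolute store path, a `None` entry is rewritten to a deliberately non-existent store path so the library can never be loaded at runtime, and any name missing from the mapping aborts the rewrite, which is what makes the build fail when upstream introduces a new dlopen(3) site. The sample source, the store paths and the placeholder prefix for disabled libraries are constructed for this example.

```python
import re

# A shared-object name inside a C string literal, e.g. "libpcre2-8.so.0".
# Already-rewritten literals start with "/nix/store/..." and therefore no
# longer match, so running the rewrite twice is harmless.
SONAME_RE = re.compile(r'"(lib[A-Za-z0-9_+.-]+?\.so(?:\.[0-9]+)*)"')

# Assumed placeholder (not the value nixpkgs uses): a store path that cannot
# exist, so dlopen(3) fails cleanly instead of falling back to the linker's
# runtime search path.
UNSUPPORTED_PREFIX = (
    "/nix/store/00000000000000000000000000000000-dlopen-disabled/lib"
)


def find_sonames(source: str) -> set:
    """Return every shared-object name referenced from a string literal."""
    return set(SONAME_RE.findall(source))


def rewrite_dlopen_sonames(source: str, mapping: dict) -> str:
    """Replace each library name with an absolute path taken from `mapping`.

    mapping: soname -> store path of the providing package, or None when the
    feature is intentionally unsupported. Raises ValueError if the source
    references a library the mapping does not cover.
    """
    unhandled = find_sonames(source) - set(mapping)
    if unhandled:
        raise ValueError(
            "unhandled dlopen libraries: " + ", ".join(sorted(unhandled))
        )

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        package = mapping[name]
        base = UNSUPPORTED_PREFIX if package is None else f"{package}/lib"
        return f'"{base}/{name}"'

    return SONAME_RE.sub(substitute, source)


# Constructed sample input resembling systemd's dlopen wrappers.
SAMPLE_SOURCE = """\
static void *pcre2_dl = NULL;
r = dlopen_many_sym_or_warn(&pcre2_dl, "libpcre2-8.so.0", LOG_DEBUG, ...);
r = dlopen_many_sym_or_warn(&bpf_dl, "libbpf.so.0", LOG_DEBUG, ...);
"""

# Constructed mapping: pcre2 is supported, libbpf is explicitly disabled.
SAMPLE_MAPPING = {
    "libpcre2-8.so.0": "/nix/store/0000000000000000000000000000000a-pcre2-10.37",
    "libbpf.so.0": None,
}


def demo() -> str:
    return rewrite_dlopen_sonames(SAMPLE_SOURCE, SAMPLE_MAPPING)


if __name__ == "__main__":
    print(demo())
```

In the real package the same effect is achieved by substituting the names in `postPatch`; the point carried over here is that the mapping is exhaustive, so a library that is neither supported nor disabled is a hard error rather than a silent fallback to whatever the dynamic linker finds at runtime.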
Contains the following fixes:
- 937118a5b2 journalctl: don't skip the entries that have the same seqnum
- e017ac6a26 sd-bus: use SOCK_CLOEXEC on one more socket
- db31432861 resolved: create stub-resolv.conf symlink with correct security label
- f2ec15e2e5 efi: Only use arm flags if supported
- cd43eee770 core: detect_container() may return negative errno
- 04be042a1f meson: Fix reallocarray check
- 5e906f483b network: do not assume address ready callback is always set to static addresses
- 2ad7a2a96a network: drop assertions to check link state in netlink callback handlers
- f375c8cbb5 network: do not reconfigure interface when the link gains carrier but udev not initialized it yet
- 5d4909decf veritysetup: also place udev socket dep
- 57ddb74245 cryptsetup: Fix crypto device missing issue after bootup
- d3c224d441 network: fix SIGABRT related to unreachable route with DHCP6
- c91648cc83 network: revert previous changes to address_compare_func()
- d8b5d8c8c3 udev: Fix sound.target dependency
- 669107ae68 meson: specify correct libqrencode version in meson dep
- c07dc6cedc udev: link_update() should fail if the entry in symlink dir couldn't have been created
- 367006c806 man: document that automount units are privileged
- 5129808141 logind: fix closing of button input devices
- 37f06c91ef Update logind-button.c
- 9e9fda0a2d async: add trivial cleanup wrapper for asynchronous_close()
- 4a2ca1ca4a Silence cgroups v1 read-only filesystem warning
- ed1f8f4ba2 manager: Fix HW watchdog when systemd starts before driver loaded
- 383a747164 cgroup: Also set blkio.bfq.weight
- 48d41091ac nss-resolve: varlink_call() set error_id only when r >= 0
- 56daba2deb missing: Define several syscall numbers for Alpha arch
- f2a4b96276 Don't assume /run/systemd exists when creating unit-root
- 553530fdc7 mkosi: Add findutils to Fedora config
- e42990dfe3 mkosi: Add rpm to Fedora BuildPackages as it's needed by pkg-config
- 6bacd1d971 mkosi: Replace iptables-dev with libiptc-dev in debian config
- f1fc515c21 dissect: don't declare unused variables on archs that have no GPT discovery
- 30d0c3f58c resolved: synthesize NODATA instead of NXDOMAIN if gateway exists, but of other protocol
- 538ebbd7f3 local-addresses: make returning accumulated list optional
- 228a22bb63 resolved: improve log message when we use TCP a bit
- aa31dd9128 network: ignore broadcast address for /31 or /32 addresses
- 85607cc094 network: fix verification for broadcast address
- dc6ad6482a network: do not set broadcast if prefixlen is 31 or 32
- 39ee319c75 stub: don't ever respond to datagrams coming in on non-localhost addresses, on the stub
- cbea0e5a83 resolved: never allow _gateway lookups to go to the network
- c4df66816b resolved: lower SERVFAIL cache timeout from 30s to 10s
- b5e39c20d9 dns-domain: try IDN2003 rules if IDN2008 doesn't work
- 2c354cedd2 virt: Properly detect nested UML inside another hypervisor
- 10f2cfb715 resolved: properly check per-link NTA list
- a8437c07e4 meson: use '_' as separator in fuzz test names
- 81ef7623c8 man: mention that --key= is about *secret* keys
- 4ef70ecefc meson: check that cxx variable is set before using it