[pull] main from systemd:main #502
Merged
pull[bot] merged 28 commits into adamlaska:main from Feb 26, 2026
…cified
Follow-up for 79dd24c
Such setup makes zero sense, as if we unshare userns ourselves we'd immediately lose CAP_SYS_ADMIN over the userns specified.
* Make sure we're not passing NULL to rmdir()
* Remove the inner "tmp" subdir as well, so that callers can handle this transparently (e.g. exec_shared_runtime_make() is not aware of the nested rmdir() requirements)

While at it, remove unneeded PROTECT_ERRNO.
…Tmp= modes properly
…mp= state
The only reason ExecSharedRuntime.(var_)tmp_dir might be suppressed is when (/var)/tmp/ is listed in InaccessiblePaths=, in which case mount namespace is needed anyways. Moreover, the current logic imposes a chicken-and-egg problem: at various places in pid1 we'd need to check whether the unit runs in a mountns, but the ExecSharedRuntime may not be allocated for it just yet.
In #28515, multiple people report that services that have PrivateTmp=yes and DefaultDependencies=no fail to create the temporary directories under /tmp, when /tmp is e.g. a bind mount or some other kind of mount that takes more time.

Before PrivateTmp=disconnected was added, we didn't have a nice solution: DefaultDependencies=no is used to start services very early, so we wouldn't want to add a dependency on /tmp automatically. With PrivateTmp=disconnected we have a fairly nice solution. Let's "upgrade" to this mode automatically. Strictly speaking, it is a small compat break, but in practice it's unlikely to matter for early-boot services whether their /tmp is private or disconnected.

The dependency on /tmp that is checked is After. I think this is enough, since any tmp.mount would be pulled in by local-fs.target and the rest of the transaction anyway, so we don't need to check more than After.

The asserts are relaxed, because the two settings can now diverge in either way.

Resolves #28515.

[yhndnzj: fix unit_add_exec_dependencies() to handle the new combination; add a comment in exec_needs_sys_admin()]
As in the previous commit, checking for both requirements and ordering seems unnecessary. In practical cases, the mount will be pulled in by the rest of the transaction, so ordering is the part that matters. (The setup is racy without the ordering.) If we drop the second check, the admin can just use After=tmp.mount to achieve the desired behaviour, without needing to explicitly pull in the unit. This is easier to configure and more robust. This changes the implementation introduced in 6156bec. Also actually describe the implemented behaviour in the man page.
With the previous changes the modes for /tmp/ and /var/tmp/ may come in arbitrary directions, i.e. we may downgrade one and upgrade another. Hence let's refactor the setup logic a bit so they're truly independent.
…7643371a822c
* 23a1c1fed9 Install /usr/lib/systemd/boot/hwids/ in ukify package
* 985170fdc6 Version 259.1
* 2e10d7da1e Revert getty changes a bit harder
* 96c683c3de Revert all remaing changes to getty@.service
* 24a305a398 Revert to previous handling of getty@.service
* 6a500eb814 Create getty@tty1.service again and move autovt@.service alias to /usr/lib
* 88bd4ab206 Properly enable systemd-tmpfiles-clear.service in scriptlets
* d9f3f02206 Raise the number of placeholder sections in kernel and addon stubs
* e301db0151 Stop enabling getty@tty1.service
* a1c33507a2 Fix unit names in systemd-udev scriptlet
* b7b3e024d6 Enable getty@.service through presets
* ec5e1b1ed7 Move tpm2 and getty support to -udev subpackage
* 9c9976a7f8 Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* f353d244fd Add 2 patches for automatic aarch64 DTB selection change
* 399885597c Revert "Disable sysinit-path for upstream builds"
Will allow installing the actual hwids as a single subdir
Add hwids json files for Snapdragon devices that make use of this feature since they don't ship with device trees embedded in firmware. The json files were originally generated for Ubuntu stubble and are known to work since they ship in all Ubuntu arm64 ISOs by default. Some of the devices might not be supported in mainline Linux yet and use preliminary compatible strings.
These are meant to ship with ukify, in the same package, so install them when ukify is enabled. Given they are hardware-specific, use a per-arch subdirectory to make it easier to enable them by default in ukify.
Follow-up for 098e44d
If the option is not manually specified, and the hwids directory exists for the target EFI architecture, default to it. Allow passing '' to skip. Fixes #40542
…them from ukify (#40541)
The json files were originally generated for Ubuntu stubble and are known to work since they ship in all Ubuntu arm64 ISOs by default. Some of the devices might not be supported in mainline Linux yet and use preliminary compatible strings.
Hopefully fixes:

[ 154.500726] TEST-13-NSPAWN.sh[4351]: + tar -C /var/tmp/mangletest/ -cvzf /var/tmp/mangletest.tar.gz mangletest-0.1
[ 154.504485] TEST-13-NSPAWN.sh[5402]: mangletest-0.1/
[ 154.506908] TEST-13-NSPAWN.sh[5402]: mangletest-0.1/usr/
[ 154.508713] TEST-13-NSPAWN.sh[5402]: mangletest-0.1/usr/lib/
[ 154.509208] TEST-13-NSPAWN.sh[5402]: mangletest-0.1/usr/lib/os-release
[ 154.509877] TEST-13-NSPAWN.sh[4351]: + run0 --pipe -u testuser importctl -m --user import-tar /var/tmp/mangletest.tar.gz
[ 154.693870] TEST-13-NSPAWN.sh[5405]: Enqueued transfer job 9. Press C-c to continue download in background.
[ 154.696371] TEST-13-NSPAWN.sh[5405]: Image 'mangletest' already exists.

Fixes #40829
Follow-up for 4248b02
Follow-up for 23115ee
Without this, a warning is emitted on upgrades. Follow-up for c008f88.
oldstable is close to moving to LTS so switch to stable
Some dependency changed in testing and it's not pulled in anymore:

‣ Running build script /home/runner/work/systemd/systemd/mkosi/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.build.chroot…
/work/build-script: line 35: mount: command not found
‣ /work/build-script failed with non-zero exit code 127
‣ (Maybe a program was not found or the script interpreter (e.g. bash) is not installed?)
FAILED: [code=127] mkosi
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.4)