diffstat for systemd-234 systemd-234 changelog | 373 ++++++++++ control | 3 extra/dhclient-enter-resolved-hook | 72 + extra/initramfs-tools/scripts/init-top/udev | 3 extra/units/systemd-resolved.service.d/resolvconf.conf | 8 extra/units/systemd-timesyncd.service.d/disable-with-time-daemon.conf | 6 extra/write_persistent_net_s390x_virtio | 40 + gbp.conf | 2 libnss-resolve.postrm | 4 patches/core-unlink-the-invocation-id-key-if-cannot-change-keyrin.patch | 81 ++ patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch | 27 patches/debian/Ubuntu-Ship-modprobe.d-drop-in-to-set-bonding-max_bonds-to-0.patch | 65 + patches/debian/Ubuntu-UseDomains-by-default.patch | 75 ++ patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch | 37 patches/debian/Ubuntu-resolved-resolvconf-integration.patch | 164 ++++ patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch | 22 patches/networkd-change-UseMTU-default-to-true.-6837.patch | 70 + patches/seccomp-arm64-does-not-have-mmap2.patch | 39 + patches/seccomp-arm64-x32-do-not-have-_sysctl.patch | 78 ++ patches/series | 12 patches/test-seccomp-arm64-does-not-have-access-and-poll.patch | 40 + patches/tests-ignore-router-state-in-networkd-test-6390.patch | 26 rules | 13 systemd.install | 1 systemd.postinst | 33 tests/boot-and-services | 11 tests/boot-smoke | 45 - tests/control | 18 tests/logind-kill-off | 5 tests/root-unittests | 9 udev.postinst | 8 31 files changed, 1347 insertions(+), 43 deletions(-) diff -Nru systemd-234/debian/changelog systemd-234/debian/changelog --- systemd-234/debian/changelog 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/changelog 2017-10-04 12:28:34.000000000 +0000 
@@ -1,3 +1,175 @@ +systemd (234-2ubuntu12) artful; urgency=medium + + [ Dimitri John Ledkov ] + * debian/rules: do not strip test-copy. + This insures test-copy is large enough for test-copy tests to pass. + (LP: #1721203) + + [ Michael Biebl ] + * Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf. + All major NTP implementations ship a native service file nowadays with a + Conflicts=systemd-timesyncd.service so this drop-in is no longer + necessary. (Closes: #873185) (LP: #1721204) + + -- Dimitri John Ledkov Wed, 04 Oct 2017 13:28:34 +0100 + +systemd (234-2ubuntu11) artful; urgency=medium + + * Ubuntu/extra: ship dhclient-enter hook. + This allows isc-dhcp dhclient to set search domains and nameservers via + resolved. + * Disable systemd-networkd-wait-online by default. + Currently it is not fit for purpose, as it leads to long boot times when + networking is unplugged or not yet configured on boot. (LP: #1714301) + * networkd: change UseMTU default to true. + Cherry-pick upstream change. (LP: #1717471) + * postinst: drop empty/stock /etc/rc.local (LP: #1716979) + * Imporve resolvconf integration. + Make the .path|.service unit that feed resolved data into resolvconf not + generate failures if resolvconf is not installed. + Add a check to make sure that resolved does not read /etc/resolv.conf when that + is symlinked to stub-resolv.conf. (LP: #1717995) + * core: gracefully bail out keyring operations when chown fails (LP: #1691096) + + -- Dimitri John Ledkov Tue, 26 Sep 2017 11:38:02 -0400 + +systemd (234-2ubuntu10) artful; urgency=medium + + * Do not fail debootstrap if /etc/resolv.conf is immutable. (LP: #1713212) + * Revert "Create /etc/resolv.conf on resolved start, if it is an empty file." + As it is ineffective, and correct creation of /etc/resolv.conf has been fixed. + This reverts commit ccba42504f216f6ffbc54eb2c9af347355f8d86b. + * initramfs-tools: trigger udevadm add actions with subsystems first. 
+ This updates the initramfs-tools init-top udev script to trigger udevadm + actions with type specified. This mimicks the + systemd-udev-trigger.service. Without type specified only devices are + triggered, but triggering subsystems may also be required and should happen + before triggering the devices. This is the case for example on s390x with zdev + generated udev rules. (LP: #1713536) + + -- Dimitri John Ledkov Wed, 30 Aug 2017 11:22:41 +0100 + +systemd (234-2ubuntu9) artful; urgency=medium + + * boot-and-services: skip gdm3 tests when absent, as it is on s390x. + + -- Dimitri John Ledkov Wed, 23 Aug 2017 11:58:57 +0100 + +systemd (234-2ubuntu8) artful; urgency=medium + + * Enable systemd-networkd by default. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 17:50:59 +0100 + +systemd (234-2ubuntu7) artful; urgency=medium + + * Always setup /etc/resolv.conf on new installations. + On new installations, /etc/resolv.conf will always exist. Move it to /run + and replace it with the desired final symlink. (LP: #1712283) + * Create /etc/resolv.conf on resolved start, if it is an empty file. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 16:13:35 +0100 + +systemd (234-2ubuntu6) artful; urgency=medium + + * Disable KillUserProcesses, yet again, with meson this time. + * Re-enable reboot tests. + + -- Dimitri John Ledkov Thu, 17 Aug 2017 15:22:35 +0100 + +systemd (234-2ubuntu5) artful; urgency=medium + + * debian/tests: disable i386 & amd64 systemd-fsck test, and add environment + overrides to allow force execution of those tests locally. LP: #1708051. + + -- Dimitri John Ledkov Wed, 16 Aug 2017 13:04:48 +0100 + +systemd (234-2ubuntu4) artful; urgency=medium + + * debian/tests: disable i386 & amd64 boot-smoke, passes locally. LP: + #1708051. + + -- Dimitri John Ledkov Tue, 15 Aug 2017 14:20:12 +0100 + +systemd (234-2ubuntu3) artful; urgency=medium + + * debian/tests: Switch to gdm, enforce udev upgrade. 
+ + -- Dimitri John Ledkov Mon, 14 Aug 2017 12:02:37 +0100 + +systemd (234-2ubuntu2) artful; urgency=medium + + * Ignore failures to set Nice priority on services in containers. + * Disable execute test on armhf. + * units: set ConditionVirtualization=!private-users on journald audit socket. + It fails to start in unprivileged containers. + * boot-smoke: refactor ADT test. + Wait for system to settle down and get to either running or degraded state, + then collect all metrics, and exit with an error if any of the tests failed. + + -- Dimitri John Ledkov Wed, 02 Aug 2017 03:02:03 +0100 + +systemd (234-2ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. 
+ * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. + * modprobe.d: set max_bonds=0 for bonding module to prevent bond0 creation. + This prevents confusing networkd, and allows networkd to manage bond0. + * Cherrypick upstream networkd-test.py assertion/check fixes. + This resolves ADT test suite failures, when running tests under lxc/lxd + providers. + * Cherrypick arm* seccomp fixes. + This should resolve ADT test failures, on arm64, when running as root. + * Re-enable seccomp and execute tests on arm. + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + [ Michael Biebl ] + * selinux: Enable labeling and access checks for unprivileged users. + Revert commit that inadvertently broke a lot of SELinux related + functionality for both unprivileged users and systemd instances running + as MANAGER_USER and instead deal with the auditd issue by checking for + the CAP_AUDIT_WRITE capability before opening an audit netlink socket. 
+ (Closes: #863800) + + -- Dimitri John Ledkov Tue, 25 Jul 2017 13:30:58 +0100 + systemd (234-2) unstable; urgency=medium [ Martin Pitt ] 
@@ -18,6 +190,64 @@ -- Michael Biebl Thu, 20 Jul 2017 15:13:42 +0200 +systemd (234-1ubuntu2) artful; urgency=medium + + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. + * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. 
+ + -- Dimitri John Ledkov Fri, 21 Jul 2017 17:07:17 +0100 + +systemd (234-1ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * Merge with debian, outstanding delta below. + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Mon, 17 Jul 2017 10:59:34 +0100 + systemd (234-1) unstable; urgency=medium [ Michael Biebl ] 
@@ -99,6 +329,52 @@ -- Michael Biebl Mon, 19 Jun 2017 15:10:14 +0200 +systemd (233-8ubuntu2) artful; urgency=medium + + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + * SECURITY UPDATE: Out-of-bounds write in systemd-resolved. + CVE-2017-9445 (LP: #1695546) + + -- Dimitri John Ledkov Wed, 28 Jun 2017 13:27:28 +0100 + +systemd (233-8ubuntu1) artful; urgency=medium + + Merge from experimental. Existing Ubuntu cherry-picks: + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + * Cherrypick upstream commit to enable system use kernel maximum limit for RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + + Ubuntu cherry-picks, now also applied in Debian: + * resolved: fix null pointer dereference crash + + Remaining Ubuntu delta: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. 
+ This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. + + New Ubuntu cherry-picks: + * loginctl: Chrerry-pick upstream fix to not ignore multiple session ids. + (LP: #1682154) + + -- Dimitri John Ledkov Mon, 19 Jun 2017 15:24:30 +0100 + systemd (233-8) experimental; urgency=medium * Bump debhelper compatibility level to 10 
@@ -137,6 +413,57 @@ -- Michael Biebl Wed, 24 May 2017 12:26:18 +0200 +systemd (233-6ubuntu3) artful; urgency=medium + + * resolved: fix null pointer dereference crash (LP: #1621396) + + -- Dimitri John Ledkov Mon, 22 May 2017 09:29:22 +0100 + +systemd (233-6ubuntu2) artful; urgency=medium + + [ Michael Biebl ] + * basic/journal-importer: Fix unaligned access in get_data_size() + (Closes: #862062) + + [ Dimitri John Ledkov ] + * ubuntu: disable dnssec on any ubuntu releases (LP: #1690605) + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + (LP: #1686784) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Wed, 17 May 2017 19:24:03 +0100 + +systemd (233-6ubuntu1) artful; urgency=medium + + Merge from Debian, existing changes: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + New changes: + * Cherrypick upstream commit to enable system use kernel maximum limit for + RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. 
(LP: #1686361) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + + -- Dimitri John Ledkov Tue, 02 May 2017 11:23:19 +0100 + systemd (233-6) experimental; urgency=medium [ Felipe Sateler ] 
@@ -177,6 +504,52 @@ -- Michael Biebl Fri, 28 Apr 2017 21:47:14 +0200 +systemd (233-5ubuntu1) artful; urgency=medium + + [ Felipe Sateler ] + * Backport upstream PR #5531. + This delays opening the mdns and llmnr sockets until a network has enabled them. + This silences annoying messages when networkd receives such packets without + expecting them: + Got mDNS UDP packet on unknown scope. + + [ Martin Pitt ] + * resolved: Disable DNSSEC by default on stretch and zesty. + Both Debian stretch and Ubuntu zesty are close to releasing, switch to + DNSSEC=off by default for those. Users can still turn it back on with + DNSSEC=allow-downgrade (or even "yes"). + + [ Michael Biebl ] + * Add Conflicts against hal. + Since v183, udev no longer supports RUN+="socket:". This feature is + still used by hal, but now generates vast amounts of errors in the + journal. Thus force the removal of hal by adding a Conflicts to the udev + package. This is safe, as hal is long dead and no longer useful. + * Drop systemd-ui Suggests + systemd-ui is unmaintained upstream and not particularly useful anymore. + * journal: fix up syslog facility when forwarding native messages. + Native journal messages (_TRANSPORT=journal) typically don't have a + syslog facility attached to it. As a result when forwarding the + messages to syslog they ended up with facility 0 (LOG_KERN). + Apply syslog_fixup_facility() so we use LOG_USER instead. (Closes: #837893) + * Split upstream tests into systemd-tests binary package (Closes: #859152) + * Get PACKAGE_VERSION from config.h. + This also works with meson and is not autotools specific. + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. 
(Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + -- Dimitri John Ledkov Fri, 21 Apr 2017 14:36:34 +0100 + systemd (233-5) experimental; urgency=medium * Do not throw a warning in emergency and rescue mode if plymouth is not diff -Nru systemd-234/debian/control systemd-234/debian/control --- systemd-234/debian/control 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/control 2017-10-03 03:24:05.000000000 +0000 @@ -1,7 +1,8 @@ Source: systemd Section: admin Priority: optional -Maintainer: Debian systemd Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian systemd Maintainers Uploaders: Michael Biebl , Marco d'Itri , Sjoerd Simons , diff -Nru systemd-234/debian/extra/dhclient-enter-resolved-hook systemd-234/debian/extra/dhclient-enter-resolved-hook --- systemd-234/debian/extra/dhclient-enter-resolved-hook 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/extra/dhclient-enter-resolved-hook 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,72 @@ +# +# Script fragment to make dhclient supply nameserver information to resolvconf +# + +# Tips: +# * Be careful about changing the environment since this is sourced +# * This script fragment uses bash features +# * As of isc-dhcp-client 4.2 the "reason" (for running the script) can be one of the following. +# (Listed on man page:) MEDIUM(0) PREINIT(0) BOUND(M) RENEW(M) REBIND(M) REBOOT(M) EXPIRE(D) FAIL(D) RELEASE(D) STOP(D) NBI(-) TIMEOUT(M) +# (Also used in master script:) ARPCHECK(0), ARPSEND(0) +# (Also used in master script:) PREINIT6(0) BOUND6(M) RENEW6(M) REBIND6(M) DEPREF6(0) EXPIRE6(D) RELEASE6(D) STOP6(D) +# (0) = master script does not run make_resolv_conf +# (M) = master script runs make_resolv_conf +# (D) = master script downs interface +# (-) = master script does nothing with this + +if [ -x /lib/systemd/systemd-resolved ] ; then + # For safety, first undefine the nasty default make_resolv_conf() + make_resolv_conf() { : ; } + case "$reason" in + BOUND|RENEW|REBIND|REBOOT|TIMEOUT|BOUND6|RENEW6|REBIND6) + # Define a resolvconf-compatible m_r_c() function + # It gets run later (or, in the TIMEOUT case, MAY get run later) + make_resolv_conf() { + local statedir + if [ ! 
"$interface" ] ; then + return + fi + statedir="/run/systemd/resolved.conf.d" + mkdir -p $statedir + if [ -n "$new_domain_name_servers" ] ; then + cat <$statedir/isc-dhcp-v4-$interface.conf +[Resolve] +DNS=$new_domain_name_servers +EOF + if [ -n "$new_domain_name" ] || [ -n "$new_domain_search" ] ; then + cat <>$statedir/isc-dhcp-v4-$interface.conf +Domains=$new_domain_search $new_domain_name +EOF + fi + fi + if [ -n "$new_dhcp6_name_servers" ] ; then + cat <$statedir/isc-dhcp-v6-$interface.conf +[Resolve] +DNS=$new_dhcp6_name_servers +EOF + if [ -n "$new_dhcp6_domain_search" ] ; then + cat <>$statedir/isc-dhcp-v6-$interface.conf +Domains=$new_dhcp6_domain_search +EOF + fi + fi + systemctl try-reload-or-restart systemd-resolved.service + } + ;; + + EXPIRE|FAIL|RELEASE|STOP) + if [ ! "$interface" ] ; then + return + fi + rm -f /run/systemd/resolved.conf.d/isc-dhcp-v4-$interface.conf + systemctl try-reload-or-restart systemd-resolved.service + ;; + EXPIRE6|RELEASE6|STOP6) + if [ ! "$interface" ] ; then + return + fi + rm -f /run/systemd/resolved.conf.d/isc-dhcp-v6-$interface.conf + systemctl try-reload-or-restart systemd-resolved.service + ;; + esac +fi diff -Nru systemd-234/debian/extra/initramfs-tools/scripts/init-top/udev systemd-234/debian/extra/initramfs-tools/scripts/init-top/udev --- systemd-234/debian/extra/initramfs-tools/scripts/init-top/udev 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/extra/initramfs-tools/scripts/init-top/udev 2017-10-03 03:24:05.000000000 +0000 
@@ -23,7 +23,8 @@ SYSTEMD_LOG_LEVEL=$log_level /lib/systemd/systemd-udevd --daemon --resolve-names=never -udevadm trigger --action=add +udevadm trigger --type=subsystems --action=add +udevadm trigger --type=devices --action=add udevadm settle || true # Leave udev running to process events that come in out-of-band (like USB diff -Nru systemd-234/debian/extra/units/systemd-resolved.service.d/resolvconf.conf systemd-234/debian/extra/units/systemd-resolved.service.d/resolvconf.conf --- systemd-234/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,8 +0,0 @@ -# tell resolvconf about resolved's builtin DNS server, so that DNS servers -# picked up via networkd are respected when using resolvconf, and that software -# like Chrome that does not do NSS (libnss-resolve) still gets proper DNS -# resolution; do not remove the entry after stop though, as that leads to -# timeouts on shutdown via the resolvconf hooks (see LP: #1648068) -[Service] -ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved' -ReadWritePaths=-/run/resolvconf diff -Nru systemd-234/debian/extra/units/systemd-timesyncd.service.d/disable-with-time-daemon.conf systemd-234/debian/extra/units/systemd-timesyncd.service.d/disable-with-time-daemon.conf --- systemd-234/debian/extra/units/systemd-timesyncd.service.d/disable-with-time-daemon.conf 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/extra/units/systemd-timesyncd.service.d/disable-with-time-daemon.conf 1970-01-01 00:00:00.000000000 +0000 
@@ -1,6 +0,0 @@ -[Unit] -# don't run timesyncd if we have another NTP daemon installed -ConditionFileIsExecutable=!/usr/sbin/ntpd -ConditionFileIsExecutable=!/usr/sbin/openntpd -ConditionFileIsExecutable=!/usr/sbin/chronyd -ConditionFileIsExecutable=!/usr/sbin/VBoxService diff -Nru systemd-234/debian/extra/write_persistent_net_s390x_virtio systemd-234/debian/extra/write_persistent_net_s390x_virtio --- systemd-234/debian/extra/write_persistent_net_s390x_virtio 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/extra/write_persistent_net_s390x_virtio 2017-10-03 03:24:05.000000000 +0000 @@ -0,0 +1,40 @@ +#!/bin/sh +set -e + +# +# udevd since 232-20 learned to generate stable interface names for network +# interfaces in kvm/qemu. However, existing machines upgrading will be using +# the ethX names instead. The most risk-averse action is to encode +# "persistent-net-rules" like rules to keep the ethX names on upgrades, since +# the interface names (ethX) may be in use not only in /etc/network/interfaces +# but in other configurations too (daemons, firewalls, etc). +# +# This is a one time action, and can be removed after the next stable & LTS +# releases. (~ May 2018) +# + +rulesfile=/etc/udev/rules.d/70-persistent-net.rules + +if [ `uname -m` != 's390x' ] +then + exit 0 +fi + +if [ `systemd-detect-virt` != 'kvm' ] +then + exit 0 +fi + +if [ -f $rulesfile ] +then + exit 0 +fi + +for interface in /sys/class/net/eth* +do + name=$(basename $interface) + address=$(cat $interface/address) + cat <>$rulesfile +SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="$address", KERNEL=="eth*", NAME="$name" +EOF +done diff -Nru systemd-234/debian/gbp.conf systemd-234/debian/gbp.conf --- systemd-234/debian/gbp.conf 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/gbp.conf 2017-10-03 03:24:05.000000000 +0000 
@@ -1,7 +1,7 @@ [DEFAULT] pristine-tar = True patch-numbers = False -debian-branch = master +debian-branch = ubuntu-artful [dch] full = True diff -Nru systemd-234/debian/libnss-resolve.postrm systemd-234/debian/libnss-resolve.postrm --- systemd-234/debian/libnss-resolve.postrm 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/libnss-resolve.postrm 2017-10-03 03:24:05.000000000 +0000 @@ -23,10 +23,6 @@ if [ "$1" = remove ]; then remove_nss_entry /etc/nsswitch.conf libnss-resolve resolve - systemctl disable systemd-resolved.service - if [ -d /run/systemd/system ]; then - deb-systemd-invoke stop systemd-resolved.service || true - fi fi #DEBHELPER# diff -Nru systemd-234/debian/patches/core-unlink-the-invocation-id-key-if-cannot-change-keyrin.patch systemd-234/debian/patches/core-unlink-the-invocation-id-key-if-cannot-change-keyrin.patch --- systemd-234/debian/patches/core-unlink-the-invocation-id-key-if-cannot-change-keyrin.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/core-unlink-the-invocation-id-key-if-cannot-change-keyrin.patch 2017-10-03 22:01:28.000000000 +0000 
@@ -0,0 +1,81 @@ +From: Dimitri John Ledkov +Date: Tue, 26 Sep 2017 10:23:09 -0400 +Subject: core: unlink the invocation id key, if cannot change keyring owner + +KEYCTL_CHOWN fails under unpriviledged usernamespace containers that drop +CAP_SYS_ADMIN (eg. LXD, OpenVZ, etc). Because kernel checks the capability in +the initial namespace, rather than in the user namespace. Thus if KEYCTL_CHOWN +operation is required, but will be impossible to perform, unlink the key and +thus skip the keyring setup. + +Fixes #6281 + +(cherry picked from commit e4945f3a577ac9233c0e71349b6c139899e742fc) +--- + src/basic/missing.h | 8 ++++++++ + src/core/execute.c | 15 +++++++++++---- + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/basic/missing.h b/src/basic/missing.h +index 7830a4f..9694792 100644 +--- a/src/basic/missing.h ++++ b/src/basic/missing.h +@@ -1102,6 +1102,14 @@ typedef int32_t key_serial_t; + #define KEYCTL_DESCRIBE 6 + #endif + ++#ifndef KEYCTL_LINK ++#define KEYCTL_LINK 8 ++#endif ++ ++#ifndef KEYCTL_UNLINK ++#define KEYCTL_UNLINK 9 ++#endif ++ + #ifndef KEYCTL_READ + #define KEYCTL_READ 11 + #endif +diff --git a/src/core/execute.c b/src/core/execute.c +index d72e5bf..4b02f5a 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2071,10 +2071,14 @@ static int apply_working_directory( + + static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) { + key_serial_t keyring; ++ key_serial_t key; ++ int r; + + assert(u); + assert(p); + ++ key = -1; ++ + /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that + * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond + * that scope, and in particular no link to the per-UID keyring. 
If we don't do this the keyring will be +@@ -2101,8 +2105,6 @@ static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) + + /* Populate they keyring with the invocation ID by default. */ + if (!sd_id128_is_null(u->invocation_id)) { +- key_serial_t key; +- + key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING); + if (key == -1) + log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m"); +@@ -2116,8 +2118,13 @@ static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) + + /* And now, make the keyring owned by the service's user */ + if (uid_is_valid(uid) || gid_is_valid(gid)) +- if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0) +- return log_error_errno(errno, "Failed to change ownership of session keyring: %m"); ++ if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0) { ++ log_error_errno(errno, "Failed to change ownership of session keyring: %m"); ++ /* well, the kernel didn't - cause the kernel is borked */ ++ if (keyctl(KEYCTL_UNLINK, key, keyring, 0, 0) < 0) ++ log_debug_errno(errno, "Failed to unlink (clean-up) key, after failing to change ownership: %m"); ++ return 0; ++ } + + return 0; + } diff -Nru systemd-234/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch systemd-234/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch --- systemd-234/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,27 @@ +From: Balint Reczey +Date: Mon, 8 May 2017 17:02:03 +0200 +Subject: Skip starting systemd-remount-fs.service in containers + +even when /etc/fstab is present. + +This allows entering fully running state even when /etc/fstab +lists / to be mounted from a device which is not present in the +container. + +LP: #1576341 +--- + units/systemd-remount-fs.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in +index 29d0674..7bb5477 100644 +--- a/units/systemd-remount-fs.service.in ++++ b/units/systemd-remount-fs.service.in +@@ -15,6 +15,7 @@ After=systemd-fsck-root.service + Before=local-fs-pre.target local-fs.target shutdown.target + Wants=local-fs-pre.target + ConditionPathExists=/etc/fstab ++ConditionVirtualization=!container + + [Service] + Type=oneshot diff -Nru systemd-234/debian/patches/debian/Ubuntu-Ship-modprobe.d-drop-in-to-set-bonding-max_bonds-to-0.patch systemd-234/debian/patches/debian/Ubuntu-Ship-modprobe.d-drop-in-to-set-bonding-max_bonds-to-0.patch --- systemd-234/debian/patches/debian/Ubuntu-Ship-modprobe.d-drop-in-to-set-bonding-max_bonds-to-0.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/debian/Ubuntu-Ship-modprobe.d-drop-in-to-set-bonding-max_bonds-to-0.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,65 @@ +From: Dimitri John Ledkov +Date: Tue, 25 Jul 2017 12:21:23 +0100 +Subject: Ship modprobe.d drop-in to set bonding max_bonds to 0 + +This allows networkd to correctly manage bond0 using networkd, when requested +by the user. + +Fixes #5971 #6184 + +(cherry picked from commit b272ba9230db94b7db73271c56e0b6771e2281b6) +--- + meson.build | 4 ++++ + modprobe.d/systemd.conf | 14 ++++++++++++++ + 2 files changed, 18 insertions(+) + create mode 100644 modprobe.d/systemd.conf + +diff --git a/meson.build b/meson.build +index eabf215..00ef5c3 100644 +--- a/meson.build ++++ b/meson.build +@@ -73,6 +73,7 @@ polkitpkladir = join_paths(localstatedir, 'lib/polkit-1/localauthority/10-vendor + varlogdir = join_paths(localstatedir, 'log') + xinitrcdir = join_paths(sysconfdir, 'X11/xinit/xinitrc.d') + rpmmacrosdir = get_option('rpmmacrosdir') ++modprobedir = join_paths(rootprefixdir, 'lib/modprobe.d') + + # Our own paths + pkgdatadir = join_paths(datadir, 'systemd') +@@ -2303,6 +2304,8 @@ install_data('xorg/50-systemd-user.sh', + install_dir : xinitrcdir) + install_data('system-preset/90-systemd.preset', + install_dir : systempresetdir) ++install_data('modprobe.d/systemd.conf', ++ install_dir : modprobedir) + install_data('README', + 'NEWS', + 'CODING_STYLE', +@@ -2389,6 +2392,7 @@ status = [ + 'PAM modules dir: @0@'.format(pamlibdir), + 'PAM configuration dir: @0@'.format(pamconfdir), + 'RPM macros dir: @0@'.format(rpmmacrosdir), ++ 'modprobe.d dir: @0@'.format(modprobedir), + 'D-Bus policy dir: @0@'.format(dbuspolicydir), + 'D-Bus session dir: @0@'.format(dbussessionservicedir), + 'D-Bus system dir: @0@'.format(dbussystemservicedir), +diff --git a/modprobe.d/systemd.conf b/modprobe.d/systemd.conf +new file mode 100644 +index 0000000..55a9a7d +--- /dev/null ++++ b/modprobe.d/systemd.conf +@@ -0,0 +1,14 @@ ++# This file is part of systemd. 
++# ++# systemd is free software; you can redistribute it and/or modify it ++# under the terms of the GNU Lesser General Public License as published by ++# the Free Software Foundation; either version 2.1 of the License, or ++# (at your option) any later version. ++# ++# When bonding module is loaded, it creates bond0 by default due to max_bonds ++# option default value 1. This interferes with the network configuration ++# management / networkd, as it is not possible to detect whether this bond0 was ++# intentially configured by the user, or should be managed by ++# networkd/NM/etc. Therefore disable bond0 creation. ++ ++options bonding max_bonds=0 diff -Nru systemd-234/debian/patches/debian/Ubuntu-UseDomains-by-default.patch systemd-234/debian/patches/debian/Ubuntu-UseDomains-by-default.patch --- systemd-234/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,75 @@ +From: Dimitri John Ledkov +Date: Thu, 20 Jul 2017 13:48:31 +0100 +Subject: Set UseDomains to true, by default, on Ubuntu. + +On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries +to a preset 3rd party by default. In resolved, dnssec is also disabled by +default, as too much of the internet is broken and using Ubuntu users to debug +the internet is not very productive - most of the time the end-user cannot fix +or know how to notify the site owners about the dnssec mistakes. Inherintally +the DHCP acquired DNS servers are therefore trusted, and are free to spoof +records. Not trusting DNS search domains, in such scenario, provides limited +security or privacy benefits. From user point of view, this also appears to be +a regression from previous Ubuntu releases which do trust DHCP acquired search +domains by default. + +Therefore we are enabling UseDomains by default on Ubuntu. + +Users may override this setting in the .network files by specifying +[DHCP|IPv6AcceptRA] UseDomains=no|route options. +--- + man/systemd.network.xml | 6 +++--- + src/network/networkd-network.c | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index 6b83a5b..6d3ff4e 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -281,7 +281,7 @@ + IPv6AcceptRA=. + + Furthermore, note that by default the domain name +- specified through DHCP is not used for name resolution. ++ specified through DHCP, on Ubuntu, are used for name resolution. + See option below. + + See the [DHCP] section below for further configuration options for the DHCP client +@@ -984,7 +984,7 @@ + the setting. If set to route, the domain name received from + the DHCP server will be used for routing DNS queries only, but not for searching, similar to the effect of + the setting when the argument is prefixed with ~. Defaults to +- false. ++ true on Ubuntu. 
+ + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +@@ -1130,7 +1130,7 @@ + the effect of the setting. If set to route, the domain name + received via IPv6 RA will be used for routing DNS queries only, but not for searching, similar to the + effect of the setting when the argument is prefixed with +- ~. Defaults to false. ++ ~. Defaults to true on Ubuntu. + + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 6f2ae66..36cf873 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -163,6 +163,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->dhcp_use_hostname = true; + network->dhcp_use_routes = true; + network->dhcp_send_hostname = true; ++ network->dhcp_use_domains = DHCP_USE_DOMAINS_YES; + network->dhcp_route_metric = DHCP_ROUTE_METRIC; + network->dhcp_client_identifier = DHCP_CLIENT_ID_DUID; + network->dhcp_route_table = RT_TABLE_MAIN; +@@ -194,6 +195,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->proxy_arp = -1; + network->arp = -1; + network->ipv6_accept_ra_use_dns = true; ++ network->ipv6_accept_ra_use_domains = DHCP_USE_DOMAINS_YES; + network->ipv6_accept_ra_route_table = RT_TABLE_MAIN; + + dropin_dirname = strjoina(network->name, ".network.d"); diff -Nru systemd-234/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch systemd-234/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch --- systemd-234/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 
1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 2017-10-03 03:24:05.000000000 +0000 @@ -0,0 +1,37 @@ +From: Dimitri John Ledkov +Date: Tue, 1 Aug 2017 17:38:05 +0100 +Subject: core: in execute, soft fail setting Nice priority, + when permissions are denied + +In unpriviledged containers Nice priority setting may not be permitted. Thus +log and ignore permission failure to set Nice priority in such +environments. This is similar to how OOMScoreAdjust is treated. +--- + src/core/execute.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index f24625f..a7f4cd7 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2477,11 +2477,18 @@ static int exec_child( + } + } + +- if (context->nice_set) +- if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) { ++ if (context->nice_set) { ++ r = setpriority(PRIO_PROCESS, 0, context->nice); ++ if (r == -EPERM || r == -EACCES) { ++ log_open(); ++ log_unit_debug_errno(unit, r, "Failed to adjust Nice setting, assuming containerized execution, ignoring: %m"); ++ log_close(); ++ } else if (r < 0) { + *exit_status = EXIT_NICE; ++ *error_message = strdup("Failed to adjust Nice setting"); + return -errno; + } ++ } + + if (context->cpu_sched_set) { + struct sched_param param = { diff -Nru systemd-234/debian/patches/debian/Ubuntu-resolved-resolvconf-integration.patch systemd-234/debian/patches/debian/Ubuntu-resolved-resolvconf-integration.patch --- systemd-234/debian/patches/debian/Ubuntu-resolved-resolvconf-integration.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/debian/Ubuntu-resolved-resolvconf-integration.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,164 @@ +From: Dimitri John Ledkov +Date: Thu, 20 Jul 2017 22:56:33 +0100 +Subject: resolved: create private stub resolve file for integration with + resolvconf + +This creates a second private resolve.conf file which lists the stub resolver +and the resolved acquired search domains. + +This file is then supplied to resolvconf, such that non-nss using software does +name resolution via stub resolver, with search domains information. + +In the future, this may become the default resolv.conf on Ubuntu. +--- + src/resolve/resolved-resolv-conf.c | 40 +++++++++++++++++++++++- + src/resolve/resolved-resolv-conf.h | 1 + + units/meson.build | 2 ++ + units/systemd-resolved-update-resolvconf.path | 2 ++ + units/systemd-resolved-update-resolvconf.service | 7 +++++ + units/systemd-resolved.service.m4.in | 1 + + 6 files changed, 52 insertions(+), 1 deletion(-) + create mode 100644 units/systemd-resolved-update-resolvconf.path + create mode 100644 units/systemd-resolved-update-resolvconf.service + +diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c +index 3c62550..2fa45d3 100644 +--- a/src/resolve/resolved-resolv-conf.c ++++ b/src/resolve/resolved-resolv-conf.c +@@ -65,6 +65,12 @@ int manager_read_resolv_conf(Manager *m) { + st.st_ino == own.st_ino) + return 0; + ++ /* Is it symlinked to our own stub file? */ ++ if (stat(PRIVATE_STUB_RESOLV_CONF, &own) >= 0 && ++ st.st_dev == own.st_dev && ++ st.st_ino == own.st_ino) ++ return 0; ++ + f = fopen("/etc/resolv.conf", "re"); + if (!f) { + if (errno == ENOENT) +@@ -228,11 +234,27 @@ static int write_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *doma + return fflush_and_check(f); + } + ++static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *domains) { ++ Iterator i; ++ ++ fputs("# This file is managed by man:systemd-resolved(8). 
Do not edit.\n#\n" ++ "# 127.0.0.53 is the systemd-resolved stub resolver.\n" ++ "# run \"systemd-resolve --status\" to see details about the actual nameservers.\n" ++ "nameserver 127.0.0.53\n\n", f); ++ ++ if (!ordered_set_isempty(domains)) ++ write_resolv_conf_search(domains, f); ++ ++ return fflush_and_check(f); ++} ++ + int manager_write_resolv_conf(Manager *m) { + + _cleanup_ordered_set_free_ OrderedSet *dns = NULL, *domains = NULL; + _cleanup_free_ char *temp_path = NULL; ++ _cleanup_free_ char *temp_path_stub = NULL; + _cleanup_fclose_ FILE *f = NULL; ++ _cleanup_fclose_ FILE *f_stub = NULL; + int r; + + assert(m); +@@ -252,8 +274,11 @@ int manager_write_resolv_conf(Manager *m) { + r = fopen_temporary_label(PRIVATE_RESOLV_CONF, PRIVATE_RESOLV_CONF, &f, &temp_path); + if (r < 0) + return log_warning_errno(r, "Failed to open private resolv.conf file for writing: %m"); +- ++ r = fopen_temporary_label(PRIVATE_STUB_RESOLV_CONF, PRIVATE_STUB_RESOLV_CONF, &f_stub, &temp_path_stub); ++ if (r < 0) ++ return log_warning_errno(r, "Failed to open private stub-resolv.conf file for writing: %m"); + (void) fchmod(fileno(f), 0644); ++ (void) fchmod(fileno(f_stub), 0644); + + r = write_resolv_conf_contents(f, dns, domains); + if (r < 0) { +@@ -266,11 +291,24 @@ int manager_write_resolv_conf(Manager *m) { + goto fail; + } + ++ r = write_stub_resolv_conf_contents(f_stub, dns, domains); ++ if (r < 0) { ++ log_error_errno(r, "Failed to write private stub-resolv.conf contents: %m"); ++ goto fail; ++ } ++ ++ if (rename(temp_path_stub, PRIVATE_STUB_RESOLV_CONF) < 0) { ++ r = log_error_errno(errno, "Failed to move private stub-resolv.conf file into place: %m"); ++ goto fail; ++ } ++ + return 0; + + fail: + (void) unlink(PRIVATE_RESOLV_CONF); + (void) unlink(temp_path); ++ (void) unlink(PRIVATE_STUB_RESOLV_CONF); ++ (void) unlink(temp_path_stub); + + return r; + } +diff --git a/src/resolve/resolved-resolv-conf.h b/src/resolve/resolved-resolv-conf.h +index 75fa080..e2ddeb6 100644 +--- 
a/src/resolve/resolved-resolv-conf.h ++++ b/src/resolve/resolved-resolv-conf.h +@@ -22,6 +22,7 @@ + #include "resolved-manager.h" + + #define PRIVATE_RESOLV_CONF "/run/systemd/resolve/resolv.conf" ++#define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf" + + int manager_read_resolv_conf(Manager *m); + int manager_write_resolv_conf(Manager *m); +diff --git a/units/meson.build b/units/meson.build +index 05cff0e..37d754a 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -91,6 +91,8 @@ units = [ + 'sockets.target.wants/'], + ['systemd-networkd.socket', '', + join_paths(pkgsysconfdir, 'system/sockets.target.wants/')], ++ ['systemd-resolved-update-resolvconf.path', '',], ++ ['systemd-resolved-update-resolvconf.service', '',], + ['systemd-rfkill.socket', 'ENABLE_RFKILL'], + ['systemd-tmpfiles-clean.timer', '', + 'timers.target.wants/'], +diff --git a/units/systemd-resolved-update-resolvconf.path b/units/systemd-resolved-update-resolvconf.path +new file mode 100644 +index 0000000..ae0d1af +--- /dev/null ++++ b/units/systemd-resolved-update-resolvconf.path +@@ -0,0 +1,2 @@ ++[Path] ++PathChanged=/run/systemd/resolve/stub-resolv.conf +diff --git a/units/systemd-resolved-update-resolvconf.service b/units/systemd-resolved-update-resolvconf.service +new file mode 100644 +index 0000000..ebec5d8 +--- /dev/null ++++ b/units/systemd-resolved-update-resolvconf.service +@@ -0,0 +1,7 @@ ++[Unit] ++ConditionPathExists=/run/resolvconf/enable-updates ++ConditionFileIsExecutable=/sbin/resolvconf ++ ++[Service] ++Type=oneshot ++ExecStart=+-/bin/sh -c 'cat /run/systemd/resolve/stub-resolv.conf | /sbin/resolvconf -a systemd-resolved' +diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in +index 931156a..8abc04a 100644 +--- a/units/systemd-resolved.service.m4.in ++++ b/units/systemd-resolved.service.m4.in +@@ -14,6 +14,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver + 
After=systemd-networkd.service network.target + Before=network-online.target nss-lookup.target + Wants=nss-lookup.target ++Wants=systemd-resolved-update-resolvconf.path + + # On kdbus systems we pull in the busname explicitly, because it + # carries policy that allows the daemon to acquire its name. diff -Nru systemd-234/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch systemd-234/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch --- systemd-234/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 2017-10-03 03:24:05.000000000 +0000 @@ -0,0 +1,22 @@ +From: Dimitri John Ledkov +Date: Wed, 2 Aug 2017 00:40:28 +0100 +Subject: units: set ConditionVirtualization=!private-users on journald audit + socket + +As it fails to start in an unpriviledged container. +--- + units/systemd-journald-audit.socket | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket +index 541f2cf..6ee8621 100644 +--- a/units/systemd-journald-audit.socket ++++ b/units/systemd-journald-audit.socket +@@ -12,6 +12,7 @@ DefaultDependencies=no + Before=sockets.target + ConditionSecurity=audit + ConditionCapability=CAP_AUDIT_READ ++ConditionVirtualization=!private-users + + [Socket] + Service=systemd-journald.service diff -Nru systemd-234/debian/patches/networkd-change-UseMTU-default-to-true.-6837.patch systemd-234/debian/patches/networkd-change-UseMTU-default-to-true.-6837.patch --- systemd-234/debian/patches/networkd-change-UseMTU-default-to-true.-6837.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/networkd-change-UseMTU-default-to-true.-6837.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,70 @@ +From: Dimitri John Ledkov +Date: Tue, 19 Sep 2017 12:44:37 +0100 +Subject: networkd: change UseMTU default to true. (#6837) + +Typically when DHCP server sets MTU it is a lower one. And a lower than usual +MTU is then thus required on said network to have operational networking. This +makes networkd's dhcp client to work in more similar way to other dhcp-clients +(e.g. isc-dhcp). In particular, in a cloud setting, without this default +instances have resulted in timing out talking to cloud metadata source and +failing to provision. + +This does not change this default for the Annonymize code path. +(cherry picked from commit 22043e4317ecd2bc7834b48a6d364de76bb26d91) +--- + NEWS | 16 ++++++++++++++++ + man/systemd.network.xml | 2 +- + src/network/networkd-network.c | 1 + + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index d56b7a6..00dd665 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,21 @@ + systemd System and Service Manager + ++CHANGES WITH 235: ++ ++ * modprobe.d drop-in is now shipped by default that sets bonding module ++ option max_bonds=0. This overrides the kernel default, to avoid ++ conflicts and ambiguity as to whether or not bond0 should be managed ++ by networkd or not. This resolves multiple bugs of bond0 properties ++ not being applied, when bond0 is configured with ++ networkd. Distributors may choose to not package this, however in ++ that case users will be prevented from correctly managing bond0 ++ interface using networkd. ++ ++ * systemd-networkd .network DHCP setting UseMTU default has changed ++ from false to true. Meaning, DHCP server advertised mtu setting is ++ now applied by default. This resolves networking issues on low-mtu ++ networks. ++ + CHANGES WITH 234: + + * Meson is now supported as build system in addition to Automake. 
It is +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index 6b83a5b..f1592b8 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -951,7 +951,7 @@ + + When true, the interface maximum transmission unit + from the DHCP server will be used on the current link. +- Defaults to false. ++ Defaults to true. + + + +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 6f2ae66..7144ffe 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -166,6 +166,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->dhcp_route_metric = DHCP_ROUTE_METRIC; + network->dhcp_client_identifier = DHCP_CLIENT_ID_DUID; + network->dhcp_route_table = RT_TABLE_MAIN; ++ network->dhcp_use_mtu = true; + + network->dhcp_server_emit_dns = true; + network->dhcp_server_emit_ntp = true; diff -Nru systemd-234/debian/patches/seccomp-arm64-does-not-have-mmap2.patch systemd-234/debian/patches/seccomp-arm64-does-not-have-mmap2.patch --- systemd-234/debian/patches/seccomp-arm64-does-not-have-mmap2.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/seccomp-arm64-does-not-have-mmap2.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,39 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Sat, 15 Jul 2017 19:30:01 +0000 +Subject: seccomp: arm64 does not have mmap2 + +I messed up when adding the definitions in 4278d1f5310f5acb4c6a6788233625234edb5145. +Unfortunately I didn't have the hardware at hand and went by +looking at the kernel headers. + +(cherry picked from commit 53196fafcb7b24b45ed4f48ab894d00a24a6d871) +(cherry picked from commit 79873bc850177050baa0c5165b119adafeebb891) +--- + src/shared/seccomp-util.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 1a8bfbe..637ee85 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -1223,10 +1223,6 @@ int seccomp_memory_deny_write_execute(void) { + + break; + +- case SCMP_ARCH_AARCH64: +- block_syscall = SCMP_SYS(mmap); +- /* fall through */ +- + case SCMP_ARCH_ARM: + filter_syscall = SCMP_SYS(mmap2); /* arm has only mmap2 */ + shmat_syscall = SCMP_SYS(shmat); +@@ -1234,7 +1230,8 @@ int seccomp_memory_deny_write_execute(void) { + + case SCMP_ARCH_X86_64: + case SCMP_ARCH_X32: +- filter_syscall = SCMP_SYS(mmap); /* amd64 and x32 have only mmap */ ++ case SCMP_ARCH_AARCH64: ++ filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */ + shmat_syscall = SCMP_SYS(shmat); + break; + diff -Nru systemd-234/debian/patches/seccomp-arm64-x32-do-not-have-_sysctl.patch systemd-234/debian/patches/seccomp-arm64-x32-do-not-have-_sysctl.patch --- systemd-234/debian/patches/seccomp-arm64-x32-do-not-have-_sysctl.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/seccomp-arm64-x32-do-not-have-_sysctl.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,78 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Sat, 15 Jul 2017 19:28:02 +0000 +Subject: seccomp: arm64/x32 do not have _sysctl + +So don't even try to added the filter to reduce noise. +The test is updated to skip calling _sysctl because the kernel prints +an oops-like message that is confusing and unhelpful: + +Jul 15 21:07:01 rpi3 kernel: test-seccomp[8448]: syscall -10080 +Jul 15 21:07:01 rpi3 kernel: Code: aa0503e4 aa0603e5 aa0703e6 d4000001 (b13ffc1f) +Jul 15 21:07:01 rpi3 kernel: CPU: 3 PID: 8448 Comm: test-seccomp Tainted: G W 4.11.8-300.fc26.aarch64 #1 +Jul 15 21:07:01 rpi3 kernel: Hardware name: raspberrypi rpi/rpi, BIOS 2017.05 06/24/2017 +Jul 15 21:07:01 rpi3 kernel: task: ffff80002bb0bb00 task.stack: ffff800036354000 +Jul 15 21:07:01 rpi3 kernel: PC is at 0xffff8669c7c4 +Jul 15 21:07:01 rpi3 kernel: LR is at 0xaaaac64b6750 +Jul 15 21:07:01 rpi3 kernel: pc : [<0000ffff8669c7c4>] lr : [<0000aaaac64b6750>] pstate: 60000000 +Jul 15 21:07:01 rpi3 kernel: sp : 0000ffffdc640fd0 +Jul 15 21:07:01 rpi3 kernel: x29: 0000ffffdc640fd0 x28: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x27: 0000000000000000 x26: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x25: 0000000000000000 x24: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x23: 0000000000000000 x22: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x21: 0000aaaac64b4940 x20: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x19: 0000aaaac64b88f8 x18: 0000000000000020 +Jul 15 21:07:01 rpi3 kernel: x17: 0000ffff8669c7a0 x16: 0000aaaac64d2ee0 +Jul 15 21:07:01 rpi3 kernel: x15: 0000000000000000 x14: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x13: 203a657275746365 x12: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x11: 0000ffffdc640418 x10: 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x9 : 0000000000000005 x8 : 00000000ffffd8a0 +Jul 15 21:07:01 rpi3 kernel: x7 : 7f7f7f7f7f7f7f7f x6 : 7f7f7f7f7f7f7f7f +Jul 15 21:07:01 rpi3 kernel: x5 : 65736d68716f7277 x4 : 0000000000000000 +Jul 15 
21:07:01 rpi3 kernel: x3 : 0000000000000008 x2 : 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: x1 : 0000000000000000 x0 : 0000000000000000 +Jul 15 21:07:01 rpi3 kernel: + +(cherry picked from commit 1e20e640132c700c23494bb9e2619afb83878380) +(cherry picked from commit 2e64e8f46d726689a44d4084226fe3e0ea255c29) +--- + src/shared/seccomp-util.c | 4 ++++ + src/test/test-seccomp.c | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 36843d4..1a8bfbe 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -899,6 +899,10 @@ int seccomp_protect_sysctl(void) { + + log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); + ++ if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64)) ++ /* No _sysctl syscall */ ++ continue; ++ + r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); + if (r < 0) + return r; +diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c +index efd145e..50fe24c 100644 +--- a/src/test/test-seccomp.c ++++ b/src/test/test-seccomp.c +@@ -244,13 +244,17 @@ static void test_protect_sysctl(void) { + assert_se(pid >= 0); + + if (pid == 0) { ++#if __NR__sysctl > 0 + assert_se(syscall(__NR__sysctl, NULL) < 0); + assert_se(errno == EFAULT); ++#endif + + assert_se(seccomp_protect_sysctl() >= 0); + ++#if __NR__sysctl > 0 + assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); + assert_se(errno == EPERM); ++#endif + + _exit(EXIT_SUCCESS); + } diff -Nru systemd-234/debian/patches/series systemd-234/debian/patches/series --- systemd-234/debian/patches/series 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/patches/series 2017-10-04 08:10:12.000000000 +0000 
@@ -1,4 +1,10 @@ test-condition-don-t-assume-that-all-non-root-users-are-n.patch +tests-ignore-router-state-in-networkd-test-6390.patch +seccomp-arm64-x32-do-not-have-_sysctl.patch +seccomp-arm64-does-not-have-mmap2.patch +test-seccomp-arm64-does-not-have-access-and-poll.patch +networkd-change-UseMTU-default-to-true.-6837.patch +core-unlink-the-invocation-id-key-if-cannot-change-keyrin.patch debian/Use-Debian-specific-config-files.patch debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch @@ -25,3 +31,9 @@ debian/Mark-test-timesync-as-manual.patch debian/Avoid-requiring-a-kvm-system-group.patch debian/Revert-units-Tell-login-to-preserve-environment.patch +debian/Skip-starting-systemd-remount-fs.service-in-containers.patch +debian/Ubuntu-UseDomains-by-default.patch +debian/Ubuntu-resolved-resolvconf-integration.patch +debian/Ubuntu-Ship-modprobe.d-drop-in-to-set-bonding-max_bonds-to-0.patch +debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch +debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch diff -Nru systemd-234/debian/patches/test-seccomp-arm64-does-not-have-access-and-poll.patch systemd-234/debian/patches/test-seccomp-arm64-does-not-have-access-and-poll.patch --- systemd-234/debian/patches/test-seccomp-arm64-does-not-have-access-and-poll.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/test-seccomp-arm64-does-not-have-access-and-poll.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,40 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Sat, 15 Jul 2017 19:30:48 +0000 +Subject: test-seccomp: arm64 does not have access() and poll() + +glibc uses faccessat and ppoll, so just add a filters for that. + +(cherry picked from commit abc0213839fef92e2e2b98a434914f22ece48490) +(cherry picked from commit f60a865a496e1e6fde7436b4013dd8ff677f29a1) +--- + src/test/test-seccomp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c +index 50fe24c..28fe206 100644 +--- a/src/test/test-seccomp.c ++++ b/src/test/test-seccomp.c +@@ -529,7 +529,11 @@ static void test_load_syscall_filter_set_raw(void) { + assert_se(poll(NULL, 0, 0) == 0); + + assert_se(s = set_new(NULL)); ++#if SCMP_SYS(access) >= 0 + assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0); ++#else ++ assert_se(set_put(s, UINT32_TO_PTR(__NR_faccessat + 1)) >= 0); ++#endif + + assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0); + +@@ -541,7 +545,11 @@ static void test_load_syscall_filter_set_raw(void) { + s = set_free(s); + + assert_se(s = set_new(NULL)); ++#if SCMP_SYS(poll) >= 0 + assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0); ++#else ++ assert_se(set_put(s, UINT32_TO_PTR(__NR_ppoll + 1)) >= 0); ++#endif + + assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0); + diff -Nru systemd-234/debian/patches/tests-ignore-router-state-in-networkd-test-6390.patch systemd-234/debian/patches/tests-ignore-router-state-in-networkd-test-6390.patch --- systemd-234/debian/patches/tests-ignore-router-state-in-networkd-test-6390.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/patches/tests-ignore-router-state-in-networkd-test-6390.patch 2017-10-03 03:24:05.000000000 +0000 
@@ -0,0 +1,26 @@ +From: Martin Pitt +Date: Tue, 18 Jul 2017 00:06:35 +0200 +Subject: tests: ignore router state in networkd test (#6390) + +In networkd-test.py, don't assert that the router state is "routable". +While it should eventually become that, we don't wait for it, and thus +at that point it often is "carrier" or "degrated" still. It is also not +really relevant as this only tests the "client" side interface. +(cherry picked from commit 23fa427d660be54ba3fa98842023dd9b7e77a1b0) +--- + test/networkd-test.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/networkd-test.py b/test/networkd-test.py +index eee8b65..9bf7ee0 100755 +--- a/test/networkd-test.py ++++ b/test/networkd-test.py +@@ -334,7 +334,7 @@ DHCP=%s + + # check networkctl state + out = subprocess.check_output(['networkctl']) +- self.assertRegex(out, (r'%s\s+ether\s+routable\s+unmanaged' % self.if_router).encode()) ++ self.assertRegex(out, (r'%s\s+ether\s+[a-z-]+\s+unmanaged' % self.if_router).encode()) + self.assertRegex(out, (r'%s\s+ether\s+routable\s+configured' % self.iface).encode()) + + out = subprocess.check_output(['networkctl', 'status', self.iface]) diff -Nru systemd-234/debian/rules systemd-234/debian/rules --- systemd-234/debian/rules 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/rules 2017-10-04 08:17:13.000000000 +0000 @@ -10,9 +10,11 @@ ifeq ($(DEB_VENDOR),Ubuntu) DEFAULT_NTP_SERVERS = ntp.ubuntu.com SUPPORT_URL = http://www.ubuntu.com/support + CONFFLAGS_DISTRO = -Ddns-servers='' else DEFAULT_NTP_SERVERS = 0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org SUPPORT_URL = https://www.debian.org/support + CONFFLAGS_DISTRO = endif # fail on missing files and symbols changes on distro builds, but not if we 
@@ -50,7 +52,7 @@ -Dzshcompletiondir=/usr/share/zsh/vendor-completions \ -Ddbuspolicydir=/usr/share/dbus-1/system.d/ \ -Dsupport-url=$(SUPPORT_URL) \ - -Dkill-user-processes=false \ + -Ddefault-kill-user-processes=false \ -Dpamconfdir=no \ -Dqrencode=false \ -Dvconsole=false \ @@ -146,10 +148,10 @@ override_dh_auto_configure: dh_auto_configure --builddirectory=build-deb \ - -- $(CONFFLAGS) $(CONFFLAGS_deb) + -- $(CONFFLAGS) $(CONFFLAGS_DISTRO) $(CONFFLAGS_deb) ifeq (, $(filter noudeb, $(DEB_BUILD_PROFILES))) dh_auto_configure --builddirectory=build-udeb \ - -- $(CONFFLAGS) $(CONFFLAGS_udeb) + -- $(CONFFLAGS) $(CONFFLAGS_DISTRO) $(CONFFLAGS_udeb) endif override_dh_auto_build: @@ -249,6 +251,8 @@ install --mode=644 debian/extra/rules-ubuntu/*.rules debian/udev/lib/udev/rules.d/ cp -a debian/extra/units-ubuntu/* debian/systemd/lib/systemd/system/ install --mode=755 debian/extra/set-cpufreq debian/systemd/lib/systemd/ + install -D --mode=755 debian/extra/write_persistent_net_s390x_virtio debian/udev/usr/share/systemd/write_persistent_net_s390x_virtio + install -D --mode=755 debian/extra/dhclient-enter-resolved-hook debian/systemd/etc/dhcp/dhclient-enter-hooks.d/resolved endif override_dh_installinit: @@ -268,7 +272,8 @@ dh_makeshlibs --remaining-packages -- -c$(GENSYMBOLS_LEVEL) override_dh_strip: - dh_strip --dbgsym-migration='systemd-dbg (<< 229-6~)' + # make sure test-copy is not too small for test-copy to fail LP: #1721203 + dh_strip -X test-copy --dbgsym-migration='systemd-dbg (<< 229-6~)' override_dh_auto_test: ifeq (, $(filter nocheck, $(DEB_BUILD_OPTIONS))) diff -Nru systemd-234/debian/systemd.install systemd-234/debian/systemd.install --- systemd-234/debian/systemd.install 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/systemd.install 2017-10-03 03:24:05.000000000 +0000 
@@ -57,6 +57,7 @@ #usr/lib/sysusers.d/ usr/lib/systemd/ usr/lib/tmpfiles.d/ +lib/modprobe.d/ usr/lib/kernel usr/share/locale/ var/lib diff -Nru systemd-234/debian/systemd.postinst systemd-234/debian/systemd.postinst --- systemd-234/debian/systemd.postinst 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/systemd.postinst 2017-10-04 08:10:12.000000000 +0000 @@ -39,6 +39,32 @@ systemctl enable systemd-timesyncd.service || true fi +# Enable resolved by default on new installs installs and upgrades +if dpkg --compare-versions "$2" lt "234-1ubuntu2~"; then + systemctl enable systemd-resolved.service || true +fi + +# Drop stock /etc/rc.local on upgrades +if dpkg --compare-versions "$2" lt "234-2ubuntu11~"; then + if [ -f /etc/rc.local ]; then + if [ "10fd9f051accb6fd1f753f2d48371890" = "$(md5sum /etc/rc.local | cut -d\ -f1)" ]; then + echo Removing empty /etc/rc.local + rm -f /etc/rc.local || true + fi + fi +fi + +# Use stub resolve.conf by default on new installs +if [ -z "$2" ]; then + mkdir -p /run/systemd/resolve + if [ -e /etc/resolv.conf ]; then + cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf + fi + # If /etc/resolv.conf is a bind-mount, moving or replacing + # /etc/resolv.conf may fail + ln -snf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || true +fi + # Enable ondemand by default on new installs installs and upgrades if [ -e /lib/systemd/system/ondemand.service ] && dpkg --compare-versions "$2" lt "231-7~"; then systemctl enable ondemand.service || true 
@@ -125,6 +151,13 @@ done $ADT_ARTIFACTS/running-jobs.txt || true + fi echo "checking that there are no running jobs" - TIMEOUT=10 - while [ $TIMEOUT -ge 0 ]; do - running="$(systemctl --no-pager --no-legend list-jobs || true)" - [ -n "$running" ] || break - TIMEOUT=$((TIMEOUT - 1)) - done + running="$(systemctl --no-pager --no-legend list-jobs || true)" if [ -n "$running" ]; then echo "running jobs after remaining timeout $TIMEOUT: $running" journalctl --sync journalctl -ab > $ADT_ARTIFACTS/journal.txt udevadm info --export-db > $ADT_ARTIFACTS/udevdb.txt - exit 1 + ret=1 + fi + + if [ "$ret" != "0" ]; then + exit $ret fi fi diff -Nru systemd-234/debian/tests/control systemd-234/debian/tests/control --- systemd-234/debian/tests/control 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/tests/control 2017-10-04 08:10:12.000000000 +0000 @@ -1,5 +1,6 @@ Tests: timedated, hostnamed, localed-locale, localed-x11-keymap Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -7,6 +8,7 @@ Tests: logind Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -15,6 +17,7 @@ Tests: unit-config Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -25,6 +28,7 @@ Tests: storage Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -37,6 +41,7 @@ Tests: networkd-test.py Tests-Directory: test Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -51,6 +56,7 @@ Tests: build-login Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -67,13 +73,14 @@ Tests: boot-and-services Depends: systemd-sysv, + systemd, + udev, systemd-container, systemd-coredump, libpam-systemd, xserver-xorg-video-dummy, xserver-xorg, - lightdm, - lightdm-gtk-greeter | lightdm-greeter, + gdm3 [!s390x], cron, network-manager, busybox-static, @@ -84,6 +91,7 @@ Tests: udev Depends: systemd-tests, + udev, tree, perl, xz-utils, @@ -91,6 +99,7 @@ Tests: root-unittests Depends: systemd-tests, + udev, tree, perl, xz-utils, 
@@ -125,6 +134,9 @@ systemd-container, Restrictions: needs-root, allow-stderr, isolation-machine +Tests: logind-kill-off +Depends: systemd + Tests: boot-smoke Depends: libsystemd-dev, tree, @@ -151,7 +163,7 @@ systemd-sysv, network-manager, policykit-1, - lightdm, + gdm3 [!s390x], xserver-xorg-video-dummy, Restrictions: needs-recommends, needs-root, isolation-container, allow-stderr, breaks-testbed diff -Nru systemd-234/debian/tests/logind-kill-off systemd-234/debian/tests/logind-kill-off --- systemd-234/debian/tests/logind-kill-off 1970-01-01 00:00:00.000000000 +0000 +++ systemd-234/debian/tests/logind-kill-off 2017-10-03 03:24:05.000000000 +0000 @@ -0,0 +1,5 @@ +#!/bin/sh +set -e +# Default KillUserProcesses should be off for debian/ubuntu builds +r=$(busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager KillUserProcesses) +[ "b false" = "$r" ] diff -Nru systemd-234/debian/tests/root-unittests systemd-234/debian/tests/root-unittests --- systemd-234/debian/tests/root-unittests 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/tests/root-unittests 2017-10-03 03:24:05.000000000 +0000 @@ -9,6 +9,15 @@ test-catalog " +# test-execute fail on armhf and are currently executed on arm64 kernels. +# https://github.com/systemd/systemd/issues/5851 +arch=$(dpkg --print-architecture) +if [ "$arch" = "armhf" ]; then + EXFAIL="$EXFAIL +test-execute +" +fi + res=0 for t in /usr/lib/systemd/tests/test-*; do tname=$(basename $t) diff -Nru systemd-234/debian/udev.postinst systemd-234/debian/udev.postinst --- systemd-234/debian/udev.postinst 2017-07-20 13:13:42.000000000 +0000 +++ systemd-234/debian/udev.postinst 2017-10-04 08:10:12.000000000 +0000 
@@ -85,6 +85,14 @@ NamePolicy=onboard kernel EOF fi + + # 232-20 (232-21ubuntu3 in ubuntu) introduced predicable interface names on + # s390x for virtio However, we should preserve ethX names on upgrade. + if [ -x /usr/share/systemd/write_persistent_net_s390x_virtio ]; then + if dpkg --compare-versions "$2" lt-nl "232-21ubuntu3~"; then + /usr/share/systemd/write_persistent_net_s390x_virtio || true + fi + fi } update_hwdb() {
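Review bot: in the debian/rules hunk at `@@ -10,9 +10,11 @@`, the new `CONFFLAGS_DISTRO = -Ddns-servers=''` line for the Ubuntu vendor carries no comment stating its intent. Since `-Ddns-servers` is the meson option that sets resolved's compiled-in fallback DNS server list, add a comment saying that the empty value means resolved never falls back to upstream's hard-coded public resolvers when no DNS servers are configured, and add a matching changelog entry, so the setting is not "cleaned up" later as an apparently empty flag.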
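Review bot: the rename from `-Dkill-user-processes=false` to `-Ddefault-kill-user-processes=false` in the `@@ -50,7 +52,7 @@` hunk of debian/rules should carry a comment pointing at the new `logind-kill-off` autopkgtest added further down, since a misspelled option name that the build tooling does not reject is exactly the regression that test guards against; without the cross-reference, a later cleanup of either side loses the connection.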
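Review bot: in the `@@ -249,6 +251,8 @@` hunk of debian/rules, the two new `install -D` lines have no comment explaining package ownership: `write_persistent_net_s390x_virtio` goes into the udev package (consistent with its use in udev.postinst below), while the dhclient hook is installed as `debian/systemd/etc/dhcp/dhclient-enter-hooks.d/resolved` and therefore becomes a conffile of the systemd package. Add a one-line comment per file saying which package owns it and why, and mention in the changelog that the hook is shipped as a conffile so local edits survive upgrades.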
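Review bot: the comment added in the `@@ -268,7 +272,8 @@` hunk of debian/rules, `# make sure test-copy is not too small for test-copy to fail LP: #1721203`, reads as the opposite of what is intended; reword it to something like `# do not strip test-copy: the test needs a large enough binary to copy (LP: #1721203)` so the reason for the `-X test-copy` exclusion is clear.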
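Review bot: in the systemd.postinst hunk, `cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf` fails with "are the same file" when /etc/resolv.conf is already a symlink to that stub file (for example on an image preconfigured for resolved), and unlike the `ln -snf ... || true` line below it has no `|| true`, so if the script runs under `set -e` the whole postinst aborts. Either append `|| true` or skip the copy when the two paths resolve to the same file. Also fix the doubled word in the new comment `# Enable resolved by default on new installs installs and upgrades` (copied from the existing ondemand comment, which has the same typo).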
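Review bot: in the tests/boot-smoke hunk at `@@ -125,6 +151,13 @@`, the removed `TIMEOUT=10` loop was the only definition of `$TIMEOUT` in view, yet the unchanged line `echo "running jobs after remaining timeout $TIMEOUT: $running"` still prints it, so the message now reports an empty value; drop the "remaining timeout" wording. Likewise `ret=1` and `if [ "$ret" != "0" ]` rely on `ret` being initialised to 0 earlier in the script, which this hunk does not show; if it is not, an empty `$ret` makes the comparison true and `exit $ret` becomes `exit` with no argument.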
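Review bot: the new stanza in the tests/control hunk at `@@ -125,6 +134,9 @@`, `Tests: logind-kill-off` / `Depends: systemd`, has no Restrictions line, unlike the other tests in this file that talk to a running systemd (for example `Restrictions: needs-root, allow-stderr, isolation-machine` just above it). The test script queries `org.freedesktop.login1` over the system bus with busctl, which only answers when the testbed is booted with systemd as PID 1, so add at least `Restrictions: isolation-container`.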
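Review bot: the `gdm3 [!s390x]` replacement for `lightdm` and `lightdm-gtk-greeter | lightdm-greeter` in the tests/control hunk at `@@ -67,13 +73,14 @@` (and again at `@@ -151,7 +163,7 @@`) changes which display manager the boot-and-services and boot-smoke tests exercise; the corresponding test script changes listed in the diffstat are not in this excerpt, so please confirm they were updated in the same upload and note the switch in the changelog.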
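Review bot: the comment added in the tests/root-unittests hunk, `# test-execute fail on armhf and are currently executed on arm64 kernels.`, is hard to parse; suggest `# test-execute fails on armhf because the armhf builders currently run arm64 kernels.` followed by the issue URL. The `EXFAIL` append builds a newline-separated list inside a quoted string, which matches the existing list style above it, so no change is needed there.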
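Review bot: in the udev.postinst hunk, the comment `# 232-20 (232-21ubuntu3 in ubuntu) introduced predicable interface names on` has a typo ("predictable") and is missing the sentence break before "However"; reword it. The version check `dpkg --compare-versions "$2" lt-nl "232-21ubuntu3~"` correctly uses `lt-nl` so that fresh installs (empty `$2`) skip the ethX preservation and get predictable names, which is worth stating in the comment since the other checks in this file use plain `lt`.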