diffstat of debian/ for systemd_240-6 systemd_240-6ubuntu4 changelog | 1528 ++++++++++ control | 19 extra/dhclient-enter-resolved-hook | 72 extra/modprobe.d-udeb/scsi-mod-scan-sync.conf | 4 extra/start-udev | 6 extra/units/systemd-resolved.service.d/resolvconf.conf | 8 gbp.conf | 3 libnss-resolve.postrm | 4 patches/Install-routes-after-addresses-are-ready.patch | 93 patches/Move-link_check_ready-to-later-in-the-file.patch | 148 patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch | 39 patches/core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch | 26 patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch | 27 patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch | 28 patches/debian/UBUNTU-Support-system-image-read-only-etc.patch | 84 patches/debian/UBUNTU-bump-selftest-timeouts.patch | 79 patches/debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch | 30 patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch | 42 patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch | 22 patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch | 66 patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch | 40 patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch | 23 patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch | 23 patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch | 38 patches/debian/UBUNTU-units-disable-journald-watchdog.patch | 22 patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch | 42 patches/debian/Ubuntu-UseDomains-by-default.patch | 75 patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch | 39 patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch | 22 patches/llmnr-add-comment-why-we-install-no-complete-handler-on-s.patch | 21 
patches/network-do-not-remove-rule-when-it-is-requested-by-e.patch | 58 patches/network-remove-routing-policy-rule-from-foreign-rule.patch | 51 patches/networkd-honour-LinkLocalAddressing.patch | 55 patches/pam-systemd-use-secure_getenv-rather-than-getenv.patch | 40 patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch | 74 patches/resolved-add-comment-to-dns_stream_complete-about-its-err.patch | 24 patches/resolved-keep-stub-stream-connections-up-for-as-long-as-c.patch | 196 + patches/resolved-only-call-complete-with-zero-argument-in-LLMNR-c.patch | 31 patches/resolved-restart-stream-timeout-whenever-we-managed-to-re.patch | 64 patches/series | 38 patches/stream-follow-coding-style-don-t-use-degrade-to-bool-for-.patch | 22 patches/stream-track-type-of-DnsStream-object.patch | 180 + patches/test-test-functions-on-PP64-use-vmlinux.patch | 33 patches/test-test-functions-on-PPC64-use-hvc0-console.patch | 39 patches/tests-Add-test-for-IPv6-source-routing.patch | 73 patches/transaction-simplify-handling-if-we-get-an-unexpected-DNS.patch | 40 patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch | 116 rules | 5 systemd.postinst | 51 systemd.prerm | 15 tests/boot-and-services | 9 tests/boot-smoke | 49 tests/control | 13 tests/systemd-fsckd | 33 tests/upstream | 10 udev-udeb.install | 1 56 files changed, 3937 insertions(+), 56 deletions(-)
diff -Nru systemd-240/debian/changelog systemd-240/debian/changelog
--- systemd-240/debian/changelog 2019-02-18 13:54:04.000000000 +0000
+++ systemd-240/debian/changelog 2019-04-10 00:06:03.000000000 +0000
@@ -1,3 +1,39 @@
+systemd (240-6ubuntu4) disco; urgency=medium
+
+ * pam-systemd: use secure_getenv() rather than getenv()
+ CVE-2019-3842
+ File: debian/patches/pam-systemd-use-secure_getenv-rather-than-getenv.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f3291e9e8c3eafd0c8921cb26a0d5ee0fd563b3c
+
+ * core: queue jobs on uninstall to generate PropertiesChanged signal.
+ (LP: #1816812)
+ File: debian/patches/core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=241deca98fb9a0f1ba9a6ba781f738fb31a3bd80
+
+ -- Dimitri John Ledkov Wed, 10 Apr 2019 01:06:03 +0100
+
+systemd (240-6ubuntu3) disco; urgency=medium
+
+ * virt: detect WSL environment as a container (LP: #1816753)
+ * debian/control: Update Vcs-{Browser|Git} to Ubuntu's packaging repository
+ * debian/gbp.conf: Set tag format to ubuntu/*
+
+ -- Balint Reczey Fri, 22 Mar 2019 18:39:48 +0100
+
+systemd (240-6ubuntu2) disco; urgency=medium
+
+ * d/p/network-remove-routing-policy-rule-from-foreign-rule.patch
+ * d/p/network-do-not-remove-rule-when-it-is-requested-by-e.patch
+ - Fix RoutingPolicyRule does not apply correctly (LP: #1818282)
+
+ -- Ioanna Alifieraki Mon, 04 Mar 2019 10:32:19 +0000
+
+systemd (240-6ubuntu1) disco; urgency=medium
+
+ * Release to ubuntu.
+
+ -- Dimitri John Ledkov Wed, 20 Feb 2019 21:41:03 +0100
+
 systemd (240-6) unstable; urgency=high * High urgency as this fixes a vulnerability.
@@ -45,6 +81,113 @@
 -- Martin Pitt Mon, 18 Feb 2019 13:54:04 +0000
+systemd (240-5ubuntu4) disco; urgency=medium
+
+ * debian/tests/control: add socat to upstream tests for pull #11591
+ File: debian/tests/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=7dff5196e23f50d15c0e0c4cb6742a1cc1cc704a
+
+ * udevadm: Fix segfault with subsystem-match containing '/' (Closes: #919206)
+ Author: Martin Pitt
+ File: debian/patches/udevadm-fix-segfault.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=736973d38676301f276716f22a746aed2489baac
+
+ * Blacklist TEST-10-ISSUE-2467 #11706
+ File: debian/tests/upstream
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f93b9e46b54388370da7b0cd7f858031be3a2578
+
+ * Fix comment about why we disable hwclock.service.
+ Systemd nowadays doesn't do it itself because the kernel does it on its own when necessary,
+ and when not, it is not safe to save the hwclock (eg, there is no certainty the system clock
+ is correct)
+ Author: Felipe Sateler
+ File: debian/systemd.links
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=8473f88fffdb9db1f5ba547bb692a911997f2569
+
+ * udev: Backport upstream preventing mass killings when not running under systemd
+ (Closes: #918764)
+ Author: Felipe Sateler
+ File: debian/patches/udev-check-whether-systemd-is-running-and-do-not-use-cg_k.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=617ee70c31c45ea5d5c6c7b30766d47f0b89446c
+
+ * debian/tests/storage: fix for LUKS2 and avoid interactive password prompts.
+ File: debian/tests/storage
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5594ebf325816e76a8c58043c56fc94f2d52b2a6
+
+ -- Dimitri John Ledkov Thu, 14 Feb 2019 14:51:37 +0000
+
+systemd (240-5ubuntu3) disco; urgency=medium
+
+ * debian/tests: blacklist upstream test-24-unit-tests on ppc64le.
+ Fails, not a regression as it's a new test case, which was never before
+ executed on ppc64le.
+ File: debian/tests/upstream
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=8062b9a2712c390010d2948eaf764a1b52e68715
+
+ -- Dimitri John Ledkov Sat, 02 Feb 2019 11:05:12 +0100
+
+systemd (240-5ubuntu2) disco; urgency=medium
+
+ * core: Revert strict mount namespacing/sandboxing, until LXD allows the needed mounts.
+ (LP: #1813622)
+ File: debian/patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=030919ba5e4931d6ee576d0259fae67fe4ed9770
+
+ * resolved: add support for pipelined requests. (LP: #1811471)
+ Files:
+ - debian/patches/llmnr-add-comment-why-we-install-no-complete-handler-on-s.patch
+ - debian/patches/resolved-add-comment-to-dns_stream_complete-about-its-err.patch
+ - debian/patches/resolved-keep-stub-stream-connections-up-for-as-long-as-c.patch
+ - debian/patches/resolved-only-call-complete-with-zero-argument-in-LLMNR-c.patch
+ - debian/patches/resolved-restart-stream-timeout-whenever-we-managed-to-re.patch
+ - debian/patches/stream-follow-coding-style-don-t-use-degrade-to-bool-for-.patch
+ - debian/patches/stream-track-type-of-DnsStream-object.patch
+ - debian/patches/transaction-simplify-handling-if-we-get-an-unexpected-DNS.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=8ad1db08c2135af098a33957ce7cffbe21fb683f
+
+ * networkd: [Route] PreferredSource not working in *.network files.
+ (LP: #1812760)
+ Files:
+ - debian/patches/Install-routes-after-addresses-are-ready.patch
+ - debian/patches/Move-link_check_ready-to-later-in-the-file.patch
+ - debian/patches/tests-Add-test-for-IPv6-source-routing.patch
+ - debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b4e2ee0b2ac1be2ae78952890a56a2d5398df518
+
+ -- Dimitri John Ledkov Wed, 30 Jan 2019 11:46:53 +0000
+
+systemd (240-5ubuntu1) disco; urgency=medium
+
+ * Reenable pristine-tar in gbp.conf.
+ The pristine-tar bug has been fixed, so we can use it again.
+ This reverts commit 9fcfbbf6fea15eacfa3fad74240431c5f2c3300e.
+ Author: Felipe Sateler
+ File: debian/gbp.conf
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=045998b2a974f9322535fef6018b3c5fff6da342
+
+ * debian/tests/storage: improve cleanups.
+ On fast ppc64el machines, cryptsetup start job may not complete by the time
+ tearDown is executed. In that case stop, causes to simply cancel the start job
+ without actually cleaning up the dmsetup node. This leads to failing subsequent
+ test as it no longer starts with a clean device. Thus ensure the
+ systemd-cryptsetup unit is started, before stopping it.
+ Also rmmod scsi_debug module at the end, to allow re-running the test in a
+ loop.
+ File: debian/tests/storage
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=bfafb0924a59f2a93bcde00fc9eeea5c4d058977
+
+ * d/watch: add version mangle to transform -rc to ~rc.
+ Upstream has started releasing rcs, so let's account for that
+ Author: Felipe Sateler
+ File: debian/watch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=db2dbed693ac75c88ea6ed923537d18d30fc1cdf
+
+ * debian/tests/upstream: Mark TEST-13-NSPAWN-SMOKE as flakey.
+ File: debian/tests/upstream
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a106d9c60b7b9fc3e16e423ca6a4d376560927cc
+
+ -- Dimitri John Ledkov Mon, 28 Jan 2019 13:52:58 +0000
+
 systemd (240-5) unstable; urgency=medium [ Felipe Sateler ]
@@ -55,6 +198,337 @@
 -- Martin Pitt Sun, 27 Jan 2019 21:33:07 +0000
+systemd (240-4ubuntu2) disco; urgency=medium
+
+ * Import patches to support PPC64LE qemu based testing.
+ Files:
+ - debian/tests/control
+ - debian/patches/test-test-functions-on-PP64-use-vmlinux.patch
+ - debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=483a4daba07f809883883e8e8b9c365cfbf7256e
+
+ -- Dimitri John Ledkov Thu, 24 Jan 2019 16:55:01 +0000
+
+systemd (240-4ubuntu1) disco; urgency=medium
+
+ * Skip starting systemd-remount-fs.service in containers
+ even when /etc/fstab is present.
+ This allows entering fully running state even when /etc/fstab
+ lists / to be mounted from a device which is not present in the
+ container. (LP: #1576341)
+ Author: Balint Reczey
+ File: debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3bde262e129a9d2c60eeff37e63d3da7d58ce5dd
+
+ * Set UseDomains to true, by default, on Ubuntu.
+ On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries
+ to a preset 3rd party by default. In resolved, dnssec is also disabled by
+ default, as too much of the internet is broken and using Ubuntu users to debug
+ the internet is not very productive - most of the time the end-user cannot fix
+ or know how to notify the site owners about the dnssec mistakes. Inherintally
+ the DHCP acquired DNS servers are therefore trusted, and are free to spoof
+ records. Not trusting DNS search domains, in such scenario, provides limited
+ security or privacy benefits. From user point of view, this also appears to be
+ a regression from previous Ubuntu releases which do trust DHCP acquired search
+ domains by default.
+ Therefore we are enabling UseDomains by default on Ubuntu.
+ Users may override this setting in the .network files by specifying
+ [DHCP|IPv6AcceptRA] UseDomains=no|route options.
+ File: debian/patches/debian/Ubuntu-UseDomains-by-default.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1e5b00cdfd6b9317704e1383d26365a68c041c56
+
+ * Enable systemd-resolved by default
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=05adfa0902115f51c1196ad623165a75bb8b4313
+
+ * Create /etc/resolv.conf at postinst, pointing at the stub resolver.
+ The stub resolver file is dynamically managed by systemd-resolved. It points at
+ the stub resolver as the nameserver, however it also dynamically updates the
+ search stanza, thus non-nss dns tools work correctly with unqualified names and
+ correctly use the DHCP acquired search domains.
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ef4adf46bbbe2d22508b70b889d23da53b85039d
+
+ * libnss-resolve: do not disable and stop systemd-resolved
+ resolved is always used by default on ubuntu via stub resolver, therefore it
+ should continue to operate without libnss-resolve module installed.
+ File: debian/libnss-resolve.postrm
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=95577d14e84e19b614b83b2e24985d89e8c2dac0
+
+ * Ignore failures to set Nice priority on services in containers.
+ File: debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5b8e457f8d883fc6f55d33d46b3474926a495d29
+
+ * units: set ConditionVirtualization=!private-users on journald audit socket.
+ It fails to start in unprivileged containers.
+ File: debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=03ed18a9940731bbf794ad320fabf337488835c6
+
+ * debian/tests: Switch to gdm, enforce udev upgrade.
+ Files:
+ - debian/tests/boot-and-services
+ - debian/tests/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f350b43ccc1aa31c745b4ccebbb4084d5cea41ff
+
+ * Always setup /etc/resolv.conf on new installations.
+ On new installations, /etc/resolv.conf will always exist. Move it to /run
+ and replace it with the desired final symlink. (LP: #1712283)
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=20bc8a37fa3c9620bed21a56a4eabd71db71d861
+
+ * Enable systemd-networkd by default.
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e5ff45174306b17077b907bc25cfd763ac6934f1
+
+ * boot-and-services: skip gdm3 tests when absent, as it is on s390x.
+ Files:
+ - debian/tests/boot-and-services
+ - debian/tests/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cf05ba013979f53ad69fd2c548ec01c7a5339f64
+
+ * initramfs-tools: trigger udevadm add actions with subsystems first.
+ This updates the initramfs-tools init-top udev script to trigger udevadm
+ actions with type specified. This mimicks the
+ systemd-udev-trigger.service. Without type specified only devices are
+ triggered, but triggering subsystems may also be required and should happen
+ before triggering the devices. This is the case for example on s390x with zdev
+ generated udev rules. (LP: #1713536)
+ File: debian/extra/initramfs-tools/scripts/init-top/udev
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4016ca5629b6c56b41a4f654e7a808c82e290cac
+
+ * Ubuntu/extra: ship dhclient-enter hook.
+ This allows isc-dhcp dhclient to set search domains and nameservers via
+ resolved.
+ Files:
+ - debian/extra/dhclient-enter-resolved-hook
+ - debian/rules
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f3398a213f80b02bf3db0c1ce9e22d69f6d56764
+
+ * Disable systemd-networkd-wait-online by default.
+ Currently it is not fit for purpose, as it leads to long boot times when
+ networking is unplugged or not yet configured on boot. (LP: #1714301)
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=694473d812b50d2fefd6494d494ca02b91bc8785
+
+ * postinst: drop empty/stock /etc/rc.local (LP: #1716979)
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e7d071a26a79558771303b0b87f007e650eaebbe
+
+ * Improve resolvconf integration.
+ Make the .path|.service unit that feed resolved data into resolvconf not
+ generate failures if resolvconf is not installed.
+ Add a check to make sure that resolved does not read /etc/resolv.conf when that
+ is symlinked to stub-resolv.conf. (LP: #1717995)
+ File: debian/patches/debian/Ubuntu-resolved-resolvconf-integration.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d9f0f89985a141c1588d67e4868ad68cff6956fb
+
+ * Ship systemd sysctl settings.
+ Patch systemd's default sysctl settings to drop things that are set elsewhere
+ already.
+ The promote secondary IP addresses is required for networkd to successfully
+ renew DHCP leases with a change of an IP address.
+ Set default package scheduler to Fair Queue CoDel.
(LP: #1721223)
+ Files:
+ - debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch
+ - debian/rules
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=7cd041a6d0ef459e4b2a82d8ea5fa1ce05184dfb
+
+ * resolved.service: set DefaultDependencies=no (LP: #1734167)
+ File: debian/patches/resolved.service-set-DefaultDependencies-no.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a6ced6331ff7f99704213547a0b94dc06935d508
+
+ * systemd.postinst: enable persistent journal. (LP: #1618188)
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f94f18d9dbc085b6a9ff33c141a6e542142f85b5
+
+ * Disable LLMNR and MulticastDNS by default LP: #1739672
+ Files:
+ - debian/changelog
+ - debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b4ec428e83696a5cd0405b677a35e97681867629
+
+ * Enable qemu tests on all architectures LP: #1749540
+ Files:
+ - debian/changelog
+ - debian/tests/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b416d1bdfb4f5e33565178e01ba4c4e3939b6176
+
+ * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file
+ (LP: #1749000)
+ Author: Michael Vogt
+ File: debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5ad0879e10bbe3d641f940260b93c7eb2cf4624c
+
+ * debian/tests/systemd-fsckd: update assertions expectations for v237
+ fsck got rewritten to use "safe_fork" and whilst previously it would ignore the
+ error, when fsck is terminated by signal PIPE, it no longer does so. Thus one
+ should expect systemd-fsck-root.service to have failed in certain test cases.
+ File: debian/tests/systemd-fsckd
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d5becd9a416b55dcdb7b9a7aba60c4e3d304e6a6
+
+ * test/test-functions: launch qemu-system with -vga none.
+ Should resolve booting qemu-system-ppc64 without seabios.
+ File: debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=90af1fa893cce5ed49999d16da0b793da6523394
+
+ * tests/boot-smoke: ignore udevd connection timeouts resolving colord group.
+ File: debian/tests/boot-smoke
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e1477b764fa9ef23f5181ef3d31a1332191c3e0b
+
+ * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure.
+ File: debian/tests/systemd-fsckd
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c392e1ca3da67dbf8a7dfe0dcad470f7636f7405
+
+ * tests/control: ensure boot-smoke uses latest systemd & udev.
+ File: debian/tests/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b7b66380641755bc21fd7dcbc307760b1d18b8af
+
+ * Drop systemd.prerm safety check.
+ On Ubuntu, systemd is the only choice, and is essential, via init ->
+ systemd-sysv -> systemd dependency chain, thus removing systemd is already
+ quite hard, and appropriate warnings are emitted by dpkg. (LP: #1758438)
+ File: debian/systemd.prerm
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=0244c4d56556317f14eecc2f51871969ef02ba7b
+
+ * wait-online: do not wait, if no links are managed (neither configured, or failed).
+ (LP: #1728181)
+ File: debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=31f04c3fc769dacb3cf2a78240a1710a99a865b8
+
+ * journald.service: set Nice=-1 to dodge watchdog on soft lockups.
+ (LP: #1696970)
+ File: debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e0a9aeffac556492bf517ce2d23313ff7a277926
+
+ * Workaround captive portals not responding to EDNS0 queries (DVE-2018-0001).
+ (LP: #1727237)
+ File: debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=87d3fe81b7281687ecf3c0b9a8356e90cc714d0b
+
+ * Recommend networkd-dispatcher (LP: #1762386)
+ File: debian/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d1e3b2c7e4757119da0d550b0b3c0a6626a176dc
+
+ * networkd: if RA was implicit, do not await ndisc_configured.
+ If RA was iplicit, meaning not otherwise requested, and a kernel default was in
+ use. Do not prevent link entering configured state, whilst ndisc configuration
+ is pending. Implicit kernel RA, is expected to be asynchronous and
+ non-blocking. (LP: #1765173)
+ File: debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2f749ff528d1b788aa4ca778e954c16b213ee629
+
+ * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i.
+ This ensures that all scans are completed, before installer reaches
+ partitioning stage. (LP: #1751813)
+ Files:
+ - debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf
+ - debian/udev-udeb.install
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=eb6d8a2b9504917abb7aa2c4035fdbb7b98227f7
+
+ * Disable dh_installinit generation of tmpfiles for the systemd package.
+ Replace with a manual safe call to systemd-tmpfiles which will process any
+ updates to the tmpfiles shipped by systemd package, taking into account any
+ overrides shipped by other packages, sysadmin, or specified in the runtime
+ directories. (LP: #1748147)
+ Files:
+ - debian/rules
+ - debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1fd144cbe31cc7a9383cc76f21f4b84c22a9dd1b
+
+ * Enable EFI/bootctl on armhf.
+ File: debian/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=043122f7d8a1487bfd357e815a6ece1ceea6e7d1
+
+ * boot-and-services: stderr is ok, for status command on the c1 container.
+ systemctl may print warnings on the stderr when checking the status of
+ completed units. This should not, overall fail the autopkgtest run.
+ File: debian/tests/boot-and-services
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=da14d34e7cc33c44ad67e64c9fd092f8cc1675f9
+
+ * Skip systemd-fsckd on arm64, because of broken/lack of clean shutdown.
+ File: debian/tests/systemd-fsckd
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=bf5b501ac934497dbef5f64908ff37643dc7288e
+
+ * adt: boot-and-services: assert any kernel syslog messages.
+ It appears that on arm64 the syslog is truncated and is missing early kernel
+ messages. Print full one, and check for any kernel messages instead.
+ File: debian/tests/boot-and-services
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=29dc34f7a6e5dc505f6212c17c42e4420b47ed16
+
+ * debian/extra/start-udev: Set scsi_mod scan=sync even if it's builtin to the kernel (we previously only set it in modprobe.d) LP: #1779815
+ Files:
+ - debian/changelog
+ - debian/extra/start-udev
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6b72628f8de991e2c67ac4289fc74daf3abe7d14
+
+ * units: conditionalize more units to not start in containers.
+ Files:
+ - debian/changelog
+ - debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3689afa1a782de8c19a757459b6360de1195ad55
+
+ * test-sleep: skip test_fiemap upon inapproriate ioctl for device.
+ On v4.4 kernels, on top of btrfs ephemeral lxd v3.0 containers generate this
+ other error code, instead of not supported. Skip the test for both error codes.
+ File: debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6ebb5b9f6b77760a5470e8a780d69875b1db76f7
+
+ * Re-add support for /etc/writable for core18. (LP: #1778936)
+ Author: Michael Vogt
+ File: debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a5b5fca66c1127068e4ce0cc9ab497814211f4f7
+
+ * debian/control: strengthen dependencies.
+ Make systemd-sysv depend on matching version of systemd. Autopkgtests at times
+ upgrade systemd-sysv without upgrading systemd. However, upgrading systemd-sysv
+ alone makes little sense.
+ Make systemd conflict, rather than just break, systemd-shim. As there are
+ upgrade failures cause by systemd-shim presence whilst upgrading to new
+ systemd.
+ File: debian/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d1ecf0c372f5212129c85ae60fddf26b2271a1fe
+
+ * Improve autopkgtest success rate, by bumping up timeouts.
(LP: #1789841)
+ Author: Christian Ehrhardt
+ File: debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c05586d9da033bbfd6b6a74e10b87520843c7c48
+
+ * units: Disable journald Watchdog (LP: #1773148)
+ File: debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=64d2b4f1d0d057073fba585f19823332e2a6eed5
+
+ * Add conflicts with upstart and systemd-shim. (LP: #1793092)
+ File: debian/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=83ed7496afc7c27be026014d109855f7d0ad1176
+
+ * Specify Ubuntu's Vcs-Git
+ File: debian/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=fd832930ef280c9a4a9dda2440d5a46a6fdb6232
+
+ * debian/systemd.postinst: Skip daemon-reexec and try-restarts during shutdown
+ (LP: #1803391)
+ Author: Balint Reczey
+ File: debian/systemd.postinst
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=51daab96ae79483b5e5fb62e1e0477c87ee11fd1
+
+ * Switch gbp.conf to disco.
+ File: debian/gbp.conf
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=fea585b259e3e766d8d3dbc9690e879c054ddc87
+
+ * core: set /run size to 10%, like initramfs-tools does.
+ Currently there is a difference between initrd and initrd-less boots,
+ w.r.t. size= mount option of /run. This yields different runtime journald caps
+ (1% vs 10%), and on dense deployments of containers may result in OOM kills.
+ (LP: #1799251)
+ File: debian/patches/debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1fac2568fe716dc1a41bada78293dc6327a6df0d
+
+ * Cherrypick proposed patch to fix LinkLocalAddressing post-unify-MTU settings.
+ File: debian/patches/networkd-honour-LinkLocalAddressing.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cd9ba0d0f47634c9e5d862b8208cdc3178f25496
+
+ -- Dimitri John Ledkov Mon, 21 Jan 2019 16:09:03 +0000
+
 systemd (240-4) unstable; urgency=medium [ Benjamin Drung ]
@@ -346,6 +820,280 @@ -- Michael Biebl Fri, 07 Sep 2018 08:41:12 +0200 +systemd (239-7ubuntu15) disco; urgency=medium + + * core: set /run size to 10%, like initramfs-tools does. + Currently there is a difference between initrd and initrd-less boots, + w.r.t. size= mount option of /run. This yields different runtime journald caps + (1% vs 10%), and on dense deployments of containers may result in OOM kills. + (LP: #1799251) + File: debian/patches/debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch + https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1fac2568fe716dc1a41bada78293dc6327a6df0d + + * resolved: Increase size of TCP stub replies. + DNS_PACKET_PAYLOAD_SIZE_MAX is limiting the size of the stub replies to + 512 with EDNS off or 4096 with EDNS on, without checking the protocol + used. This makes TCP replies for clients without EDNS support to be + limited to 512, making the truncate flag useless if the query result is + bigger than 512 bytes. + This commit increases the size of TCP replies to DNS_PACKET_SIZE_MAX + Fixes: #10816 + (cherry picked from commit e6eed9445956cfa496e1db933bfd3530db23bfce) + (LP: #1804487) + Author: Victor Tapia + File: debian/patches/resolved-Increase-size-of-TCP-stub-replies.patch + https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=702a4566174c4d2bd84b70805107cfc1a7c128cc + + -- Dimitri John Ledkov Mon, 03 Dec 2018 13:49:24 +0000 + +systemd (239-7ubuntu14) disco; urgency=medium + + * Fix compat with new meson. + File: debian/patches/meson-rename-Ddebug-to-Ddebug-extra.patch + https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3b764ec1b76768a8c40635019fa5a8acb81b223e + + -- Dimitri John Ledkov Thu, 29 Nov 2018 16:53:00 +0000 + +systemd (239-7ubuntu13) disco; urgency=medium + + * Stop testing that gdm3 is up. + Ubuntu Desktop is only supported on amd64, and on real hardware. 
Testing that
+ gdm3 fails to start (yet continues to be running, with a half broken logind
+ session) is not useful on dummy xorg video cards in nested VMs.
+ (LP: #1805358)
+ File: debian/tests/control
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3006fedda1d1ca3f04c5f593e8018bb6d1196025
+
+ -- Dimitri John Ledkov Wed, 28 Nov 2018 16:02:25 +0000
+
+systemd (239-7ubuntu12) disco; urgency=medium
+
+ * hwdb: Revert wlan keycode changes, rely on xkeyboard-config fixes instead.
+ (LP: #1799364)
+ Author: seb128
+ File: debian/patches/hwdb-revert-airplane-mode-keys-handling-on-Dell.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cabc076fdd67ced21fc789e44e0366a2f561a5bc
+
+ * test: Set executable bits on TEST-22-TMPFILES shell scripts. (LP: #1804864)
+ File: debian/patches/test-Set-executable-bits-on-TEST-22-TMPFILES-shell-script.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=0e5b6e44a962f299565949e1006a4ba86d171dc3
+
+ * Switch gbp.conf to disco.
+ File: debian/gbp.conf
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=fea585b259e3e766d8d3dbc9690e879c054ddc87
+
+ -- Dimitri John Ledkov Fri, 23 Nov 2018 18:38:43 +0000
+
+systemd (239-7ubuntu11) disco; urgency=medium
+
+ * hwdb: Fix wlan keycode for all Dell Latitude and Precision systems
+ (LP: #1799364)
+ Author: Shih-Yuan Lee (FourDollars)
+ File: debian/patches/hwdb-Fix-wlan-keycode-for-all-Dell-Latitude-and-Precision.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d8ac9a5640be39ede9cebcd8c4cc44e8811e0e49
+
+ * hwdb: Update PNP IDs of Goldstar (now: LG Electronics) (LP: #1804584)
+ File: debian/patches/hwdb-Update-PNP-IDs-of-Goldstar-now-LG-Electronics-.-1005.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10204fb5761c759be6ddf27dc43c851ef24c96cb
+
+ * btrfs-util: unbreak tmpfiles' subvol creation
+ File: debian/patches/btrfs-util-unbreak-tmpfiles-subvol-creation.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4ab5b8275a0487e301553fb6de6a905abb7ea833
+
+ -- Dimitri John Ledkov Thu, 22 Nov 2018 16:30:28 +0000
+
+systemd (239-7ubuntu10.4) cosmic-security; urgency=medium
+
+ [ Chris Coulson ]
+ * SECURITY UPDATE: symlink mishandling in systemd-tmpfiles
+ - debian/patches/CVE-2018-6954_2.patch: backport the remaining patches to
+ resolve this completely
+ - CVE-2018-6954
+
+ [ Balint Reczey ]
+ * Fix LP: #1803391 - Skip daemon-reexec and try-restarts during shutdown
+ - update debian/systemd.postinst
+
+ -- Chris Coulson Thu, 15 Nov 2018 20:42:32 +0000
+
+systemd (239-7ubuntu10.3) cosmic-security; urgency=medium
+
+ * SECURITY UPDATE: reexec state injection
+ - debian/patches/CVE-2018-15686.patch: when deserializing state always use
+ read_line(…, LONG_LINE_MAX, …) rather than fgets()
+ - CVE-2018-15686
+ * SECURITY UPDATE: chown_one() can dereference symlinks
+ - debian/patches/CVE-2018-15687.patch: rework recursive
logic to use O_PATH
+ - CVE-2018-15687
+
+ -- Chris Coulson Tue, 06 Nov 2018 20:52:41 +0000
+
+systemd (239-7ubuntu10.1) cosmic-security; urgency=medium
+
+ * SECURITY UPDATE: buffer overflow in dhcp6 client
+ - debian/patches/CVE-2018-15688.patch: make sure we have enough space
+ for the DHCP6 option header in src/libsystemd-network/dhcp6-option.c.
+ - CVE-2018-15688
+
+ -- Marc Deslauriers Wed, 31 Oct 2018 11:36:32 -0400
+
+systemd (239-7ubuntu10) cosmic; urgency=medium
+
+ * units: Disable journald Watchdog (LP: #1773148)
+ * Add conflicts with upstart and systemd-shim. (LP: #1773859)
+
+ -- Dimitri John Ledkov Thu, 04 Oct 2018 15:58:51 +0100
+
+systemd (239-7ubuntu9) cosmic; urgency=medium
+
+ * core: export environment when running generators.
+ Ensure that manager's environment (including e.g. PATH) is exported when
+ running generators. Otherwise, one is at a mercy of running without PATH which
+ can lead to buggy generator behaviour. (LP: #1771858)
+
+ -- Dimitri John Ledkov Wed, 26 Sep 2018 11:01:58 +0100
+
+systemd (239-7ubuntu8) cosmic; urgency=medium
+
+ [ Dimitri John Ledkov ]
+ * Cherrypick many bugfixes from master.
+ * systemctl: correctly proceed to immediate shutdown if scheduling fails
+ (LP: #1670291)
+
+ [ Julian Andres Klode ]
+ * Improve networkd states documentation.
+
+ -- Dimitri John Ledkov Wed, 12 Sep 2018 16:03:08 +0100
+
+systemd (239-7ubuntu7) cosmic; urgency=medium
+
+ * boot-and-services: skip gdm test, when gdm-x-session fails.
+ Across all architectures, gdm fails to come up reliably since cosmic.
+ (LP: #1790478)
+
+ -- Dimitri John Ledkov Mon, 03 Sep 2018 16:33:00 +0100
+
+systemd (239-7ubuntu6) cosmic; urgency=medium
+
+ [ Dimitri John Ledkov ]
+ * debian/control: strengthen dependencies.
+ Make systemd-sysv depend on matching version of systemd. Autopkgtests at times
+ upgrade systemd-sysv without upgrading systemd. However, upgrading systemd-sysv
+ alone makes little sense.
+ Make systemd conflict, rather than just break, systemd-shim. As there are
+ upgrade failures cause by systemd-shim presence whilst upgrading to new
+ systemd.
+ * Correct gdm3 exclution on arm64, in boot-and-services test.
+
+ [ Christian Ehrhardt ]
+ * Improve autopkgtest success rate, by bumping up timeouts. (LP: #1789841)
+
+ -- Dimitri John Ledkov Fri, 31 Aug 2018 14:17:54 +0100
+
+systemd (239-7ubuntu5) cosmic; urgency=medium
+
+ [ Michael Biebl ]
+ * Clean up dbus-org.freedesktop.timesync1.service Alias on purge
+ (Closes: #904290)
+
+ [ Martin Pitt ]
+ * timedated: Fix wrong PropertyChanged values and refcounting
+
+ [ Dimitri John Ledkov ]
+ * autopkgtest: drop gdm3 on arm64 as well.
+ The cloud instances are configured without a graphics card, and thus X fails to
+ start, hence the gdm test fails.
+ * Revert "Workaround broken meson copying symlinked data files, as dangling symlinks."
+ This reverts commit 059bfb5349123fabc8c92324e0473193f01fc87c.
+ * Cherrypick v239-stable patches.
+ * cryptsetup: add support for sector-size= option (LP: #1776626)
+ * Cherrypick upstrem patches to fix ftbfs with new glibc.
+
+ [ Michael Vogt ]
+ * Re-add support for /etc/writable for core18. (LP: #1778936)
+
+ -- Dimitri John Ledkov Tue, 28 Aug 2018 17:35:51 +0100
+
+systemd (239-7ubuntu4) cosmic; urgency=medium
+
+ * Workaround broken meson copying symlinked data files, as dangling symlinks.
+
+ -- Dimitri John Ledkov Wed, 22 Aug 2018 14:11:35 +0100
+
+systemd (239-7ubuntu3) cosmic; urgency=medium
+
+ * Revert "networkd: Unify set MTU"
+ This reverts commit 44b598a1c9d11c23420a5ef45ff11bcb0ed195eb due to regression
+ of ignoring LinkLocalAddressing=no.
+ Bug-Upstream: https://github.com/systemd/systemd/issues/9890
+
+ -- Dimitri John Ledkov Tue, 21 Aug 2018 21:51:31 +0100
+
+systemd (239-7ubuntu2) cosmic; urgency=medium
+
+ * test-sleep: skip test_fiemap upon inapproriate ioctl for device.
+ On v4.4 kernels, on top of btrfs ephemeral lxd v3.0 containers generate this
+ other error code, instead of not supported. Skip the test for both error codes.
+
+ -- Dimitri John Ledkov Fri, 03 Aug 2018 16:49:10 +0100
+
+systemd (239-7ubuntu1) cosmic; urgency=medium
+
+ Merged from Debian Unstable, remaining changes are:
+
+ * Set UseDomains to true, by default, on Ubuntu.
+ * Enable systemd-resolved by default.
+ * postinst: Create /etc/resolv.conf at postinst, pointing at the stub
+ resolver.
+ * postinst: drop empty/stock /etc/rc.local.
+ * postinst: enable persistent journal.
+ * Drop systemd.prerm safety check.
+ * Ship systemd sysctl settings.
+ * libnss-resolve: do not disable and stop systemd-resolved.
+ * boot-smoke: refactor ADT test.
+ * Fix test-functions failing with Ubuntu units.
+ * units: set ConditionVirtualization=!private-users on journald audit socket.
+ * units: drop resolvconf.conf drop-in, resolved integration moved to
+ resolvconf package.
+ * debian/tests: Switch to gdm3, enforce udev upgrade.
+ * Ubuntu/extra: ship dhclient-enter hook.
+ * Ignore failures to set Nice priority on services in containers.
+ * systemd-fsckd: Fix ADT tests to work on s390x too.
+ * Disable LLMNR and MulticastDNS by default.
+ * Enable qemu tests on most architectures.
+ * debian/tests/systemd-fsckd: update assertions expectations for v237.
+ * test/test-fs-util: detect container, in addition to root.
+ * test/test-functions: launch qemu-system with -vga none.
+ * Blacklist TEST-16-EXTEND-TIMEOUT.
+ * tests/boot-smoke: ignore udevd connection timeouts resolving colord group.
+ * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure.
+ * tests/control: ensure boot-smoke uses latest systemd & udev.
+ * wait-online: do not wait, if no links are managed (neither configured, or
+ failed).
+ * journald.service: set Nice=-1 to dodge watchdog on soft lockups.
+ * Workaround captive portals not responding to EDNS0 queries.
+ * resolved: Listen on both TCP and UDP by default. + * Recommend networkd-dispatcher + * networkd: if RA was implicit, do not await ndisc_configured. + * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i. + * Skip starting systemd-remount-fs.service in containers. + * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file. + * Disable dh_installinit generation of tmpfiles for the systemd package. + Replace with a manual safe call to systemd-tmpfiles which will process any + updates to the tmpfiles shipped by systemd package, taking into account any + overrides shipped by other packages, sysadmin, or specified in the runtime + directories. (LP: #1748147) + * Enable EFI/bootctl on armhf. + * boot-and-services: stderr is ok, for status command on the c1 container. + * Skip systemd-fsckd on arm64, because of broken/lack of clean shutdown. + * adt: boot-and-services: assert any kernel syslog messages. + * debian/extra/start-udev: Set scsi_mod scan=sync even if it's builtin to the + kernel (we previously only set it in modprobe.d) LP: #1779815 + * units: conditionalize more units to not start in containers. + * tests: conditionalize more unit tests to pass in LXD container. + + -- Dimitri John Ledkov Thu, 26 Jul 2018 16:26:22 +0100 + systemd (239-7) unstable; urgency=medium * autopkgtest: Add iputils-ping dependency to root-unittests. 
@@ -504,6 +1252,83 @@ -- Michael Biebl Sat, 23 Jun 2018 00:18:08 +0200 +systemd (238-5ubuntu3) cosmic; urgency=medium + + * debian/extra/start-udev: Set scsi_mod scan=sync even if it's builtin + to the kernel (we previously only set it in modprobe.d) LP: #1779815 + + -- Adam Conrad Fri, 20 Jul 2018 11:13:58 -0600 + +systemd (238-5ubuntu2) cosmic; urgency=medium + + * Disable dh_installinit generation of tmpfiles for the systemd package. + Replace with a manual safe call to systemd-tmpfiles which will process any + updates to the tmpfiles shipped by systemd package, taking into account any + overrides shipped by other packages, sysadmin, or specified in the runtime + directories. (LP: #1748147) + * Re-cherrypick keyring setreuid/setregid tricks, as that was merged post-v238. + * Enable EFI/bootctl on armhf. + * boot-and-services: stderr is ok, for status command on the c1 container. + systemctl may print warnings on the stderr when checking the status of + completed units. This should not, overall fail the autopkgtest run. + + -- Dimitri John Ledkov 🌈 Tue, 26 Jun 2018 10:55:51 +0100 + +systemd (238-5ubuntu1) cosmic; urgency=medium + + Merged from Debian Unstable, remaining changes are: + + * Set UseDomains to true, by default, on Ubuntu. + * Enable systemd-resolved by default. + * postinst: Create /etc/resolv.conf at postinst, pointing at the stub + resolver. + * postinst: drop empty/stock /etc/rc.local. + * postinst: enable persistent journal. + * Drop systemd.prerm safety check. + * Ship systemd sysctl settings. + * libnss-resolve: do not disable and stop systemd-resolved. + * boot-smoke: refactor ADT test. + * Fix test-functions failing with Ubuntu units. + * units: set ConditionVirtualization=!private-users on journald audit socket. + * units: drop resolvconf.conf drop-in, resolved integration moved to + resolvconf package. + * debian/tests: Switch to gdm3, enforce udev upgrade. + * Ubuntu/extra: ship dhclient-enter hook. 
+ * Ignore failures to set Nice priority on services in containers. + * tests: Do not use nested kvm during ADT tests. + * systemd-fsckd: Fix ADT tests to work on s390x too. + * Disable LLMNR and MulticastDNS by default. + * Enable qemu tests on most architectures. + * debian/tests/systemd-fsckd: update assertions expectations for v237. + * test/test-fs-util: detect container, in addition to root. + * test/test-functions: launch qemu-system with -vga none. + * Blacklist TEST-16-EXTEND-TIMEOUT. + * tests/boot-smoke: ignore udevd connection timeouts resolving colord group. + * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure. + * tests/control: ensure boot-smoke uses latest systemd & udev. + * wait-online: do not wait, if no links are managed (neither configured, or + failed). + * journald.service: set Nice=-1 to dodge watchdog on soft lockups. + * Workaround captive portals not responding to EDNS0 queries. + * resolved: Listen on both TCP and UDP by default. + * Recommend networkd-dispatcher + * networkd: if RA was implicit, do not await ndisc_configured. + * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i. + * Skip starting systemd-remount-fs.service in containers. + * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file. + + * Apply systemd-stable/v238-stable patches. + + * Cherrypick feature to hibernate with disk offsets. + + * Remove dropped patches + * Drop merged keyring patch + * Drop write_persistent_net_s390x_virtio, as an LTS release was made. + * Revert debian/tests/upstream to be more like Debian's. + * Do not skip test-execute anymore, should be fixed on armhf now. + + -- Dimitri John Ledkov Wed, 30 May 2018 14:30:45 +0100 + systemd (238-5) unstable; urgency=medium [ Evgeny Vereshchagin ] 
@@ -629,6 +1454,138 @@ -- Michael Biebl Wed, 28 Feb 2018 19:18:34 +0100 +systemd (237-3ubuntu11) cosmic; urgency=medium + + [ Dimitri John Ledkov ] + * hwdb: Fix wlan/rfkill keycode on Dell systems. (LP: #1762385) + * Cherrypick upstream fix for corrected detection of Virtualbox & Xen. + (LP: #1768104) + * Further improve captive portal workarounds. + Retry any NXDOMAIN results with lower feature levels, instead of just those + with 'secure' in the domain name. (LP: #1766969) + * Bump gbp.conf to cosmic + + [ Michael Biebl ] + * Add dependencies of libsystemd-shared to Pre-Depends. + This is necessary so systemctl is functional at all times during a + dist-upgrade. (Closes: #897986) (LP: #1771791) + * basic/macros: Rename noreturn into _noreturn_ + "noreturn" is reserved and can be used in other header files we include. + (Closes: #893426) + + [ Mario Limonciello ] + * Fix hibernate disk offsets. + Configure resume offset via sysfs, to enable resume from a swapfile. + (LP: #1760106) + + [ Felipe Sateler ] + * Don't include libmount.h in a header file. + Kernel and glibc headers both use MS_* constants, but are not in sync, so + only one of them can be used at a time. Thus, only import them where needed + Works around #898743 + + -- Dimitri John Ledkov Sat, 19 May 2018 00:35:30 +0100 + +systemd (237-3ubuntu10) bionic; urgency=medium + + * Create tmpfiles for persistent journal in postinst only when running + systemd (LP: #1748659) + + -- Balint Reczey Fri, 20 Apr 2018 18:55:56 +0200 + +systemd (237-3ubuntu9) bionic; urgency=medium + + * networkd: if RA was implicit, do not await ndisc_configured. + If RA was iplicit, meaning not otherwise requested, and a kernel default was in + use. Do not prevent link entering configured state, whilst ndisc configuration + is pending. Implicit kernel RA, is expected to be asynchronous and + non-blocking. (LP: #1765173) + * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i. 
+ This ensures that all scans are completed, before installer reaches
+ partitioning stage. (LP: #1751813)
+
+ -- Dimitri John Ledkov Fri, 20 Apr 2018 04:35:33 +0100
+
+systemd (237-3ubuntu8) bionic; urgency=medium
+
+ * Workaround captive portals not responding to EDNS0 queries (DVE-2018-0001).
+ (LP: #1727237)
+ * resolved: Listen on both TCP and UDP by default. (LP: #1731522)
+ * Recommend networkd-dispatcher (LP: #1762386)
+ * Refresh patches
+
+ -- Dimitri John Ledkov Thu, 12 Apr 2018 12:12:24 +0100
+
+systemd (237-3ubuntu7) bionic; urgency=medium
+
+ * Introduce suspend then hibernate (LP: #1756006)
+
+ -- Mario Limonciello Mon, 02 Apr 2018 14:25:04 -0500
+
+systemd (237-3ubuntu6) bionic; urgency=medium
+
+ * Adjust the new dropin test, for v237 systemd.
+ * Refresh the keyring patch, to the one merged.
+
+ -- Dimitri John Ledkov Tue, 27 Mar 2018 13:40:09 +0100
+
+systemd (237-3ubuntu5) bionic; urgency=medium
+
+ * Drop old keyring/invocation_id patch, which made keyring setup be skipped in containers.
+ * Use new patch, which sets up session keyring without relying on chown operation.
+ * Drop systemd.prerm safety check.
+ On Ubuntu, systemd is the only choice, and is essential, via init ->
+ systemd-sysv -> systemd dependency chain, thus removing systemd is already
+ quite hard, and appropriate warnings are emitted by dpkg. (LP: #1758438)
+ * Detect Masked unit with drop-ins. (LP: #1752722)
+ * wait-online: do not wait, if no links are managed (neither configured, or failed).
+ (LP: #1728181)
+ * journald.service: set Nice=-1 to dodge watchdog on soft lockups.
+ (LP: #1696970)
+ * Refresh all patches.
+
+ -- Dimitri John Ledkov Mon, 26 Mar 2018 15:55:25 +0100
+
+systemd (237-3ubuntu4) bionic; urgency=medium
+
+ * systemd-sysv-install: fix name initialisation.
+ Only initialise NAME, after --root optional argument has been parsed, otherwise
+ NAME is initialized to e.g. `enable', instead of to the `unit-name`, resulting
+ in failures.
(LP: #1752882) + + -- Dimitri John Ledkov Mon, 05 Mar 2018 09:57:58 +0100 + +systemd (237-3ubuntu3) bionic; urgency=medium + + * tests/control: drop qemu-system-ppc. + Whilst some tests pass, many regress / fail to boot. This is not a regression, + as qemu-based tests were not run previously. + + -- Dimitri John Ledkov Tue, 20 Feb 2018 17:40:02 +0000 + +systemd (237-3ubuntu2) bionic; urgency=medium + + * tests/boot-smoke: ignore udevd connection timeouts resolving colord group. + * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure. + * tests/control: ensure boot-smoke uses latest systemd & udev. + * test/test-functions: on PPC64 use hvc0 console. + + -- Dimitri John Ledkov Tue, 20 Feb 2018 12:03:14 +0000 + +systemd (237-3ubuntu1) bionic; urgency=medium + + [ Gunnar Hjalmarsson ] + * Fix PO template creation. + Cherry-pick upstream patches to build a correct systemd.pot including + the polkit policy files even without policykit-1 being installed. + (LP: #1707898) + + [ Dimitri John Ledkov ] + * Blacklist TEST-16-EXTEND-TIMEOUT + * test/test-functions: use vmlinux for ppc64 tests. + + -- Dimitri John Ledkov Mon, 19 Feb 2018 21:15:23 +0000 + systemd (237-3) unstable; urgency=medium [ Martin Pitt ] 
@@ -651,6 +1608,52 @@ -- Michael Biebl Wed, 14 Feb 2018 23:07:17 +0100 +systemd (237-2ubuntu3) bionic; urgency=medium + + * test/test-fs-util: detect container, in addition to root. + On armhf, during autopkgtests, whilst root is avilable, full capabilities in + parent namespace are not, since the tests are run in an LXD container. + This should resolve armhf autopkgtest failure. + * test/test-functions: launch qemu-system with -vga none. + Should resolve booting qemu-system-ppc64 without seabios. + * tests/upstream: skip parts of extend time out tests, regressed. + (LP: #1750364) + + -- Dimitri John Ledkov Mon, 19 Feb 2018 13:32:07 +0000 + +systemd (237-2ubuntu2) bionic; urgency=medium + + * Fix cryptsetup tests by shipping 95-dm-notify udev rule. (LP: #1749432) + * debian/tests/systemd-fsckd: update assertions expectations for v237 + fsck got rewritten to use "safe_fork" and whilst previously it would ignore the + error, when fsck is terminated by signal PIPE, it no longer does so. Thus one + should expect systemd-fsck-root.service to have failed in certain test cases. + + -- Dimitri John Ledkov Thu, 15 Feb 2018 00:32:54 +0000 + +systemd (237-2ubuntu1) bionic; urgency=medium + + [ Michael Vogt ] + * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file + (LP: #1749000) + + [ Martin Pitt ] + * debian/tests/boot-smoke: More robust journal checking. + Also fail the test if calling journalctl fails, and avoid calling it + twice. See https://github.com/systemd/systemd/pull/8032 + + [ Gunnar Hjalmarsson ] + * Fix creation of translation template + - State the gettext package domain "systemd" explicitly, as with the + move to meson it ended up as "untitled.pot" + - Call xgettext to extract strings from polkit *.policy.in files, which + intltool-update ignores. 
(LP: #1707898) + + [ Dimitri John Ledkov ] + * Enable qemu tests on all architectures LP: #1749540 + + -- Dimitri John Ledkov Wed, 14 Feb 2018 16:43:12 +0000 + systemd (237-2) unstable; urgency=medium * Drop debian/extra/rules/70-debian-uaccess.rules. 
@@ -663,6 +1666,47 @@ -- Michael Biebl Fri, 09 Feb 2018 23:35:31 +0100 +systemd (237-1ubuntu3) bionic; urgency=medium + + * Re-enable gnu-efi on arm64, binutils is fixed + * Cherrpick PR8133 to resolve too strict PidFile handling, which breaks + services starting with potentially insecure pidfiles e.g. munin + * Disable LLMNR and MulticastDNS by default LP: #1739672 + + -- Dimitri John Ledkov Fri, 09 Feb 2018 15:49:01 +0000 + +systemd (237-1ubuntu2) bionic; urgency=medium + + * Disable gnu-efi on arm64, due to FTBFS. LP: #1746765 + + -- Dimitri John Ledkov Fri, 02 Feb 2018 23:30:05 +0000 + +systemd (237-1ubuntu1) bionic; urgency=medium + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - Use stub-resolv.conf as the default provider of /etc/resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remount fs in containers, for non-degrated boot + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + - Cherry-pick a few testsuite fixes + - Do not use nested kvm during ADT tests + - Fix ADT systemd-fsckd tests to work on s390x too + - Enable persistent journal by default + + -- Dimitri John Ledkov Tue, 30 Jan 2018 13:52:27 +0000 + systemd (237-1) unstable; urgency=medium * New upstream version 237 
@@ -771,6 +1815,51 @@ -- Michael Biebl Sun, 17 Dec 2017 21:45:51 +0100 +systemd (235-3ubuntu3) bionic; urgency=medium + + * netwokrd: add support for RequiredForOnline stanza. (LP: #1737570) + * resolved.service: set DefaultDependencies=no (LP: #1734167) + * systemd.postinst: enable persistent journal. (LP: #1618188) + * core: add support for non-writable unified cgroup hierarchy for container support. + (LP: #1734410) + + -- Dimitri John Ledkov Tue, 12 Dec 2017 13:25:32 +0000 + +systemd (235-3ubuntu2) bionic; urgency=medium + + * systemd-fsckd: Fix ADT tests to work on s390x too. + + -- Dimitri John Ledkov Tue, 21 Nov 2017 16:41:15 +0000 + +systemd (235-3ubuntu1) bionic; urgency=medium + + * Merge 235-3 from debian: + - Drop UBUNTU-CVE-2017-15908 included in Debian. + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - ship resolvconf integration via stub-resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remote fs in containers, for non-degrated boot + - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + - Cherry-pick a few testsuite fixes + + * UBUNTU Do not use nested kvm during ADT tests. + + -- Dimitri John Ledkov Tue, 21 Nov 2017 09:34:14 +0000 + systemd (235-3) unstable; urgency=medium [ Michael Biebl ] 
@@ -811,6 +1900,63 @@ -- Martin Pitt Wed, 15 Nov 2017 09:34:00 +0100 +systemd (235-2ubuntu3) bionic; urgency=medium + + * Revert "Skip test-bpf in autopkgtest, currently is failing." + This reverts commit 75cf986e450e062a3d5780d1976e9efef41e6c4c. + * Fix test-bpf test case on ubuntu. + * Skip rename tests in containers, crude fix for now. + + -- Dimitri John Ledkov Mon, 13 Nov 2017 00:06:42 +0000 + +systemd (235-2ubuntu2) bionic; urgency=medium + + * Fix test-functions failing with Ubuntu units. + * tests: switch to using ext4 by default, instead of ext3. + * Skip test-bpf in autopkgtest, currently is failing. + + -- Dimitri John Ledkov Mon, 06 Nov 2017 18:33:39 +0000 + +systemd (235-2ubuntu1) bionic; urgency=medium + + [ Dimitri John Ledkov ] + * Merge 235-2 from debian: + - Drop all upstream cherry-picks + - Drop test-copy dh_strip size override, fixed upstream + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - ship resolvconf integration via stub-resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remote fs in containers, for non-degrated boot + - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + + * Fix up write_persistent_net_s390x for nullglob + + * Ship systemd sysctl settings. + Patch systemd's default sysctl settings to drop things that are set + elsewhere already. 
The promote secondary IP addresses is required for + networkd to successfully renew DHCP leases with a change of an IP address. + Set default package scheduler to Fair Queue CoDel. (LP: #1721223) + + [ Michael Biebl ] + * Install modprobe configuration file to /lib/modprobe.d. + Otherwise it is not read by kmod. (Closes: #879191) + + -- Dimitri John Ledkov Mon, 30 Oct 2017 17:20:54 +0000 + systemd (235-2) unstable; urgency=medium * Revert "tests: when running a manager object in a test, migrate to private 
@@ -920,6 +2066,187 @@ -- Cyril Brulebois Wed, 23 Aug 2017 20:41:33 +0200 +systemd (234-2ubuntu12.1) artful-security; urgency=medium + + * SECURITY UPDATE: remote DoS in resolve (LP: #1725351) + - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo + dns types in src/resolve/resolved-dns-packet.c. + - CVE-2017-15908 + + -- Marc Deslauriers Thu, 26 Oct 2017 07:56:42 -0400 + +systemd (234-2ubuntu12) artful; urgency=medium + + [ Dimitri John Ledkov ] + * debian/rules: do not strip test-copy. + This insures test-copy is large enough for test-copy tests to pass. + (LP: #1721203) + + [ Michael Biebl ] + * Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf. + All major NTP implementations ship a native service file nowadays with a + Conflicts=systemd-timesyncd.service so this drop-in is no longer + necessary. (Closes: #873185) (LP: #1721204) + + -- Dimitri John Ledkov Wed, 04 Oct 2017 13:28:34 +0100 + +systemd (234-2ubuntu11) artful; urgency=medium + + * Ubuntu/extra: ship dhclient-enter hook. + This allows isc-dhcp dhclient to set search domains and nameservers via + resolved. + * Disable systemd-networkd-wait-online by default. + Currently it is not fit for purpose, as it leads to long boot times when + networking is unplugged or not yet configured on boot. (LP: #1714301) + * networkd: change UseMTU default to true. + Cherry-pick upstream change. (LP: #1717471) + * postinst: drop empty/stock /etc/rc.local (LP: #1716979) + * Imporve resolvconf integration. + Make the .path|.service unit that feed resolved data into resolvconf not + generate failures if resolvconf is not installed. + Add a check to make sure that resolved does not read /etc/resolv.conf when that + is symlinked to stub-resolv.conf. 
(LP: #1717995) + * core: gracefully bail out keyring operations when chown fails (LP: #1691096) + + -- Dimitri John Ledkov Tue, 26 Sep 2017 11:38:02 -0400 + +systemd (234-2ubuntu10) artful; urgency=medium + + * Do not fail debootstrap if /etc/resolv.conf is immutable. (LP: #1713212) + * Revert "Create /etc/resolv.conf on resolved start, if it is an empty file." + As it is ineffective, and correct creation of /etc/resolv.conf has been fixed. + This reverts commit ccba42504f216f6ffbc54eb2c9af347355f8d86b. + * initramfs-tools: trigger udevadm add actions with subsystems first. + This updates the initramfs-tools init-top udev script to trigger udevadm + actions with type specified. This mimicks the + systemd-udev-trigger.service. Without type specified only devices are + triggered, but triggering subsystems may also be required and should happen + before triggering the devices. This is the case for example on s390x with zdev + generated udev rules. (LP: #1713536) + + -- Dimitri John Ledkov Wed, 30 Aug 2017 11:22:41 +0100 + +systemd (234-2ubuntu9) artful; urgency=medium + + * boot-and-services: skip gdm3 tests when absent, as it is on s390x. + + -- Dimitri John Ledkov Wed, 23 Aug 2017 11:58:57 +0100 + +systemd (234-2ubuntu8) artful; urgency=medium + + * Enable systemd-networkd by default. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 17:50:59 +0100 + +systemd (234-2ubuntu7) artful; urgency=medium + + * Always setup /etc/resolv.conf on new installations. + On new installations, /etc/resolv.conf will always exist. Move it to /run + and replace it with the desired final symlink. (LP: #1712283) + * Create /etc/resolv.conf on resolved start, if it is an empty file. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 16:13:35 +0100 + +systemd (234-2ubuntu6) artful; urgency=medium + + * Disable KillUserProcesses, yet again, with meson this time. + * Re-enable reboot tests. 
+ + -- Dimitri John Ledkov Thu, 17 Aug 2017 15:22:35 +0100 + +systemd (234-2ubuntu5) artful; urgency=medium + + * debian/tests: disable i386 & amd64 systemd-fsck test, and add environment + overrides to allow force execution of those tests locally. LP: #1708051. + + -- Dimitri John Ledkov Wed, 16 Aug 2017 13:04:48 +0100 + +systemd (234-2ubuntu4) artful; urgency=medium + + * debian/tests: disable i386 & amd64 boot-smoke, passes locally. LP: + #1708051. + + -- Dimitri John Ledkov Tue, 15 Aug 2017 14:20:12 +0100 + +systemd (234-2ubuntu3) artful; urgency=medium + + * debian/tests: Switch to gdm, enforce udev upgrade. + + -- Dimitri John Ledkov Mon, 14 Aug 2017 12:02:37 +0100 + +systemd (234-2ubuntu2) artful; urgency=medium + + * Ignore failures to set Nice priority on services in containers. + * Disable execute test on armhf. + * units: set ConditionVirtualization=!private-users on journald audit socket. + It fails to start in unprivileged containers. + * boot-smoke: refactor ADT test. + Wait for system to settle down and get to either running or degraded state, + then collect all metrics, and exit with an error if any of the tests failed. + + -- Dimitri John Ledkov Wed, 02 Aug 2017 03:02:03 +0100 + +systemd (234-2ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. 
In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. + * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. + * modprobe.d: set max_bonds=0 for bonding module to prevent bond0 creation. + This prevents confusing networkd, and allows networkd to manage bond0. + * Cherrypick upstream networkd-test.py assertion/check fixes. + This resolves ADT test suite failures, when running tests under lxc/lxd + providers. 
+ * Cherrypick arm* seccomp fixes. + This should resolve ADT test failures, on arm64, when running as root. + * Re-enable seccomp and execute tests on arm. + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + [ Michael Biebl ] + * selinux: Enable labeling and access checks for unprivileged users. + Revert commit that inadvertently broke a lot of SELinux related + functionality for both unprivileged users and systemd instances running + as MANAGER_USER and instead deal with the auditd issue by checking for + the CAP_AUDIT_WRITE capability before opening an audit netlink socket. + (Closes: #863800) + + -- Dimitri John Ledkov Tue, 25 Jul 2017 13:30:58 +0100 + systemd (234-2) unstable; urgency=medium [ Martin Pitt ] 
@@ -940,6 +2267,64 @@ -- Michael Biebl Thu, 20 Jul 2017 15:13:42 +0200 +systemd (234-1ubuntu2) artful; urgency=medium + + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. + * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. 
+ + -- Dimitri John Ledkov Fri, 21 Jul 2017 17:07:17 +0100 + +systemd (234-1ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * Merge with debian, outstanding delta below. + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Mon, 17 Jul 2017 10:59:34 +0100 + systemd (234-1) unstable; urgency=medium [ Michael Biebl ] 
@@ -1021,6 +2406,52 @@ -- Michael Biebl Mon, 19 Jun 2017 15:10:14 +0200 +systemd (233-8ubuntu2) artful; urgency=medium + + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + * SECURITY UPDATE: Out-of-bounds write in systemd-resolved. + CVE-2017-9445 (LP: #1695546) + + -- Dimitri John Ledkov Wed, 28 Jun 2017 13:27:28 +0100 + +systemd (233-8ubuntu1) artful; urgency=medium + + Merge from experimental. Existing Ubuntu cherry-picks: + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + * Cherrypick upstream commit to enable system use kernel maximum limit for RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + + Ubuntu cherry-picks, now also applied in Debian: + * resolved: fix null pointer dereference crash + + Remaining Ubuntu delta: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. 
+ This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. + + New Ubuntu cherry-picks: + * loginctl: Chrerry-pick upstream fix to not ignore multiple session ids. + (LP: #1682154) + + -- Dimitri John Ledkov Mon, 19 Jun 2017 15:24:30 +0100 + systemd (233-8) experimental; urgency=medium * Bump debhelper compatibility level to 10 
@@ -1059,6 +2490,57 @@ -- Michael Biebl Wed, 24 May 2017 12:26:18 +0200 +systemd (233-6ubuntu3) artful; urgency=medium + + * resolved: fix null pointer dereference crash (LP: #1621396) + + -- Dimitri John Ledkov Mon, 22 May 2017 09:29:22 +0100 + +systemd (233-6ubuntu2) artful; urgency=medium + + [ Michael Biebl ] + * basic/journal-importer: Fix unaligned access in get_data_size() + (Closes: #862062) + + [ Dimitri John Ledkov ] + * ubuntu: disable dnssec on any ubuntu releases (LP: #1690605) + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + (LP: #1686784) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Wed, 17 May 2017 19:24:03 +0100 + +systemd (233-6ubuntu1) artful; urgency=medium + + Merge from Debian, existing changes: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + New changes: + * Cherrypick upstream commit to enable system use kernel maximum limit for + RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. 
(LP: #1686361) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + + -- Dimitri John Ledkov Tue, 02 May 2017 11:23:19 +0100 + systemd (233-6) experimental; urgency=medium [ Felipe Sateler ] 
@@ -1099,6 +2581,52 @@ -- Michael Biebl Fri, 28 Apr 2017 21:47:14 +0200 +systemd (233-5ubuntu1) artful; urgency=medium + + [ Felipe Sateler ] + * Backport upstream PR #5531. + This delays opening the mdns and llmnr sockets until a network has enabled them. + This silences annoying messages when networkd receives such packets without + expecting them: + Got mDNS UDP packet on unknown scope. + + [ Martin Pitt ] + * resolved: Disable DNSSEC by default on stretch and zesty. + Both Debian stretch and Ubuntu zesty are close to releasing, switch to + DNSSEC=off by default for those. Users can still turn it back on with + DNSSEC=allow-downgrade (or even "yes"). + + [ Michael Biebl ] + * Add Conflicts against hal. + Since v183, udev no longer supports RUN+="socket:". This feature is + still used by hal, but now generates vast amounts of errors in the + journal. Thus force the removal of hal by adding a Conflicts to the udev + package. This is safe, as hal is long dead and no longer useful. + * Drop systemd-ui Suggests + systemd-ui is unmaintained upstream and not particularly useful anymore. + * journal: fix up syslog facility when forwarding native messages. + Native journal messages (_TRANSPORT=journal) typically don't have a + syslog facility attached to it. As a result when forwarding the + messages to syslog they ended up with facility 0 (LOG_KERN). + Apply syslog_fixup_facility() so we use LOG_USER instead. (Closes: #837893) + * Split upstream tests into systemd-tests binary package (Closes: #859152) + * Get PACKAGE_VERSION from config.h. + This also works with meson and is not autotools specific. + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. 
(Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + -- Dimitri John Ledkov Fri, 21 Apr 2017 14:36:34 +0100 + systemd (233-5) experimental; urgency=medium * Do not throw a warning in emergency and rescue mode if plymouth is not diff -Nru systemd-240/debian/control systemd-240/debian/control --- systemd-240/debian/control 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/control 2019-04-09 23:55:45.000000000 +0000 @@ -1,7 +1,8 @@ Source: systemd Section: admin Priority: optional -Maintainer: Debian systemd Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian systemd Maintainers Uploaders: Michael Biebl , Marco d'Itri , Sjoerd Simons , @@ -9,8 +10,8 @@ Felipe Sateler Standards-Version: 4.2.1 Rules-Requires-Root: no -Vcs-Git: https://salsa.debian.org/systemd-team/systemd.git -Vcs-Browser: https://salsa.debian.org/systemd-team/systemd +Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd +Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd Homepage: https://www.freedesktop.org/wiki/Software/systemd Build-Depends: debhelper (>= 10.4~), pkg-config, @@ -21,7 +22,7 @@ meson (>= 0.49), gettext, gperf, - gnu-efi [amd64 i386 arm64], + gnu-efi [amd64 i386 arm64 armhf], libcap-dev (>= 1:2.24-9~), libpam0g-dev, libapparmor-dev (>= 2.9.0-3+exp2) , @@ -63,7 +64,8 @@ Section: admin Priority: important Recommends: libpam-systemd, - dbus + dbus, + networkd-dispatcher Suggests: systemd-container, policykit-1 Pre-Depends: ${shlibs:Pre-Depends}, 
@@ -75,9 +77,9 @@ mount (>= 2.26), adduser, Conflicts: consolekit, + systemd-shim, upstart, libpam-ck-connector, Breaks: apparmor (<< 2.9.2-1), - systemd-shim (<< 10-4~), ifupdown (<< 0.8.5~), udev (<< 228-5), laptop-mode-tools (<< 1.68~), @@ -113,7 +115,8 @@ upstart-sysv, Pre-Depends: systemd Depends: ${shlibs:Depends}, - ${misc:Depends} + ${misc:Depends}, + systemd (= ${binary:Version}), Recommends: libnss-systemd Description: system and service manager - SysV links systemd is a system and service manager for Linux. It provides aggressive @@ -209,7 +212,7 @@ systemd (= ${binary:Version}), libpam-runtime (>= 1.0.1-6), dbus, - systemd-shim (>= 10-4~) | systemd-sysv + systemd-sysv Description: system and service manager - PAM module This package contains the PAM module which registers user sessions in the systemd control group hierarchy for logind. diff -Nru systemd-240/debian/extra/dhclient-enter-resolved-hook systemd-240/debian/extra/dhclient-enter-resolved-hook --- systemd-240/debian/extra/dhclient-enter-resolved-hook 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/extra/dhclient-enter-resolved-hook 2019-04-09 23:55:29.000000000 +0000 
@@ -0,0 +1,72 @@ +# +# Script fragment to make dhclient supply nameserver information to resolvconf +# + +# Tips: +# * Be careful about changing the environment since this is sourced +# * This script fragment uses bash features +# * As of isc-dhcp-client 4.2 the "reason" (for running the script) can be one of the following. +# (Listed on man page:) MEDIUM(0) PREINIT(0) BOUND(M) RENEW(M) REBIND(M) REBOOT(M) EXPIRE(D) FAIL(D) RELEASE(D) STOP(D) NBI(-) TIMEOUT(M) +# (Also used in master script:) ARPCHECK(0), ARPSEND(0) +# (Also used in master script:) PREINIT6(0) BOUND6(M) RENEW6(M) REBIND6(M) DEPREF6(0) EXPIRE6(D) RELEASE6(D) STOP6(D) +# (0) = master script does not run make_resolv_conf +# (M) = master script runs make_resolv_conf +# (D) = master script downs interface +# (-) = master script does nothing with this + +if [ -x /lib/systemd/systemd-resolved ] ; then + # For safety, first undefine the nasty default make_resolv_conf() + make_resolv_conf() { : ; } + case "$reason" in + BOUND|RENEW|REBIND|REBOOT|TIMEOUT|BOUND6|RENEW6|REBIND6) + # Define a resolvconf-compatible m_r_c() function + # It gets run later (or, in the TIMEOUT case, MAY get run later) + make_resolv_conf() { + local statedir + if [ ! 
"$interface" ] ; then + return + fi + statedir="/run/systemd/resolved.conf.d" + mkdir -p $statedir + if [ -n "$new_domain_name_servers" ] ; then + cat <$statedir/isc-dhcp-v4-$interface.conf +[Resolve] +DNS=$new_domain_name_servers +EOF + if [ -n "$new_domain_name" ] || [ -n "$new_domain_search" ] ; then + cat <>$statedir/isc-dhcp-v4-$interface.conf +Domains=$new_domain_search $new_domain_name +EOF + fi + fi + if [ -n "$new_dhcp6_name_servers" ] ; then + cat <$statedir/isc-dhcp-v6-$interface.conf +[Resolve] +DNS=$new_dhcp6_name_servers +EOF + if [ -n "$new_dhcp6_domain_search" ] ; then + cat <>$statedir/isc-dhcp-v6-$interface.conf +Domains=$new_dhcp6_domain_search +EOF + fi + fi + systemctl try-reload-or-restart systemd-resolved.service + } + ;; + + EXPIRE|FAIL|RELEASE|STOP) + if [ ! "$interface" ] ; then + return + fi + rm -f /run/systemd/resolved.conf.d/isc-dhcp-v4-$interface.conf + systemctl try-reload-or-restart systemd-resolved.service + ;; + EXPIRE6|RELEASE6|STOP6) + if [ ! "$interface" ] ; then + return + fi + rm -f /run/systemd/resolved.conf.d/isc-dhcp-v6-$interface.conf + systemctl try-reload-or-restart systemd-resolved.service + ;; + esac +fi diff -Nru systemd-240/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf systemd-240/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf --- systemd-240/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf 2019-02-20 20:21:33.000000000 +0000 @@ -0,0 +1,4 @@ +# Use synchronous scanning, to block update-dev in d-i/hw-detect until after the scan is done +# This ensures that partitioning stage has all the drives detected + +options scsi_mod scan=sync diff -Nru systemd-240/debian/extra/start-udev systemd-240/debian/extra/start-udev --- systemd-240/debian/extra/start-udev 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/extra/start-udev 2019-04-09 23:55:29.000000000 +0000 
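Review bot: Inside the new `make_resolv_conf()`, the DHCP-server-supplied values (`$new_domain_name_servers`, `$new_domain_search`, `$new_domain_name`, `$new_dhcp6_name_servers`, `$new_dhcp6_domain_search`) are copied unchecked into the `DNS=` and `Domains=` lines of a drop-in that systemd-resolved reads as configuration. A value carrying a newline would therefore add extra directives to that file; whether dhclient already filters these options is not visible in this hunk. A guard before the first write would close this, for example `case "$new_domain_name_servers$new_domain_search$new_domain_name$new_dhcp6_name_servers$new_dhcp6_domain_search" in *[[:cntrl:]]*) return ;; esac`. The path expansions are also unquoted in `mkdir -p $statedir`, in the redirect targets and in both `rm -f .../isc-dhcp-v4-$interface.conf` / `isc-dhcp-v6-$interface.conf` lines; writing them as `"$statedir/isc-dhcp-v4-$interface.conf"` keeps word splitting and globbing out of a script that is sourced into dhclient-script. Since files under `/run/systemd/resolved.conf.d` with a `[Resolve]` section apply globally rather than per link, a comment such as `# NOTE: these drop-ins set global resolver config; the last lease written wins for all links` would tell the next maintainer what trust is being placed in each DHCP server.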
@@ -8,6 +8,12 @@ mount -n -o mode=0755 -t devtmpfs devtmpfs /dev fi +# This covers the same case as lib/modprobe.d/scsi-mod-scan-sync.conf +# in the event that scsi_mod is built in to the kernel, not a module: +if [ -f /sys/module/scsi_mod/parameters/scan ]; then + echo sync > /sys/module/scsi_mod/parameters/scan +fi + SYSTEMD_LOG_LEVEL=notice /lib/systemd/systemd-udevd --daemon --resolve-names=never udevadm trigger --action=add diff -Nru systemd-240/debian/extra/units/systemd-resolved.service.d/resolvconf.conf systemd-240/debian/extra/units/systemd-resolved.service.d/resolvconf.conf --- systemd-240/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,8 +0,0 @@ -# tell resolvconf about resolved's builtin DNS server, so that DNS servers -# picked up via networkd are respected when using resolvconf, and that software -# like Chrome that does not do NSS (libnss-resolve) still gets proper DNS -# resolution; do not remove the entry after stop though, as that leads to -# timeouts on shutdown via the resolvconf hooks (see LP: #1648068) -[Service] -ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved' -ReadWritePaths=-/run/resolvconf diff -Nru systemd-240/debian/gbp.conf systemd-240/debian/gbp.conf --- systemd-240/debian/gbp.conf 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/gbp.conf 2019-04-09 23:55:45.000000000 +0000 
@@ -1,7 +1,8 @@ [DEFAULT] pristine-tar = True patch-numbers = False -debian-branch = master +debian-branch = ubuntu-disco +debian-tag = ubuntu/%(version)s [dch] full = True diff -Nru systemd-240/debian/libnss-resolve.postrm systemd-240/debian/libnss-resolve.postrm --- systemd-240/debian/libnss-resolve.postrm 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/libnss-resolve.postrm 2019-02-20 20:21:33.000000000 +0000 @@ -23,10 +23,6 @@ if [ "$1" = remove ]; then remove_nss_entry /etc/nsswitch.conf libnss-resolve resolve - systemctl disable systemd-resolved.service - if [ -d /run/systemd/system ]; then - deb-systemd-invoke stop systemd-resolved.service || true - fi fi #DEBHELPER# diff -Nru systemd-240/debian/patches/Install-routes-after-addresses-are-ready.patch systemd-240/debian/patches/Install-routes-after-addresses-are-ready.patch --- systemd-240/debian/patches/Install-routes-after-addresses-are-ready.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/Install-routes-after-addresses-are-ready.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,93 @@ +From: Daniel Axtens +Date: Wed, 5 Dec 2018 21:49:35 +1100 +Subject: Install routes after addresses are ready + +If an IPv6 route is added with a source address that is still +tentative, the kernel will refuse to install it. + +Previously, once we sent the messages to the kernel to add the +addresses, we would immediately proceed to add the routes. The +addresses would usually still be tentative at this point, so +adding static IPv6 routes was broken - see issue #5882. + +Now, only begin to configure routes once the addresses are ready, +by restructuring the state machine, and tracking when addresses are +ready, not just added. + +Fixes: #5882 +Signed-off-by: Daniel Axtens +(cherry picked from commit 6aa5773bfff0a92d64da70426cae833df6f84daf) +--- + src/network/networkd-link.c | 18 ++++++++++++------ + src/network/networkd-link.h | 1 + + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index d778899..a9a1f89 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -884,6 +884,15 @@ void link_check_ready(Link *link) { + if (!link->neighbors_configured) + return; + ++ SET_FOREACH(a, link->addresses, i) ++ if (!address_is_ready(a)) ++ return; ++ ++ if (!link->addresses_ready) { ++ link->addresses_ready = true; ++ link_request_set_routes(link); ++ } ++ + if (!link->static_routes_configured) + return; + +@@ -913,10 +922,6 @@ void link_check_ready(Link *link) { + return; + } + +- SET_FOREACH(a, link->addresses, i) +- if (!address_is_ready(a)) +- return; +- + if (link->state != LINK_STATE_CONFIGURED) + link_enter_configured(link); + +@@ -977,7 +982,7 @@ static int address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) + if (link->address_messages == 0) { + log_link_debug(link, "Addresses set"); + link->addresses_configured = true; +- link_request_set_routes(link); ++ link_check_ready(link); + } + + return 1; +@@ -1107,6 +1112,7 @@ static int 
link_request_set_addresses(Link *link) { + + /* Reset all *_configured flags we are configuring. */ + link->addresses_configured = false; ++ link->addresses_ready = false; + link->neighbors_configured = false; + link->static_routes_configured = false; + link->routing_policy_rules_configured = false; +@@ -1261,7 +1267,7 @@ static int link_request_set_addresses(Link *link) { + + if (link->address_messages == 0) { + link->addresses_configured = true; +- link_request_set_routes(link); ++ link_check_ready(link); + } else + log_link_debug(link, "Setting addresses"); + +diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h +index 00e68fd..e417ea2 100644 +--- a/src/network/networkd-link.h ++++ b/src/network/networkd-link.h +@@ -82,6 +82,7 @@ typedef struct Link { + Set *routes_foreign; + + bool addresses_configured; ++ bool addresses_ready; + + sd_dhcp_client *dhcp_client; + sd_dhcp_lease *dhcp_lease; diff -Nru systemd-240/debian/patches/Move-link_check_ready-to-later-in-the-file.patch systemd-240/debian/patches/Move-link_check_ready-to-later-in-the-file.patch --- systemd-240/debian/patches/Move-link_check_ready-to-later-in-the-file.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/Move-link_check_ready-to-later-in-the-file.patch 2019-04-10 00:03:47.000000000 +0000 
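Review bot: The new `addresses_ready` field added to `struct Link` in the networkd-link.h hunk sits directly under `addresses_configured` with nothing explaining how the two differ, and `link_check_ready()` now has a side effect (requesting routes) that its name does not suggest. A field comment such as `/* every address passed address_is_ready(); routes are requested when this first becomes true */` and a one-line comment above the moved `SET_FOREACH` would make the new ordering readable without the commit message. The return value of `link_request_set_routes(link)` is discarded at the new call site after the flag has already been set. That matches the call this patch removes from `address_handler()`, so it is not new, but a failure there presumably leaves `addresses_ready` true until `link_request_set_addresses()` resets it, which is worth confirming against the full function. The bodies of these functions continue outside the quoted hunks.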
@@ -0,0 +1,148 @@ +From: Daniel Axtens +Date: Wed, 5 Dec 2018 20:39:41 +1100 +Subject: Move link_check_ready() to later in the file + +We're about to need it to be later in the file for the next commit. +Moving it now means that when we change it in the next commit, it's +not intermingled with the move. + +No functional change intended. + +Signed-off-by: Daniel Axtens +(cherry picked from commit 6accfd3139a0ccef9859b742452c04926f52515c) +--- + src/network/networkd-link.c | 114 ++++++++++++++++++++++---------------------- + 1 file changed, 57 insertions(+), 57 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 5cd59c6..d778899 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -753,63 +753,6 @@ static void link_enter_configured(Link *link) { + link_dirty(link); + } + +-void link_check_ready(Link *link) { +- Address *a; +- Iterator i; +- +- assert(link); +- +- if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER)) +- return; +- +- if (!link->network) +- return; +- +- if (!link->addresses_configured) +- return; +- +- if (!link->neighbors_configured) +- return; +- +- if (!link->static_routes_configured) +- return; +- +- if (!link->routing_policy_rules_configured) +- return; +- +- if (link_ipv4ll_enabled(link)) +- if (!link->ipv4ll_address || +- !link->ipv4ll_route) +- return; +- +- if (!link->network->bridge) { +- +- if (link_ipv6ll_enabled(link)) +- if (in_addr_is_null(AF_INET6, (const union in_addr_union*) &link->ipv6ll_address) > 0) +- return; +- +- if ((link_dhcp4_enabled(link) && !link_dhcp6_enabled(link) && +- !link->dhcp4_configured) || +- (link_dhcp6_enabled(link) && !link_dhcp4_enabled(link) && +- !link->dhcp6_configured) || +- (link_dhcp4_enabled(link) && link_dhcp6_enabled(link) && +- !link->dhcp4_configured && !link->dhcp6_configured)) +- return; +- +- if (link_ipv6_accept_ra_enabled(link) && !link->ndisc_configured) +- return; +- } +- +- SET_FOREACH(a, link->addresses, i) +- 
if (!address_is_ready(a)) +- return; +- +- if (link->state != LINK_STATE_CONFIGURED) +- link_enter_configured(link); +- +- return; +-} +- + static int link_request_set_routing_policy_rule(Link *link) { + RoutingPolicyRule *rule, *rrule = NULL; + int r; +@@ -923,6 +866,63 @@ static int link_request_set_routes(Link *link) { + return 0; + } + ++void link_check_ready(Link *link) { ++ Address *a; ++ Iterator i; ++ ++ assert(link); ++ ++ if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER)) ++ return; ++ ++ if (!link->network) ++ return; ++ ++ if (!link->addresses_configured) ++ return; ++ ++ if (!link->neighbors_configured) ++ return; ++ ++ if (!link->static_routes_configured) ++ return; ++ ++ if (!link->routing_policy_rules_configured) ++ return; ++ ++ if (link_ipv4ll_enabled(link)) ++ if (!link->ipv4ll_address || ++ !link->ipv4ll_route) ++ return; ++ ++ if (!link->network->bridge) { ++ ++ if (link_ipv6ll_enabled(link)) ++ if (in_addr_is_null(AF_INET6, (const union in_addr_union*) &link->ipv6ll_address) > 0) ++ return; ++ ++ if ((link_dhcp4_enabled(link) && !link_dhcp6_enabled(link) && ++ !link->dhcp4_configured) || ++ (link_dhcp6_enabled(link) && !link_dhcp4_enabled(link) && ++ !link->dhcp6_configured) || ++ (link_dhcp4_enabled(link) && link_dhcp6_enabled(link) && ++ !link->dhcp4_configured && !link->dhcp6_configured)) ++ return; ++ ++ if (link_ipv6_accept_ra_enabled(link) && !link->ndisc_configured) ++ return; ++ } ++ ++ SET_FOREACH(a, link->addresses, i) ++ if (!address_is_ready(a)) ++ return; ++ ++ if (link->state != LINK_STATE_CONFIGURED) ++ link_enter_configured(link); ++ ++ return; ++} ++ + static int link_request_set_neighbors(Link *link) { + Neighbor *neighbor; + int r; diff -Nru systemd-240/debian/patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch systemd-240/debian/patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch --- systemd-240/debian/patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch 
1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,39 @@
+From: Dimitri John Ledkov
+Date: Wed, 30 Jan 2019 10:38:38 +0000
+Subject: Revert "namespace: be more careful when handling namespacing
+ failures gracefully"
+
+This partially reverts commit 1beab8b0d0ff2d7d1436b52d4a0c3d56dc908962.
+
+Until after
+https://github.com/lxc/lxd/commit/a6b780703350faff8328f3d565f6bac7b6dcf59f is
+released in the snap store.
+---
+ src/core/execute.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 18c4d06..245c82e 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2452,14 +2452,18 @@ static int apply_mount_namespace(
+ log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
+ return 0;
+ }
+-
+ log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
+ "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
+ n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
+
+ return -EOPNOTSUPP;
+ }
+-
+ /* If we couldn't set up the namespace this is probably due to a
+ * missing capability. In this case, silently proceeed. */
+ if (IN_SET(r, -EPERM, -EACCES)) {
+ log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
+ return 0;
+ }
+ return r;
+ }
+
diff -Nru systemd-240/debian/patches/core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch systemd-240/debian/patches/core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch
--- systemd-240/debian/patches/core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch 2019-04-10 00:03:47.000000000 +0000
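Review bot: The `-EPERM`/`-EACCES` branch at the end of apply_mount_namespace() returns 0, so a unit whose mount namespace could not be set up is started without it, and the only trace is a debug-level message that is not shown at default log levels. Because the description calls this a temporary revert, the condition should be visible to operators, e.g. `log_unit_warning_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");`, and the comment should name the condition under which the block is to be removed again. The comment also contains the typo `proceeed`. The function starts outside the hunk, so which calls can leave these codes in `r` cannot be checked from here.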
@@ -0,0 +1,26 @@
+From: =?utf-8?q?Alberts_Muktup=C4=81vels?=
+Date: Tue, 12 Feb 2019 03:00:21 +0200
+Subject: core: when we uninstall a job, add unit to dbus queue
+
+Commit e6d05912cb1785d8c75eb40545beb8a7c6753cb9 added unit to dbus
+queue on job install. Do same on job uninstall to make sure we get
+PropertiesChanged signal.
+
+(cherry picked from commit 52c6c9eaecb493cc4d8a146bf67d93c8aea862c2)
+---
+ src/core/job.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/core/job.c b/src/core/job.c
+index f635b7e..fc212d0 100644
+--- a/src/core/job.c
++++ b/src/core/job.c
+@@ -151,6 +151,8 @@ void job_uninstall(Job *j) {
+
+ unit_add_to_gc_queue(j->unit);
+
++ unit_add_to_dbus_queue(j->unit); /* The Job property of the unit has changed now */
++
+ hashmap_remove_value(j->manager->jobs, UINT32_TO_PTR(j->id), j);
+ j->installed = false;
+ }
diff -Nru systemd-240/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch systemd-240/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch
--- systemd-240/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 2019-04-10 00:03:47.000000000 +0000
@@ -0,0 +1,27 @@
+From: Balint Reczey
+Date: Mon, 8 May 2017 17:02:03 +0200
+Subject: Skip starting systemd-remount-fs.service in containers
+
+even when /etc/fstab is present.
+
+This allows entering fully running state even when /etc/fstab
+lists / to be mounted from a device which is not present in the
+container.
+
+LP: #1576341
+---
+ units/systemd-remount-fs.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in
+index 2e5b75e..fb3e30b 100644
+--- a/units/systemd-remount-fs.service.in
++++ b/units/systemd-remount-fs.service.in
+@@ -17,6 +17,7 @@ After=systemd-fsck-root.service
+ Before=local-fs-pre.target local-fs.target shutdown.target
+ Wants=local-fs-pre.target
+ ConditionPathExists=/etc/fstab
++ConditionVirtualization=!container
+
+ [Service]
+ Type=oneshot
diff -Nru systemd-240/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch systemd-240/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch
--- systemd-240/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch 2019-04-10 00:03:47.000000000 +0000
@@ -0,0 +1,28 @@
+From: Michael Vogt
+Date: Wed, 14 Feb 2018 16:38:13 +0000
+Subject: Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file
+
+A change in apparmor mediates auto-activation attempts now through
+AppArmor: https://cgit.freedesktop.org/dbus/dbus/commit/?id=dc25979eb
+
+This breaks the snapd time{zone,server}-control interfaces which limt
+sending dbus message to a (label=unconfined) org.freedesktop.timedate1
+peers.
+
+By adding the AssumedApparmorLabel=unconfined label the snapd interfaces
+work again.
+
+LP: #1749000
+---
+ src/timedate/org.freedesktop.timedate1.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/timedate/org.freedesktop.timedate1.service b/src/timedate/org.freedesktop.timedate1.service
+index d5f3a6e..c498b82 100644
+--- a/src/timedate/org.freedesktop.timedate1.service
++++ b/src/timedate/org.freedesktop.timedate1.service
+@@ -12,3 +12,4 @@ Name=org.freedesktop.timedate1
+ Exec=/bin/false
+ User=root
+ SystemdService=dbus-org.freedesktop.timedate1.service
++AssumedAppArmorLabel=unconfined
diff -Nru systemd-240/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch systemd-240/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch
--- systemd-240/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch 2019-04-10 00:03:47.000000000 +0000
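Review bot: `AssumedAppArmorLabel=unconfined` is added without a comment in the service file, so nothing at the point of use records that the value depends on timedated running without an AppArmor profile. If the daemon is confined later, activation would presumably still be mediated against the assumed `unconfined` label (inferred from the patch description, not visible here). I would add a line above it such as `# Assumed label for AppArmor mediation of auto-activation (LP: #1749000); revisit if timedated is ever confined`. The subject and body spell the key `AssumedApparmorLabel` while the file uses `AssumedAppArmorLabel`; the description should match the key that is actually written.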
@@ -0,0 +1,84 @@ +From: Martin Pitt +Date: Sat, 26 Apr 2014 23:49:32 +0200 +Subject: Support system-image read-only /etc + +On Ubuntu Phone with readonly /etc we symlink +/etc/{adjtime,localtime,timezone,hostname,machine-info} to /etc/writable/, so +we need to update those files instead if the original files are symlinks into +/etc/writable/. + +Forwarded: OMGno, this is a rather nasty hack until we fix system-image to get a writable /etc +Bug-Ubuntu: https://launchpad.net/bugs/1227520 +--- + src/hostname/hostnamed.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c +index 7777450..36f4780 100644 +--- a/src/hostname/hostnamed.c ++++ b/src/hostname/hostnamed.c +@@ -22,6 +22,7 @@ + #include "os-util.h" + #include "parse-util.h" + #include "path-util.h" ++#include "fs-util.h" + #include "selinux-util.h" + #include "signal-util.h" + #include "strv.h" +@@ -71,6 +72,25 @@ static void context_clear(Context *c) { + bus_verify_polkit_async_registry_free(c->polkit_registry); + } + ++/* Hack for Ubuntu phone: check if path is an existing symlink to ++ * /etc/writable; if it is, update that instead */ ++static const char* writable_filename(const char *path) { ++ ssize_t r; ++ static char realfile_buf[PATH_MAX]; ++ _cleanup_free_ char *realfile = NULL; ++ const char *result = path; ++ int orig_errno = errno; ++ ++ r = readlink_and_make_absolute(path, &realfile); ++ if (r >= 0 && startswith(realfile, "/etc/writable")) { ++ snprintf(realfile_buf, sizeof(realfile_buf), "%s", realfile); ++ result = realfile_buf; ++ } ++ ++ errno = orig_errno; ++ return result; ++} ++ + static int context_read_data(Context *c) { + int r; + struct utsname u; +@@ -302,12 +322,12 @@ static int context_write_data_static_hostname(Context *c) { + + if (isempty(c->data[PROP_STATIC_HOSTNAME])) { + +- if (unlink("/etc/hostname") < 0) ++ if (unlink(writable_filename("/etc/hostname")) < 0) + return errno == 
ENOENT ? 0 : -errno; + + return 0; + } +- return write_string_file_atomic_label("/etc/hostname", c->data[PROP_STATIC_HOSTNAME]); ++ return write_string_file_atomic_label(writable_filename("/etc/hostname"), c->data[PROP_STATIC_HOSTNAME]); + } + + static int context_write_data_machine_info(Context *c) { +@@ -352,13 +372,13 @@ static int context_write_data_machine_info(Context *c) { + } + + if (strv_isempty(l)) { +- if (unlink("/etc/machine-info") < 0) ++ if (unlink(writable_filename("/etc/machine-info")) < 0) + return errno == ENOENT ? 0 : -errno; + + return 0; + } + +- return write_env_file_label("/etc/machine-info", l); ++ return write_env_file_label(writable_filename("/etc/machine-info"), l); + } + + static int property_get_icon_name( diff -Nru systemd-240/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch systemd-240/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch --- systemd-240/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch 2019-04-10 00:03:47.000000000 +0000 
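Review bot: In writable_filename() the test `startswith(realfile, "/etc/writable")` also accepts sibling names such as `/etc/writable-old/...`, and the link target is not normalised, so a target with `..` components can satisfy the prefix test while resolving outside that directory. Compare against the directory including its trailing slash, `startswith(realfile, "/etc/writable/")`, and fall back to `path` when the target is not a normalised path. The `snprintf()` into `realfile_buf` is unchecked, so an over-long target is silently truncated and the truncated name is then handed to `unlink()` and the write helpers; compare its return value with `sizeof(realfile_buf)` and keep `path` on truncation. The buffer is `static`, so each call overwrites the previous result, which deserves a sentence in the function comment.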
@@ -0,0 +1,79 @@ +From: Christian Ehrhardt +Date: Wed, 12 Sep 2018 13:10:24 +0100 +Subject: Bump the self-test timeouts to increase autopkgtest success rate + +Especially on i386 tests the systemd selftests were flaky for quite a while. +It turned out that 5/8 tests checked seemed to have worked fine but were +killed early by the timeouts expiring. +It was brought up that spectre and L1TF mitigations might have further +opened the window for these issues to trigger more often now. +Lets in our package bump the timeout which will worst case make a real bad test +slightly longer but probably safes many hours of wasted tests especially +considering how often they are jsut retried these days. +. +We might forward that upstream if for a while this proves to increase +the success rate of systemd autopkgtests. +Forwarded: no +Forward-info: need to prove with test success rate +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1789841 +Last-Update: 2018-08-30 +--- + test/TEST-08-ISSUE-2730/test.sh | 2 +- + test/TEST-09-ISSUE-2691/test.sh | 2 +- + test/TEST-18-FAILUREACTION/test.sh | 2 +- + test/TEST-19-DELEGATE/test.sh | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/test/TEST-08-ISSUE-2730/test.sh b/test/TEST-08-ISSUE-2730/test.sh +index b01df36..5b74be1 100755 +--- a/test/TEST-08-ISSUE-2730/test.sh ++++ b/test/TEST-08-ISSUE-2730/test.sh +@@ -6,7 +6,7 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/2730" + TEST_NO_NSPAWN=1 + + . $TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + FSTYPE=ext4 + + test_setup() { +diff --git a/test/TEST-09-ISSUE-2691/test.sh b/test/TEST-09-ISSUE-2691/test.sh +index 01eb4db..7a7b318 100755 +--- a/test/TEST-09-ISSUE-2691/test.sh ++++ b/test/TEST-09-ISSUE-2691/test.sh +@@ -6,7 +6,7 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/2691" + TEST_NO_NSPAWN=1 + + . 
$TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + + test_setup() { + create_empty_image +diff --git a/test/TEST-18-FAILUREACTION/test.sh b/test/TEST-18-FAILUREACTION/test.sh +index 783b3aa..c62e121 100755 +--- a/test/TEST-18-FAILUREACTION/test.sh ++++ b/test/TEST-18-FAILUREACTION/test.sh +@@ -5,7 +5,7 @@ set -e + TEST_DESCRIPTION="FailureAction= operation" + + . $TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + + test_setup() { + create_empty_image +diff --git a/test/TEST-19-DELEGATE/test.sh b/test/TEST-19-DELEGATE/test.sh +index bb0c505..0d7793b 100755 +--- a/test/TEST-19-DELEGATE/test.sh ++++ b/test/TEST-19-DELEGATE/test.sh +@@ -6,7 +6,7 @@ TEST_DESCRIPTION="test cgroup delegation in the unified hierarchy" + TEST_NO_NSPAWN=1 + + . $TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + UNIFIED_CGROUP_HIERARCHY=yes + + test_setup() { diff -Nru systemd-240/debian/patches/debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch systemd-240/debian/patches/debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch --- systemd-240/debian/patches/debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,30 @@
+From: Dimitri John Ledkov
+Date: Mon, 3 Dec 2018 12:31:20 +0000
+Subject: core: set /run size to 10%, like initramfs-tools does.
+
+Currently there is a difference between initrd and initrd-less boots,
+w.r.t. size= mount option of /run. This yields different runtime journald caps
+(1% vs 10%), and on dense deployments of containers may result in OOM kills.
+
+LP: #1799251
+---
+ src/core/mount-setup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
+index 3aae4c8..f098b0b 100644
+--- a/src/core/mount-setup.c
++++ b/src/core/mount-setup.c
+@@ -78,10 +78,10 @@ static const MountPoint mount_table[] = {
+ { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
+ NULL, MNT_IN_CONTAINER },
+ #if ENABLE_SMACK
+- { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
++ { "tmpfs", "/run", "tmpfs", "mode=755,size=10%,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ mac_smack_use, MNT_FATAL },
+ #endif
+- { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
++ { "tmpfs", "/run", "tmpfs", "mode=755,size=10%", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
+ { "tmpfs", "/run/lock", "tmpfs", "mode=1777,size=5242880", MS_NOSUID|MS_NODEV|MS_NOEXEC,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
diff -Nru systemd-240/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch systemd-240/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch
--- systemd-240/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch 2019-04-10 00:03:47.000000000 +0000
@@ -0,0 +1,42 @@
+From: Dimitri John Ledkov
+Date: Wed, 11 Oct 2017 12:17:03 +0100
+Subject: UBUNTU: drop unrelated settings from sysctl defaults shipped by
+ systemd.
+
+---
+ sysctl.d/50-default.conf | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
+index b0645f3..36ae524 100644
+--- a/sysctl.d/50-default.conf
++++ b/sysctl.d/50-default.conf
+@@ -11,28 +11,8 @@
+ # (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
+ # there.
+
+-# System Request functionality of the kernel (SYNC)
+-#
+-# Use kernel.sysrq = 1 to allow all keys.
+-# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for a list
+-# of values and keys.
+-kernel.sysrq = 16
+-
+-# Append the PID to the core filename
+-kernel.core_uses_pid = 1
+-
+-# Source route verification
+-net.ipv4.conf.all.rp_filter = 2
+-
+-# Do not accept source routing
+-net.ipv4.conf.all.accept_source_route = 0
+-
+ # Promote secondary addresses when the primary address is removed
+ net.ipv4.conf.all.promote_secondaries = 1
+
+ # Fair Queue CoDel packet scheduler to fight bufferbloat
+ net.core.default_qdisc = fq_codel
+-
+-# Enable hard and soft link protection
+-fs.protected_hardlinks = 1
+-fs.protected_symlinks = 1
diff -Nru systemd-240/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch systemd-240/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch
--- systemd-240/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch 2019-04-10 00:03:47.000000000 +0000
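Review bot: The description gives no reason for dropping these keys and does not say where `fs.protected_hardlinks`, `fs.protected_symlinks`, `net.ipv4.conf.all.rp_filter`, `net.ipv4.conf.all.accept_source_route` and `kernel.sysrq` are set once `50-default.conf` no longer carries them. If no other package supplies them, the kernel's built-in defaults apply, and those may be less restrictive than the values removed here. I would name the owning package in the patch description and leave a comment in the file, for example `# kernel.*, fs.protected_* and rp_filter/accept_source_route defaults are shipped by <package>, not by systemd`. A boot-time check in the package tests that the effective values are unchanged would make that dependency explicit.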
@@ -0,0 +1,22 @@
+From: Dimitri John Ledkov
+Date: Mon, 26 Mar 2018 13:41:15 +0100
+Subject: journald.service: set Nice=-1 to dodge watchdog on soft lockups.
+
+LP: #1696970
+(cherry picked from commit c5b77c35b4ec0e1812702240f272fbeea3ad4152)
+---
+ units/systemd-journald.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index 4684f09..059689d 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -25,6 +25,7 @@ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
+ Restart=always
+ RestartSec=0
++Nice=-1
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
+ RestrictRealtime=yes
diff -Nru systemd-240/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch systemd-240/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch
--- systemd-240/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch 2019-04-10 00:03:47.000000000 +0000
@@ -0,0 +1,66 @@ +From: Dimitri John Ledkov +Date: Fri, 20 Apr 2018 03:24:13 +0100 +Subject: UBUNTU: networkd: if RA was implicit, do not await ndisc_configured. + +If RA was iplicit, meaning not otherwise requested, and a kernel default was in +use. Do not prevent link entering configured state, whilst ndisc configuration +is pending. Implicit kernel RA, is expected to be asynchronous and +non-blocking. + +LP: #1765173 +(cherry picked from commit 4b784890d000aab33a36f95e565469d5b76e6cbf) +--- + src/network/networkd-link.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index a9a1f89..1e00e8e 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -217,7 +217,7 @@ static bool link_proxy_arp_enabled(Link *link) { + return true; + } + +-static bool link_ipv6_accept_ra_enabled(Link *link) { ++static bool link_ipv6_accept_ra_enabled_implicit(Link *link, bool * implicit) { + assert(link); + + if (!socket_ipv6_is_supported()) +@@ -236,9 +236,12 @@ static bool link_ipv6_accept_ra_enabled(Link *link) { + * disabled if local forwarding is enabled). + * If set, ignore or enforce RA independent of local forwarding state. 
+ */ +- if (link->network->ipv6_accept_ra < 0) ++ if (link->network->ipv6_accept_ra < 0) { + /* default to accept RA if ip_forward is disabled and ignore RA if ip_forward is enabled */ ++ if (implicit) ++ *implicit = true; + return !link_ipv6_forward_enabled(link); ++ } + else if (link->network->ipv6_accept_ra > 0) + /* accept RA even if ip_forward is enabled */ + return true; +@@ -247,6 +250,10 @@ static bool link_ipv6_accept_ra_enabled(Link *link) { + return false; + } + ++static bool link_ipv6_accept_ra_enabled(Link *link) { ++ return link_ipv6_accept_ra_enabled_implicit(link, NULL); ++} ++ + static IPv6PrivacyExtensions link_ipv6_privacy_extensions(Link *link) { + assert(link); + +@@ -918,8 +925,10 @@ void link_check_ready(Link *link) { + !link->dhcp4_configured && !link->dhcp6_configured)) + return; + +- if (link_ipv6_accept_ra_enabled(link) && !link->ndisc_configured) +- return; ++ bool implicit = false; ++ if (link_ipv6_accept_ra_enabled_implicit(link, &implicit) && !link->ndisc_configured) ++ if (!implicit) ++ return; + } + + if (link->state != LINK_STATE_CONFIGURED) diff -Nru systemd-240/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch systemd-240/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch --- systemd-240/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch 2019-04-10 00:03:47.000000000 +0000 
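Review bot: `link_ipv6_accept_ra_enabled_implicit()` writes `*implicit` only on the `ipv6_accept_ra < 0` path, so every other return leaves the caller's variable untouched and correctness depends on each caller initialising it, as link_check_ready() does with `bool implicit = false;`. Set it at the top of the function, `if (implicit) *implicit = false;` right after `assert(link);`, so the out-parameter is defined on every path. The nested `if` added to link_check_ready() reads more clearly as one condition ending in `&& !implicit`, with a comment that an implicitly enabled RA must not block the configured state. Both functions extend beyond the hunks shown.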
@@ -0,0 +1,40 @@
+From: Dimitri John Ledkov
+Date: Fri, 9 Feb 2018 15:57:54 +0000
+Subject: UBUNTU: resolved: disable global LLMNR and MulticastDNS by default.
+
+LP: #1739672
+---
+ src/resolve/resolved-manager.c | 4 ++--
+ src/resolve/resolved.conf.in | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
+index b7dc09a..173d710 100644
+--- a/src/resolve/resolved-manager.c
++++ b/src/resolve/resolved-manager.c
+@@ -575,8 +575,8 @@ int manager_new(Manager **ret) {
+ .dns_stub_tcp_fd = -1,
+ .hostname_fd = -1,
+
+- .llmnr_support = RESOLVE_SUPPORT_YES,
+- .mdns_support = RESOLVE_SUPPORT_YES,
++ .llmnr_support = RESOLVE_SUPPORT_NO,
++ .mdns_support = RESOLVE_SUPPORT_NO,
+ .dnssec_mode = DEFAULT_DNSSEC_MODE,
+ .dns_over_tls_mode = DEFAULT_DNS_OVER_TLS_MODE,
+ .enable_cache = true,
+diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
+index 6898c78..d6dab77 100644
+--- a/src/resolve/resolved.conf.in
++++ b/src/resolve/resolved.conf.in
+@@ -15,8 +15,8 @@
+ #DNS=
+ #FallbackDNS=@DNS_SERVERS@
+ #Domains=
+-#LLMNR=yes
+-#MulticastDNS=yes
++#LLMNR=no
++#MulticastDNS=no
+ #DNSSEC=@DEFAULT_DNSSEC_MODE@
+ #DNSOverTLS=@DEFAULT_DNS_OVER_TLS_MODE@
+ #Cache=yes
diff -Nru systemd-240/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch systemd-240/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch
--- systemd-240/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch 2019-04-10 00:03:47.000000000 +0000
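Review bot: Only the compiled-in defaults in manager_new() and the commented template in `resolved.conf.in` change, and the patch's diffstat lists no manual page, so the documented default for `LLMNR=` and `MulticastDNS=` presumably still reads `yes`. An administrator checking the documentation would then conclude that multicast name resolution is active when it is not, or re-enable it without noticing that the distribution turned it off on purpose. The patch should carry the matching documentation change, as the UseDomains patch in this series does for its defaults. A short comment at the two initialisers, e.g. `/* Ubuntu: multicast name resolution is off unless enabled in resolved.conf (LP: #1739672) */`, would keep the reason next to the code.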
@@ -0,0 +1,23 @@
+From: Dimitri John Ledkov
+Date: Wed, 1 Aug 2018 20:09:39 +0100
+Subject: test-sleep: skip test_fiemap upon inapproriate ioctl for device.
+
+On v4.4 kernels, on top of btrfs ephemeral lxd v3.0 containers generate this
+other error code, instead of not supported. Skip the test for both error codes.
+---
+ src/test/test-sleep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-sleep.c b/src/test/test-sleep.c
+index 2a6d5e7..37eb88b 100644
+--- a/src/test/test-sleep.c
++++ b/src/test/test-sleep.c
+@@ -31,7 +31,7 @@ static int test_fiemap(const char *path) {
+ if (fd < 0)
+ return log_error_errno(errno, "failed to open %s: %m", path);
+ r = read_fiemap(fd, &fiemap);
+- if (r == -EOPNOTSUPP)
++ if (IN_SET(r, -EOPNOTSUPP, -ENOTTY))
+ exit(log_tests_skipped("Not supported"));
+ if (r < 0)
+ return log_error_errno(r, "Unable to read extent map for '%s': %m", path);
diff -Nru systemd-240/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch systemd-240/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch
--- systemd-240/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch 2019-04-10 00:03:47.000000000 +0000
@@ -0,0 +1,23 @@
+From: Dimitri John Ledkov
+Date: Fri, 16 Feb 2018 13:28:31 +0000
+Subject: test/test-functions: launch qemu with -vga none
+
+When booting ppc64el virtual machines, they require seabios, unless -vga none
+is specified. Since we do a direct kernel & initrd boot, with -nographic, we
+really have no need for vga or seabios in this case.
+---
+ test/test-functions | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/test-functions b/test/test-functions
+index 3706939..83fd3dc 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -158,6 +158,7 @@ $KERNEL_APPEND \
+ -net none \
+ -m 512M \
+ -nographic \
++-vga none \
+ -kernel $KERNEL_BIN \
+ -drive format=raw,cache=unsafe,file=${TESTDIR}/rootdisk.img \
+ "
diff -Nru systemd-240/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch systemd-240/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch
--- systemd-240/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch 2019-04-10 00:03:47.000000000 +0000
@@ -0,0 +1,38 @@ +From: Dimitri John Ledkov +Date: Thu, 26 Jul 2018 14:22:25 +0100 +Subject: units: block CAP_SYS_MODULE units in containers too + +lxd/lxc usually keep the usernamespace capabilities, whilst in practice one +does not have these in the initial namespace. Thus add additional condition +!container, such that sys-kernel-config.mount and systemd-modules.load.service +are not started in the lxd containers. This should make default lxd containers +start non-degraded. +--- + units/sys-kernel-config.mount | 1 + + units/systemd-modules-load.service.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount +index e213ca5..57ba0b1 100644 +--- a/units/sys-kernel-config.mount ++++ b/units/sys-kernel-config.mount +@@ -14,6 +14,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems + DefaultDependencies=no + ConditionPathExists=/sys/kernel/config + ConditionCapability=CAP_SYS_RAWIO ++ConditionVirtualization=!container + After=systemd-modules-load.service + Before=sysinit.target + +diff --git a/units/systemd-modules-load.service.in b/units/systemd-modules-load.service.in +index 26abe21..73a8d67 100644 +--- a/units/systemd-modules-load.service.in ++++ b/units/systemd-modules-load.service.in +@@ -14,6 +14,7 @@ DefaultDependencies=no + Conflicts=shutdown.target + Before=sysinit.target shutdown.target + ConditionCapability=CAP_SYS_MODULE ++ConditionVirtualization=!container + ConditionDirectoryNotEmpty=|/lib/modules-load.d + ConditionDirectoryNotEmpty=|/usr/lib/modules-load.d + ConditionDirectoryNotEmpty=|/usr/local/lib/modules-load.d diff -Nru systemd-240/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch systemd-240/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch --- systemd-240/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
systemd-240/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch 2019-04-10 00:03:47.000000000 +0000 @@ -0,0 +1,22 @@ +From: Dimitri John Ledkov +Date: Thu, 4 Oct 2018 15:25:50 +0100 +Subject: units: Disable journald Watchdog + https://github.com/systemd/systemd/issues/9079 + +LP: #1773148 +--- + units/systemd-journald.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 059689d..0d65bd7 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -35,7 +35,6 @@ SystemCallArchitectures=native + SystemCallErrorNumber=EPERM + SystemCallFilter=@system-service + Type=notify +-WatchdogSec=3min + + # If there are many split up journal files we need a lot of fds to access them + # all in parallel. diff -Nru systemd-240/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch systemd-240/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch --- systemd-240/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,42 @@
+From: Dimitri John Ledkov
+Date: Mon, 26 Mar 2018 13:17:01 +0100
+Subject: wait-online: exit, if no links are managed.
+
+(cherry picked from commit 19d11f607ac0f8b1e31f72a8e9d3d44371b9dadb)
+---
+ src/network/wait-online/manager.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/manager.c b/src/network/wait-online/manager.c
+index e1ccc9f..655fa0a 100644
+--- a/src/network/wait-online/manager.c
++++ b/src/network/wait-online/manager.c
+@@ -37,6 +37,7 @@ bool manager_all_configured(Manager *m) {
+ Link *l;
+ char **ifname;
+ bool one_ready = false;
++ bool none_managed = true;
+
+ /* wait for all the links given on the command line to appear */
+ STRV_FOREACH(ifname, m->interfaces) {
+@@ -67,6 +68,11 @@ bool manager_all_configured(Manager *m) {
+ return false;
+ }
+
++ if (STR_IN_SET(l->state, "configured", "failed")) {
++ log_info("managing: %s", l->ifname);
++ none_managed = false;
++ }
++
+ if (l->operational_state &&
+ STR_IN_SET(l->operational_state, "degraded", "routable"))
+ /* we wait for at least one link to be ready,
+@@ -74,7 +80,7 @@ bool manager_all_configured(Manager *m) {
+ one_ready = true;
+ }
+
+- return one_ready;
++ return one_ready || none_managed;
+ }
+
+ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void *userdata) {
diff -Nru systemd-240/debian/patches/debian/Ubuntu-UseDomains-by-default.patch systemd-240/debian/patches/debian/Ubuntu-UseDomains-by-default.patch
--- systemd-240/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-240/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 2019-04-10 00:03:47.000000000 +0000
@@ -0,0 +1,75 @@ +From: Dimitri John Ledkov +Date: Thu, 20 Jul 2017 13:48:31 +0100 +Subject: Set UseDomains to true, by default, on Ubuntu. + +On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries +to a preset 3rd party by default. In resolved, dnssec is also disabled by +default, as too much of the internet is broken and using Ubuntu users to debug +the internet is not very productive - most of the time the end-user cannot fix +or know how to notify the site owners about the dnssec mistakes. Inherintally +the DHCP acquired DNS servers are therefore trusted, and are free to spoof +records. Not trusting DNS search domains, in such scenario, provides limited +security or privacy benefits. From user point of view, this also appears to be +a regression from previous Ubuntu releases which do trust DHCP acquired search +domains by default. + +Therefore we are enabling UseDomains by default on Ubuntu. + +Users may override this setting in the .network files by specifying +[DHCP|IPv6AcceptRA] UseDomains=no|route options. +--- + man/systemd.network.xml | 6 +++--- + src/network/networkd-network.c | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index ee464ff..b44eebd 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -301,7 +301,7 @@ + IPv6AcceptRA=. + + Furthermore, note that by default the domain name +- specified through DHCP is not used for name resolution. ++ specified through DHCP, on Ubuntu, are used for name resolution. + See option below. + + See the [DHCP] section below for further configuration options for the DHCP client +@@ -1291,7 +1291,7 @@ + the setting. If set to route, the domain name received from + the DHCP server will be used for routing DNS queries only, but not for searching, similar to the effect of + the setting when the argument is prefixed with ~. Defaults to +- false. ++ true on Ubuntu. 
+ + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +@@ -1483,7 +1483,7 @@ + the effect of the setting. If set to route, the domain name + received via IPv6 RA will be used for routing DNS queries only, but not for searching, similar to the + effect of the setting when the argument is prefixed with +- ~. Defaults to false. ++ ~. Defaults to true on Ubuntu. + + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index ccc1c3c..e05f385 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -137,6 +137,7 @@ int network_load_one(Manager *manager, const char *filename) { + .dhcp_use_routes = true, + /* NOTE: this var might be overwriten by network_apply_anonymize_if_set */ + .dhcp_send_hostname = true, ++ .dhcp_use_domains = DHCP_USE_DOMAINS_YES, + /* To enable/disable RFC7844 Anonymity Profiles */ + .dhcp_anonymize = false, + .dhcp_route_metric = DHCP_ROUTE_METRIC, +@@ -187,6 +188,7 @@ int network_load_one(Manager *manager, const char *filename) { + .multicast = -1, + .allmulticast = -1, + .ipv6_accept_ra_use_dns = true, ++ .ipv6_accept_ra_use_domains = DHCP_USE_DOMAINS_YES, + .ipv6_accept_ra_route_table = RT_TABLE_MAIN, + }; + diff -Nru systemd-240/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch systemd-240/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch --- systemd-240/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
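Review bot: The two option descriptions in systemd.network.xml now say `Defaults to true on Ubuntu` but keep the following paragraph, "It is recommended to enable this option only on trusted networks", so the documentation advises against the shipped default without telling the reader what to do about it. With `.dhcp_use_domains` and `.ipv6_accept_ra_use_domains` both initialised to `DHCP_USE_DOMAINS_YES` in network_load_one(), search domains supplied by DHCP and by IPv6 router advertisements are accepted on every link unless a .network file overrides them. I would add one sentence after each changed default, for example `On networks that are not trusted, set UseDomains=no or UseDomains=route in the matching .network file.` The first man-page hunk also reads "the domain name ... are used"; `is used` matches the singular subject. network_load_one() starts and ends outside the hunk.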
systemd-240/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,39 @@ +From: Dimitri John Ledkov +Date: Tue, 1 Aug 2017 17:38:05 +0100 +Subject: core: in execute, soft fail setting Nice priority, + when permissions are denied + +In unpriviledged containers Nice priority setting may not be permitted. Thus +log and ignore permission failure to set Nice priority in such +environments. This is similar to how OOMScoreAdjust is treated. +--- + src/core/execute.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 595a3c6..18c4d06 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -3073,11 +3073,17 @@ static int exec_child( + } + } + +- if (context->nice_set) +- if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) { +- *exit_status = EXIT_NICE; +- return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m"); +- } ++ if (context->nice_set) { ++ r = setpriority(PRIO_PROCESS, 0, context->nice); ++ if (r == -EPERM || r == -EACCES) { ++ log_open(); ++ log_unit_debug_errno(unit, r, "Failed to adjust Nice setting, assuming containerized execution, ignoring: %m"); ++ log_close(); ++ } else if (r < 0) { ++ *exit_status = EXIT_NICE; ++ return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m"); ++ } ++ } + + if (context->cpu_sched_set) { + struct sched_param param = { diff -Nru systemd-240/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch systemd-240/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch --- systemd-240/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 2019-04-10 00:03:47.000000000 +0000 
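Review bot: `setpriority()` returns -1 and sets errno on failure, so in the rewritten `if (context->nice_set)` block `r` can never equal `-EACCES`, and because EPERM is 1 on Linux the test `r == -EPERM` matches every failure. As written, any setpriority() error is logged at debug level as a permission problem and ignored, and the `else if (r < 0)` branch that sets `EXIT_NICE` cannot be reached. Converting the result first limits the soft-fail to the two intended codes: `r = setpriority(PRIO_PROCESS, 0, context->nice) < 0 ? -errno : 0;`, after which the hard-failure branch should log `r` rather than `errno`. exec_child() starts and ends outside the hunk.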
@@ -0,0 +1,22 @@ +From: Dimitri John Ledkov +Date: Wed, 2 Aug 2017 00:40:28 +0100 +Subject: units: set ConditionVirtualization=!private-users on journald audit + socket + +As it fails to start in an unpriviledged container. +--- + units/systemd-journald-audit.socket | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket +index cb8b774..6649934 100644 +--- a/units/systemd-journald-audit.socket ++++ b/units/systemd-journald-audit.socket +@@ -14,6 +14,7 @@ DefaultDependencies=no + Before=sockets.target + ConditionSecurity=audit + ConditionCapability=CAP_AUDIT_READ ++ConditionVirtualization=!private-users + + [Socket] + Service=systemd-journald.service diff -Nru systemd-240/debian/patches/llmnr-add-comment-why-we-install-no-complete-handler-on-s.patch systemd-240/debian/patches/llmnr-add-comment-why-we-install-no-complete-handler-on-s.patch --- systemd-240/debian/patches/llmnr-add-comment-why-we-install-no-complete-handler-on-s.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/llmnr-add-comment-why-we-install-no-complete-handler-on-s.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,21 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 18:36:14 +0100 +Subject: llmnr: add comment why we install no complete() handler on stream + +--- + src/resolve/resolved-llmnr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c +index d73f865..b7c37f1 100644 +--- a/src/resolve/resolved-llmnr.c ++++ b/src/resolve/resolved-llmnr.c +@@ -302,6 +302,8 @@ static int on_llmnr_stream(sd_event_source *s, int fd, uint32_t revents, void *u + } + + stream->on_packet = on_llmnr_stream_packet; ++ /* We don't configure a "complete" handler here, we rely on the default handler than simply drops the ++ * reference to the stream, thus freeing it */ + return 0; + } + diff -Nru systemd-240/debian/patches/network-do-not-remove-rule-when-it-is-requested-by-e.patch systemd-240/debian/patches/network-do-not-remove-rule-when-it-is-requested-by-e.patch --- systemd-240/debian/patches/network-do-not-remove-rule-when-it-is-requested-by-e.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/network-do-not-remove-rule-when-it-is-requested-by-e.patch 2019-04-10 00:05:15.000000000 +0000 
@@ -0,0 +1,58 @@ +Description: Network-Do not remove rule when it is requested by existing links +Otherwise, the first link once removes all saved rules in the foreign +rule database, and the second or later links create again... + +Author: Yu Watanabe +Subject: [PATCH] network: do not remove rule when it is requested by existing + links +Origin: Upstream, https://github.com/systemd/systemd/pull/11795/commits/031fb59a984e5b51f3c72aa8125ecc50b08011fe +Bug: https://github.com/systemd/systemd/issues/11280 +Bug-Ubuntu: https://launchpad.net/bugs/1818282 +--- + src/network/networkd-routing-policy-rule.c | 26 ++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +Index: systemd-240/src/network/networkd-routing-policy-rule.c +=================================================================== +--- systemd-240.orig/src/network/networkd-routing-policy-rule.c ++++ systemd-240/src/network/networkd-routing-policy-rule.c +@@ -1250,6 +1250,26 @@ int routing_policy_load_rules(const char + return 0; + } + ++static bool manager_links_have_routing_policy_rule(Manager *m, RoutingPolicyRule *rule) { ++ RoutingPolicyRule *link_rule; ++ Iterator i; ++ Link *link; ++ ++ assert(m); ++ assert(rule); ++ ++ HASHMAP_FOREACH(link, m->links, i) { ++ if (!link->network) ++ continue; ++ ++ LIST_FOREACH(rules, link_rule, link->network->rules) ++ if (routing_policy_rule_compare_func(link_rule, rule) == 0) ++ return true; ++ } ++ ++ return false; ++} ++ + void routing_policy_rule_purge(Manager *m, Link *link) { + RoutingPolicyRule *rule, *existing; + Iterator i; +@@ -1263,6 +1283,12 @@ void routing_policy_rule_purge(Manager * + if (!existing) + continue; /* Saved rule does not exist anymore. */ + ++ if (manager_links_have_routing_policy_rule(m, existing)) ++ continue; /* Existing links have the saved rule. */ ++ ++ /* Existing links do not have the saved rule. Let's drop the rule now, and re-configure it ++ * later when it is requested. 
*/ ++ + r = routing_policy_rule_remove(existing, link, NULL); + if (r < 0) { + log_warning_errno(r, "Could not remove routing policy rules: %m"); diff -Nru systemd-240/debian/patches/network-remove-routing-policy-rule-from-foreign-rule.patch systemd-240/debian/patches/network-remove-routing-policy-rule-from-foreign-rule.patch --- systemd-240/debian/patches/network-remove-routing-policy-rule-from-foreign-rule.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/network-remove-routing-policy-rule-from-foreign-rule.patch 2019-04-10 00:05:15.000000000 +0000 
@@ -0,0 +1,51 @@ +Description: Network - remove routing policy from foreign rule database +Previously, When the first link configures rules, it removes all saved +rules, which were configured by networkd previously, in the foreign rule +database, but the rules themselves are still in the database. +Thus, when the second or later link configures rules, it errnously +treats the rules already exist. +This is the root of issue #11280. +This removes rules from the foreign database when they are removed. +Fixes #11280. + +Author: Yu Watanabe +Subject: [PATCH] network: remove routing policy rule from foreign rule + database when it is removed +Origin: Upstream, https://github.com/systemd/systemd/pull/11795/commits/92cd00b9749141907a1110044cc7d1f01caff545 +Bug: https://github.com/systemd/systemd/issues/11280 +Bug-Ubuntu: https://launchpad.net/bugs/1818282 +--- + src/network/networkd-routing-policy-rule.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +Index: systemd-240/src/network/networkd-routing-policy-rule.c +=================================================================== +--- systemd-240.orig/src/network/networkd-routing-policy-rule.c ++++ systemd-240/src/network/networkd-routing-policy-rule.c +@@ -1260,15 +1260,18 @@ void routing_policy_rule_purge(Manager * + + SET_FOREACH(rule, m->rules_saved, i) { + existing = set_get(m->rules_foreign, rule); +- if (existing) { ++ if (!existing) ++ continue; /* Saved rule does not exist anymore. 
*/ + +- r = routing_policy_rule_remove(rule, link, NULL); +- if (r < 0) { +- log_warning_errno(r, "Could not remove routing policy rules: %m"); +- continue; +- } +- +- link->routing_policy_rule_remove_messages++; ++ r = routing_policy_rule_remove(existing, link, NULL); ++ if (r < 0) { ++ log_warning_errno(r, "Could not remove routing policy rules: %m"); ++ continue; + } ++ ++ link->routing_policy_rule_remove_messages++; ++ ++ assert_se(set_remove(m->rules_foreign, existing) == existing); ++ routing_policy_rule_free(existing); + } + } diff -Nru systemd-240/debian/patches/networkd-honour-LinkLocalAddressing.patch systemd-240/debian/patches/networkd-honour-LinkLocalAddressing.patch --- systemd-240/debian/patches/networkd-honour-LinkLocalAddressing.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/networkd-honour-LinkLocalAddressing.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,55 @@ +From: Susant Sahani +Date: Mon, 14 Jan 2019 22:46:09 +0530 +Subject: networkd: honour LinkLocalAddressing + +Closes #9890 + +(cherry picked from commit 158d98817f757e2a5904930a49d542acf324f8cc) +--- + src/network/networkd-link.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 5353b9d..5cd59c6 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -284,6 +284,29 @@ static int link_enable_ipv6(Link *link) { + return 0; + } + ++static int link_disable_ipv6_addr_gen_mode(Link *link) { ++ const char *p = NULL; ++ int r; ++ ++ /* Make this a NOP if IPv6 is not available */ ++ if (!socket_ipv6_is_supported()) ++ return 0; ++ ++ if (link->flags & IFF_LOOPBACK) ++ return 0; ++ ++ if (link_ipv6ll_enabled(link)) ++ return 0; ++ ++ p = strjoina("/proc/sys/net/ipv6/conf/", link->ifname, "/addr_gen_mode"); ++ ++ r = write_string_file(p, "1", WRITE_STRING_FILE_VERIFY_ON_FAILURE | WRITE_STRING_FILE_DISABLE_BUFFER); ++ if (r < 0) ++ log_link_warning_errno(link, r, "Cannot set IPv6 address gen mode for interface: %m"); ++ ++ return 0; ++} ++ + void link_update_operstate(Link *link) { + LinkOperationalState operstate; + assert(link); +@@ -1808,6 +1831,9 @@ int link_up(Link *link) { + if (r < 0) + return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m"); + ++ ++ (void) link_disable_ipv6_addr_gen_mode(link); ++ + if (link_ipv6_enabled(link)) { + /* if the kernel lacks ipv6 support setting IFF_UP fails if any ipv6 options are passed */ + r = sd_netlink_message_open_container(req, AF_INET6); diff -Nru systemd-240/debian/patches/pam-systemd-use-secure_getenv-rather-than-getenv.patch systemd-240/debian/patches/pam-systemd-use-secure_getenv-rather-than-getenv.patch --- systemd-240/debian/patches/pam-systemd-use-secure_getenv-rather-than-getenv.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
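Review bot: The literal `"1"` written to `addr_gen_mode` in link_disable_ipv6_addr_gen_mode() is unexplained; it corresponds to the kernel's `IN6_ADDR_GEN_MODE_NONE`, and a comment such as `/* 1 == IN6_ADDR_GEN_MODE_NONE: the kernel generates no link-local address */` would make that checkable. The function is declared `int` but returns 0 on every path, including after a failed write, and its only visible caller discards the result with `(void)`; either return `r` from the failure branch or declare it `void`. The link_up() hunk also adds two consecutive blank lines before the call. link_up() starts and ends outside the hunk.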
systemd-240/debian/patches/pam-systemd-use-secure_getenv-rather-than-getenv.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,40 @@ +From: Lennart Poettering +Date: Mon, 4 Feb 2019 10:23:43 +0100 +Subject: pam-systemd: use secure_getenv() rather than getenv() + +And explain why in a comment. + +(cherry picked from commit 83d4ab55336ff8a0643c6aa627b31e351a24040a) +--- + src/login/pam_systemd.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c +index cdec102..3b07ff6 100644 +--- a/src/login/pam_systemd.c ++++ b/src/login/pam_systemd.c +@@ -310,14 +310,21 @@ static const char* getenv_harder(pam_handle_t *handle, const char *key, const ch + assert(handle); + assert(key); + +- /* Looks for an environment variable, preferrably in the environment block associated with the specified PAM +- * handle, falling back to the process' block instead. */ ++ /* Looks for an environment variable, preferrably in the environment block associated with the ++ * specified PAM handle, falling back to the process' block instead. Why check both? Because we want ++ * to permit configuration of session properties from unit files that invoke PAM services, so that ++ * PAM services don't have to be reworked to set systemd-specific properties, but these properties ++ * can still be set from the unit file Environment= block. */ + + v = pam_getenv(handle, key); + if (!isempty(v)) + return v; + +- v = getenv(key); ++ /* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally ++ * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they ++ * currently don't (to be precise, they clean up the environment they pass to their children, but ++ * not their own environ[]). 
*/ ++ v = secure_getenv(key); + if (!isempty(v)) + return v; + diff -Nru systemd-240/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch systemd-240/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch --- systemd-240/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,74 @@ +From: Dimitri John Ledkov +Date: Wed, 28 Mar 2018 23:05:17 +0100 +Subject: resolved: Mitigate DVE-2018-0001, + by retrying NXDOMAIN without EDNS0. + +Some captive portals, lie and do not respond with the captive portal IP +address, if the query is with EDNS0 enabled and DO bit set to zero. Thus retry +all domain name look ups with less secure methods, upon NXDOMAIN. + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/bionic/+source/systemd/+bug/1766969 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/bionic/+source/systemd/+bug/1727237 +Bug-DNS: https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md +(cherry picked from commit cc0a0eb1a9379a81256d68d65f8450a487c0ab12) +--- + src/resolve/resolved-dns-transaction.c | 38 +++++++++++++++++++++++++++++----- + 1 file changed, 33 insertions(+), 5 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 4a2d2cc..d252347 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -377,12 +377,12 @@ static int dns_transaction_pick_server(DnsTransaction *t) { + if (!server) + return -ESRCH; + +- /* If we changed the server invalidate the feature level clamping, as the new server might have completely +- * different properties. */ +- if (server != t->server) ++ /* If we changed the server invalidate the current & clamp feature levels, as the new server might have ++ * completely different properties. */ ++ if (server != t->server) { + t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID; +- +- t->current_feature_level = dns_server_possible_feature_level(server); ++ t->current_feature_level = dns_server_possible_feature_level(server); ++ } + + /* Clamp the feature level if that is requested. 
*/ + if (t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID && +@@ -1024,6 +1024,34 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { + return; + } + ++ /* Some captive portals are special in that the Aruba/Datavalet hardware will miss replacing the ++ * packets with the local server IP to point to the authenticated side of the network if EDNS0 is ++ * enabled. Instead they return NXDOMAIN, with DO bit set to zero... nothing to see here, yet respond ++ * with the captive portal IP, when using UDP level. ++ * ++ * Common portal names that fail like so are: ++ * secure.datavalet.io ++ * securelogin.arubanetworks.com ++ * securelogin.networks.mycompany.com ++ * ++ * Thus retry NXDOMAIN RCODES for "secure" things with a lower feature level. ++ * ++ * Do not "clamp" the feature level down, as the captive portal should not be lying for the wider ++ * internet (e.g. _other_ queries were observed fine with EDNS0 on these networks) ++ * ++ * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md ++ */ ++ if (DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN && t->current_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) { ++ char key_str[DNS_RESOURCE_KEY_STRING_MAX]; ++ dns_resource_key_to_string(t->key, key_str, sizeof key_str); ++ t->current_feature_level = t->current_feature_level - 1; ++ log_warning("Server returned error %s, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level %s.", ++ dns_rcode_to_string(DNS_PACKET_RCODE(p)), ++ dns_server_feature_level_to_string(t->current_feature_level)); ++ dns_transaction_retry(t, false /* use the same server */); ++ return; ++ } ++ + if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) { + /* This server refused our request? 
If so, try again, use a different server */ + log_debug("Server returned REFUSED, switching servers, and retrying."); diff -Nru systemd-240/debian/patches/resolved-add-comment-to-dns_stream_complete-about-its-err.patch systemd-240/debian/patches/resolved-add-comment-to-dns_stream_complete-about-its-err.patch --- systemd-240/debian/patches/resolved-add-comment-to-dns_stream_complete-about-its-err.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/resolved-add-comment-to-dns_stream_complete-about-its-err.patch 2019-04-10 00:03:48.000000000 +0000 @@ -0,0 +1,24 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 19:44:01 +0100 +Subject: resolved: add comment to dns_stream_complete() about its 'error' + argument + +--- + src/resolve/resolved-dns-stream.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index 45b06eb..3fd056b 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -52,6 +52,10 @@ static int dns_stream_complete(DnsStream *s, int error) { + _cleanup_(dns_stream_unrefp) _unused_ DnsStream *ref = dns_stream_ref(s); /* Protect stream while we process it */ + + assert(s); ++ assert(error >= 0); ++ ++ /* Error is > 0 when the connection failed for some reason in the network stack. It's == 0 if we sent ++ * and receieved exactly one packet each (in the LLMNR client case). */ + + #if ENABLE_DNS_OVER_TLS + if (s->encrypted) { diff -Nru systemd-240/debian/patches/resolved-keep-stub-stream-connections-up-for-as-long-as-c.patch systemd-240/debian/patches/resolved-keep-stub-stream-connections-up-for-as-long-as-c.patch --- systemd-240/debian/patches/resolved-keep-stub-stream-connections-up-for-as-long-as-c.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/resolved-keep-stub-stream-connections-up-for-as-long-as-c.patch 2019-04-10 00:03:48.000000000 +0000 
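Review bot: In the block added to dns_transaction_process_reply(), `key_str` is filled by `dns_resource_key_to_string()` but never used, so the message does not say which lookup was downgraded; either include it, e.g. `log_debug("Server returned %s for %s, retrying with reduced feature level %s.", ...)` with `key_str` as the second argument, or drop the buffer. The condition matches every NXDOMAIN received at EDNS0 level or above, not only captive-portal names, so each negative answer is retried one level lower per round until it falls below EDNS0, and each round logs at warning level; `log_debug` would be more proportionate for an event that an ordinary mistyped name triggers. If the starting level includes the DO bit, the retried answer is presumably no longer DNSSEC-validated, which deserves a sentence in the comment so that operators who enable DNSSEC know negative answers are affected. The enclosing function starts and ends outside the hunk.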
@@ -0,0 +1,196 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 19:44:30 +0100 +Subject: resolved: keep stub stream connections up for as long as client + wants + +This enables pipelining of queries from clients to our stub server. + +Fixes: #11332 +--- + src/resolve/resolved-dns-query.c | 6 ++-- + src/resolve/resolved-dns-stream.c | 8 ++++- + src/resolve/resolved-dns-stream.h | 2 +- + src/resolve/resolved-dns-stub.c | 63 +++++++++++++++++---------------------- + 4 files changed, 38 insertions(+), 41 deletions(-) + +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index 7a4f977..248b06d 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -387,10 +387,8 @@ DnsQuery *dns_query_free(DnsQuery *q) { + + if (q->request_dns_stream) { + /* Detach the stream from our query, in case something else keeps a reference to it. */ +- q->request_dns_stream->complete = NULL; +- q->request_dns_stream->on_packet = NULL; +- q->request_dns_stream->query = NULL; +- dns_stream_unref(q->request_dns_stream); ++ (void) set_remove(q->request_dns_stream->queries, q); ++ q->request_dns_stream = dns_stream_unref(q->request_dns_stream); + } + + free(q->request_address_string); +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index 3fd056b..cb7b186 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -11,6 +11,8 @@ + #define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC) + #define DNS_STREAMS_MAX 128 + ++#define DNS_QUERIES_PER_STREAM 32 ++ + static void dns_stream_stop(DnsStream *s) { + assert(s); + +@@ -36,7 +38,11 @@ static int dns_stream_update_io(DnsStream *s) { + s->n_written = 0; + f |= EPOLLOUT; + } +- if (!s->read_packet || s->n_read < sizeof(s->read_size) + s->read_packet->size) ++ ++ /* Let's read a packet if we haven't queued any yet. Except if we already hit a limit of parallel ++ * queries for this connection. 
*/ ++ if ((!s->read_packet || s->n_read < sizeof(s->read_size) + s->read_packet->size) && ++ set_size(s->queries) < DNS_QUERIES_PER_STREAM) + f |= EPOLLIN; + + #if ENABLE_DNS_OVER_TLS +diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h +index 2c6d9c0..780051b 100644 +--- a/src/resolve/resolved-dns-stream.h ++++ b/src/resolve/resolved-dns-stream.h +@@ -68,7 +68,7 @@ struct DnsStream { + + LIST_HEAD(DnsTransaction, transactions); /* when used by the transaction logic */ + DnsServer *server; /* when used by the transaction logic */ +- DnsQuery *query; /* when used by the DNS stub logic */ ++ Set *queries; /* when used by the DNS stub logic */ + + /* used when DNS-over-TLS is enabled */ + bool encrypted:1; +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index 39ce42d..906bdc4 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -126,14 +126,6 @@ static int dns_stub_finish_reply_packet( + return 0; + } + +-static void dns_stub_detach_stream(DnsStream *s) { +- assert(s); +- +- s->complete = NULL; +- s->on_packet = NULL; +- s->query = NULL; +-} +- + static int dns_stub_send(Manager *m, DnsStream *s, DnsPacket *p, DnsPacket *reply) { + int r; + +@@ -257,27 +249,27 @@ static void dns_stub_query_complete(DnsQuery *q) { + assert_not_reached("Impossible state"); + } + +- /* If there's a packet to write set, let's leave the stream around */ +- if (q->request_dns_stream && DNS_STREAM_QUEUED(q->request_dns_stream)) { +- +- /* Detach the stream from our query (make it an orphan), but do not drop the reference to it. The +- * default completion action of the stream will drop the reference. 
*/ +- +- dns_stub_detach_stream(q->request_dns_stream); +- q->request_dns_stream = NULL; +- } +- + dns_query_free(q); + } + + static int dns_stub_stream_complete(DnsStream *s, int error) { + assert(s); + +- log_debug_errno(error, "DNS TCP connection terminated, destroying query: %m"); ++ log_debug_errno(error, "DNS TCP connection terminated, destroying queries: %m"); ++ ++ for (;;) { ++ DnsQuery *q; ++ ++ q = set_first(s->queries); ++ if (!q) ++ break; + +- assert(s->query); +- dns_query_free(s->query); ++ dns_query_free(q); ++ } + ++ /* This drops the implicit ref we keep around since it was allocated, as incoming stub connections ++ * should be kept as long as the client wants to. */ ++ dns_stream_unref(s); + return 0; + } + +@@ -289,8 +281,6 @@ static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) { + assert(p); + assert(p->protocol == DNS_PROTOCOL_DNS); + +- /* Takes ownership of the *s stream object */ +- + if (in_addr_is_localhost(p->family, &p->sender) <= 0 || + in_addr_is_localhost(p->family, &p->destination) <= 0) { + log_error("Got packet on unexpected IP range, refusing."); +@@ -351,9 +341,19 @@ static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) { + q->complete = dns_stub_query_complete; + + if (s) { +- s->on_packet = NULL; +- s->complete = dns_stub_stream_complete; +- s->query = q; ++ /* Remember which queries belong to this stream, so that we can cancel them when the stream ++ * is disconnected early */ ++ ++ r = set_ensure_allocated(&s->queries, &trivial_hash_ops); ++ if (r < 0) { ++ log_oom(); ++ goto fail; ++ } ++ ++ if (set_put(s->queries, q) < 0) { ++ log_oom(); ++ goto fail; ++ } + } + + r = dns_query_go(q); +@@ -367,9 +367,6 @@ static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) { + return; + + fail: +- if (s && DNS_STREAM_QUEUED(s)) +- dns_stub_detach_stream(s); +- + dns_query_free(q); + } + +@@ -451,10 +448,6 @@ static int on_dns_stub_stream_packet(DnsStream *s) { + } else + 
log_debug("Invalid DNS stub TCP packet, ignoring."); + +- /* Drop the reference to the stream. Either a query was created and added its own reference to the stream now, +- * or that didn't happen in which case we want to free the stream */ +- dns_stream_unref(s); +- + return 0; + } + +@@ -478,9 +471,9 @@ static int on_dns_stub_stream(sd_event_source *s, int fd, uint32_t revents, void + } + + stream->on_packet = on_dns_stub_stream_packet; ++ stream->complete = dns_stub_stream_complete; + +- /* We let the reference to the stream dangling here, it will either be dropped by the default "complete" action +- * of the stream, or by our packet callback, or when the manager is shut down. */ ++ /* We let the reference to the stream dangle here, it will be dropped later by the complete callback. */ + + return 0; + } diff -Nru systemd-240/debian/patches/resolved-only-call-complete-with-zero-argument-in-LLMNR-c.patch systemd-240/debian/patches/resolved-only-call-complete-with-zero-argument-in-LLMNR-c.patch --- systemd-240/debian/patches/resolved-only-call-complete-with-zero-argument-in-LLMNR-c.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/resolved-only-call-complete-with-zero-argument-in-LLMNR-c.patch 2019-04-10 00:03:48.000000000 +0000 
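Review bot: The `for (;;)` loop in dns_stub_stream_complete() terminates only because dns_query_free() removes the query from `s->queries`, and the dns_query_free() hunk does that only inside `if (q->request_dns_stream)`; a query that is in the set without that pointer set would be returned by `set_first()` on every iteration. Taking the entry out of the set in the loop itself removes the dependency: `while ((q = set_steal_first(s->queries))) dns_query_free(q);`. Separately, `s->queries` is allocated with `set_ensure_allocated()` in dns_stub_process_query(), but none of the hunks in this patch releases the Set when the stream is freed; unless that happens in code outside this patch, each stub TCP connection that carried a query leaves the allocation behind. The functions touched here start or end outside their hunks.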
@@ -0,0 +1,31 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 19:32:32 +0100 +Subject: resolved: only call complete() with zero argument in LLMNR client + cases + +In all other cases (i.e. classic DNS connection towards an upstream +server, or incoming stub connection, or incoming LMMNR connection) we +want long-running connections, hence keep the connection open for good. +Only in the LLMNR client case let's close the stream as soon as we are +done. +--- + src/resolve/resolved-dns-stream.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index ecc7e9f..45b06eb 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -425,7 +425,11 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use + } + } + +- if ((s->write_packet && s->n_written >= sizeof(s->write_size) + s->write_packet->size) && ++ /* Call "complete" callback if finished reading and writing one packet, and there's nothing else left ++ * to write. */ ++ if (s->type == DNS_STREAM_LLMNR_SEND && ++ (s->write_packet && s->n_written >= sizeof(s->write_size) + s->write_packet->size) && ++ ordered_set_isempty(s->write_queue) && + (s->read_packet && s->n_read >= sizeof(s->read_size) + s->read_packet->size)) + return dns_stream_complete(s, 0); + diff -Nru systemd-240/debian/patches/resolved-restart-stream-timeout-whenever-we-managed-to-re.patch systemd-240/debian/patches/resolved-restart-stream-timeout-whenever-we-managed-to-re.patch --- systemd-240/debian/patches/resolved-restart-stream-timeout-whenever-we-managed-to-re.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/resolved-restart-stream-timeout-whenever-we-managed-to-re.patch 2019-04-10 00:03:48.000000000 +0000 
@@ -0,0 +1,64 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 19:29:51 +0100 +Subject: resolved: restart stream timeout whenever we managed to read or + write something + +Previously we'd start the timeout once when we allocated the stream. +However, we'd now like to emphasize long-running connections hence let's +rework the timeout logic, and restart it whenever we see action ont the +stream. Thus, idle streams are eventually closed down, but those where +we read or write from are not. +--- + src/resolve/resolved-dns-stream.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index ebafaa5..ecc7e9f 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -281,6 +281,7 @@ static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) { + + static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *userdata) { + _cleanup_(dns_stream_unrefp) DnsStream *s = dns_stream_ref(userdata); /* Protect stream while we process it */ ++ bool progressed = false; + int r; + + assert(s); +@@ -324,8 +325,10 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use + if (ss < 0) { + if (!IN_SET(-ss, EINTR, EAGAIN)) + return dns_stream_complete(s, -ss); +- } else ++ } else { ++ progressed = true; + s->n_written += ss; ++ } + + /* Are we done? 
If so, disable the event source for EPOLLOUT */ + if (s->n_written >= sizeof(s->write_size) + s->write_packet->size) { +@@ -348,8 +351,10 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use + return dns_stream_complete(s, -ss); + } else if (ss == 0) + return dns_stream_complete(s, ECONNRESET); +- else ++ else { ++ progressed = true; + s->n_read += ss; ++ } + } + + if (s->n_read >= sizeof(s->read_size)) { +@@ -424,6 +429,13 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use + (s->read_packet && s->n_read >= sizeof(s->read_size) + s->read_packet->size)) + return dns_stream_complete(s, 0); + ++ /* If we did something, let's restart the timeout event source */ ++ if (progressed && s->timeout_event_source) { ++ r = sd_event_source_set_time(s->timeout_event_source, now(clock_boottime_or_monotonic()) + DNS_STREAM_TIMEOUT_USEC); ++ if (r < 0) ++ log_warning_errno(errno, "Couldn't restart TCP connection timeout, ignoring: %m"); ++ } ++ + return 0; + } + diff -Nru systemd-240/debian/patches/series systemd-240/debian/patches/series --- systemd-240/debian/patches/series 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/patches/series 2019-04-10 00:03:48.000000000 +0000 @@ -45,6 +45,12 @@ udev-check-whether-systemd-is-running-and-do-not-use-cg_k.patch sd-bus-if-we-receive-an-invalid-dbus-message-ignore-and-p.patch sd-bus-enforce-a-size-limit-on-D-Bus-object-paths.patch +networkd-honour-LinkLocalAddressing.patch +Move-link_check_ready-to-later-in-the-file.patch +Install-routes-after-addresses-are-ready.patch +tests-Add-test-for-IPv6-source-routing.patch +pam-systemd-use-secure_getenv-rather-than-getenv.patch +core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch debian/Use-Debian-specific-config-files.patch debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch debian/Make-run-lock-tmpfs-an-API-fs.patch 
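Review bot: The timeout-restart block added at the end of on_stream_io() logs the failure of sd_event_source_set_time() with `errno`, but the error is returned in `r`. sd-event calls report failure through a negative return value, so `errno` may hold a stale or unrelated code and the warning would mislead anyone diagnosing why idle-timeout handling stopped working. Use `log_warning_errno(r, "Couldn't restart TCP connection timeout, ignoring: %m");`. Only parts of on_stream_io() are visible in these hunks.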
@@ -62,3 +68,35 @@ debian/Add-env-variable-for-machine-ID-path.patch debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch debian/Drop-seccomp-system-call-filter-for-udev.patch +debian/Skip-starting-systemd-remount-fs.service-in-containers.patch +debian/Ubuntu-UseDomains-by-default.patch +debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch +debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch +debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch +debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch +debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch +debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch +debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch +debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch +debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch +debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch +debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch +debian/UBUNTU-Support-system-image-read-only-etc.patch +debian/UBUNTU-bump-selftest-timeouts.patch +debian/UBUNTU-units-disable-journald-watchdog.patch +debian/UBUNTU-core-set-run-size-to-10-like-initramfs-tools-does.patch +resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch +test-test-functions-on-PP64-use-vmlinux.patch +test-test-functions-on-PPC64-use-hvc0-console.patch +Revert-namespace-be-more-careful-when-handling-namespacin.patch +stream-follow-coding-style-don-t-use-degrade-to-bool-for-.patch +stream-track-type-of-DnsStream-object.patch +transaction-simplify-handling-if-we-get-an-unexpected-DNS.patch +llmnr-add-comment-why-we-install-no-complete-handler-on-s.patch +resolved-restart-stream-timeout-whenever-we-managed-to-re.patch +resolved-only-call-complete-with-zero-argument-in-LLMNR-c.patch +resolved-add-comment-to-dns_stream_complete-about-its-err.patch 
+resolved-keep-stub-stream-connections-up-for-as-long-as-c.patch +network-remove-routing-policy-rule-from-foreign-rule.patch +network-do-not-remove-rule-when-it-is-requested-by-e.patch +virt-detect-WSL-environment-as-a-container-id-wsl.patch diff -Nru systemd-240/debian/patches/stream-follow-coding-style-don-t-use-degrade-to-bool-for-.patch systemd-240/debian/patches/stream-follow-coding-style-don-t-use-degrade-to-bool-for-.patch --- systemd-240/debian/patches/stream-follow-coding-style-don-t-use-degrade-to-bool-for-.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/stream-follow-coding-style-don-t-use-degrade-to-bool-for-.patch 2019-04-10 00:03:47.000000000 +0000 @@ -0,0 +1,22 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 17:56:34 +0100 +Subject: stream: follow coding style, + don't use degrade-to-bool for checking numeric value + +--- + src/resolve/resolved-dns-stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index aee339a..e29c970 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -41,7 +41,7 @@ static int dns_stream_update_io(DnsStream *s) { + + #if ENABLE_DNS_OVER_TLS + /* For handshake and clean closing purposes, TLS can override requested events */ +- if (s->dnstls_events) ++ if (s->dnstls_events != 0) + f = s->dnstls_events; + #endif + diff -Nru systemd-240/debian/patches/stream-track-type-of-DnsStream-object.patch systemd-240/debian/patches/stream-track-type-of-DnsStream-object.patch --- systemd-240/debian/patches/stream-track-type-of-DnsStream-object.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/stream-track-type-of-DnsStream-object.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,180 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 17:57:43 +0100 +Subject: stream: track type of DnsStream object + +We use stream objects in four different cases: let's track them. + +This in particular allows us to make sure the limit on outgoing streams +cannot be exhausted by having incoming streams as this means we can +neatly separate the counters for all four types. +--- + src/resolve/resolved-dns-stream.c | 11 ++++++++--- + src/resolve/resolved-dns-stream.h | 12 +++++++++++- + src/resolve/resolved-dns-stub.c | 2 +- + src/resolve/resolved-dns-transaction.c | 7 +++++-- + src/resolve/resolved-llmnr.c | 2 +- + src/resolve/resolved-manager.h | 2 +- + 6 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index e29c970..ebafaa5 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -437,7 +437,7 @@ static DnsStream *dns_stream_free(DnsStream *s) { + + if (s->manager) { + LIST_REMOVE(streams, s->manager->dns_streams, s); +- s->manager->n_dns_streams--; ++ s->manager->n_dns_streams[s->type]--; + } + + #if ENABLE_DNS_OVER_TLS +@@ -462,6 +462,7 @@ DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsStream, dns_stream, dns_stream_free); + int dns_stream_new( + Manager *m, + DnsStream **ret, ++ DnsStreamType type, + DnsProtocol protocol, + int fd, + const union sockaddr_union *tfo_address) { +@@ -471,9 +472,13 @@ int dns_stream_new( + + assert(m); + assert(ret); ++ assert(type >= 0); ++ assert(type < _DNS_STREAM_TYPE_MAX); ++ assert(protocol >= 0); ++ assert(protocol < _DNS_PROTOCOL_MAX); + assert(fd >= 0); + +- if (m->n_dns_streams > DNS_STREAMS_MAX) ++ if (m->n_dns_streams[type] > DNS_STREAMS_MAX) + return -EBUSY; + + s = new(DnsStream, 1); +@@ -508,7 +513,7 @@ int dns_stream_new( + (void) sd_event_source_set_description(s->timeout_event_source, "dns-stream-timeout"); + + LIST_PREPEND(streams, m->dns_streams, s); +- m->n_dns_streams++; ++ 
m->n_dns_streams[type]++; + s->manager = m; + + s->fd = fd; +diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h +index f18fc91..2c6d9c0 100644 +--- a/src/resolve/resolved-dns-stream.h ++++ b/src/resolve/resolved-dns-stream.h +@@ -5,6 +5,15 @@ + + typedef struct DnsStream DnsStream; + ++typedef enum DnsStreamType { ++ DNS_STREAM_LOOKUP, /* Outgoing connection to a classic DNS server */ ++ DNS_STREAM_LLMNR_SEND, /* Outgoing LLMNR TCP lookup */ ++ DNS_STREAM_LLMNR_RECV, /* Incoming LLMNR TCP lookup */ ++ DNS_STREAM_STUB, /* Incoming DNS stub connection */ ++ _DNS_STREAM_TYPE_MAX, ++ _DNS_STREAM_TYPE_INVALID = -1, ++} DnsStreamType; ++ + #include "resolved-dns-packet.h" + #include "resolved-dns-transaction.h" + #include "resolved-manager.h" +@@ -25,6 +34,7 @@ struct DnsStream { + Manager *manager; + unsigned n_ref; + ++ DnsStreamType type; + DnsProtocol protocol; + + int fd; +@@ -66,7 +76,7 @@ struct DnsStream { + LIST_FIELDS(DnsStream, streams); + }; + +-int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address); ++int dns_stream_new(Manager *m, DnsStream **s, DnsStreamType type, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address); + #if ENABLE_DNS_OVER_TLS + int dns_stream_connect_tls(DnsStream *s, void *tls_session); + #endif +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index a00716c..39ce42d 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -471,7 +471,7 @@ static int on_dns_stub_stream(sd_event_source *s, int fd, uint32_t revents, void + return -errno; + } + +- r = dns_stream_new(m, &stream, DNS_PROTOCOL_DNS, cfd, NULL); ++ r = dns_stream_new(m, &stream, DNS_STREAM_STUB, DNS_PROTOCOL_DNS, cfd, NULL); + if (r < 0) { + safe_close(cfd); + return r; +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index d252347..e71cc12 100644 +--- 
a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -554,9 +554,10 @@ static uint16_t dns_port_for_feature_level(DnsServerFeatureLevel level) { + } + + static int dns_transaction_emit_tcp(DnsTransaction *t) { +- _cleanup_close_ int fd = -1; + _cleanup_(dns_stream_unrefp) DnsStream *s = NULL; ++ _cleanup_close_ int fd = -1; + union sockaddr_union sa; ++ DnsStreamType type; + int r; + + assert(t); +@@ -582,6 +583,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { + else + fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_port_for_feature_level(t->current_feature_level), &sa); + ++ type = DNS_STREAM_LOOKUP; + break; + + case DNS_PROTOCOL_LLMNR: +@@ -607,6 +609,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { + fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa); + } + ++ type = DNS_STREAM_LLMNR_SEND; + break; + + default: +@@ -617,7 +620,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { + if (fd < 0) + return fd; + +- r = dns_stream_new(t->scope->manager, &s, t->scope->protocol, fd, &sa); ++ r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa); + if (r < 0) + return r; + +diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c +index dfa55c5..d73f865 100644 +--- a/src/resolve/resolved-llmnr.c ++++ b/src/resolve/resolved-llmnr.c +@@ -295,7 +295,7 @@ static int on_llmnr_stream(sd_event_source *s, int fd, uint32_t revents, void *u + return -errno; + } + +- r = dns_stream_new(m, &stream, DNS_PROTOCOL_LLMNR, cfd, NULL); ++ r = dns_stream_new(m, &stream, DNS_STREAM_LLMNR_RECV, DNS_PROTOCOL_LLMNR, cfd, NULL); + if (r < 0) { + safe_close(cfd); + return r; +diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h +index 06c76f6..72171f8 100644 +--- a/src/resolve/resolved-manager.h ++++ b/src/resolve/resolved-manager.h +@@ -54,7 +54,7 @@ struct Manager { + unsigned n_dns_queries; + + 
LIST_HEAD(DnsStream, dns_streams); +- unsigned n_dns_streams; ++ unsigned n_dns_streams[_DNS_STREAM_TYPE_MAX]; + + /* Unicast dns */ + LIST_HEAD(DnsServer, dns_servers); diff -Nru systemd-240/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch systemd-240/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch --- systemd-240/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch 2019-04-10 00:05:15.000000000 +0000 @@ -0,0 +1,33 @@ +From: Dimitri John Ledkov +Date: Mon, 19 Feb 2018 20:47:41 +0000 +Subject: test/test-functions: on PP64 use vmlinux + +At least on Ubuntu, ppc64el uses vmlinux-, not vmlinuz. With this, it should be +possible to run qemu tests on ppc64el as part of Ubuntu autopkgtests. + +(cherry picked from commit a2ab2bdd5fcbd15c1f9daf4eb34c4dfb56c12e30) +--- + test/test-functions | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +Index: systemd-240/test/test-functions +=================================================================== +--- systemd-240.orig/test/test-functions ++++ systemd-240/test/test-functions +@@ -100,7 +100,15 @@ run_qemu() { + if [[ "$LOOKS_LIKE_ARCH" ]]; then + KERNEL_BIN=/boot/vmlinuz-linux + else +- KERNEL_BIN=/boot/vmlinuz-$KERNEL_VER ++ [ "$ARCH" ] || ARCH=$(uname -m) ++ case $ARCH in ++ ppc64*) ++ KERNEL_BIN=/boot/vmlinux-$KERNEL_VER ++ ;; ++ *) ++ KERNEL_BIN=/boot/vmlinuz-$KERNEL_VER ++ ;; ++ esac + fi + fi + diff -Nru systemd-240/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch systemd-240/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch --- systemd-240/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch 2019-04-10 00:05:15.000000000 +0000 
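Review bot: dns_stream_new() returns -EBUSY only when `m->n_dns_streams[type] > DNS_STREAMS_MAX`, so each stream type admits one stream more than the limit. With four separate counters, the total number of open streams is now bounded by roughly four times the previous cap. If DNS_STREAMS_MAX is meant as a hard per-type cap, use `if (m->n_dns_streams[type] >= DNS_STREAMS_MAX)`. The operator is carried over from the old code, so this is pre-existing behaviour. A comment at the check such as `/* Limit applies per stream type, so incoming streams cannot starve outgoing lookups */` would make the new accounting explicit.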
@@ -0,0 +1,39 @@ +From: Dimitri John Ledkov +Date: Tue, 20 Feb 2018 12:01:40 +0000 +Subject: test/test-functions: on PPC64 use hvc0 console + +(cherry picked from commit 47709db0687f27c4a1de0826f2330ae147db6e01) +--- + test/test-functions | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +Index: systemd-240/test/test-functions +=================================================================== +--- systemd-240.orig/test/test-functions ++++ systemd-240/test/test-functions +@@ -96,6 +96,8 @@ run_qemu() { + && KERNEL_BIN="$EFI_MOUNT/$MACHINE_ID/$KERNEL_VER/linux" + fi + ++ CONSOLE=ttyS0 ++ + if [[ ! "$KERNEL_BIN" ]]; then + if [[ "$LOOKS_LIKE_ARCH" ]]; then + KERNEL_BIN=/boot/vmlinuz-linux +@@ -104,6 +106,7 @@ run_qemu() { + case $ARCH in + ppc64*) + KERNEL_BIN=/boot/vmlinux-$KERNEL_VER ++ CONSOLE=hvc0 + ;; + *) + KERNEL_BIN=/boot/vmlinuz-$KERNEL_VER +@@ -155,7 +158,7 @@ root=/dev/sda1 \ + raid=noautodetect \ + loglevel=2 \ + init=$PATH_TO_INIT \ +-console=ttyS0 \ ++console=$CONSOLE \ + selinux=0 \ + printk.devkmsg=on \ + $_cgroup_args \ diff -Nru systemd-240/debian/patches/tests-Add-test-for-IPv6-source-routing.patch systemd-240/debian/patches/tests-Add-test-for-IPv6-source-routing.patch --- systemd-240/debian/patches/tests-Add-test-for-IPv6-source-routing.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/tests-Add-test-for-IPv6-source-routing.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,73 @@ +From: Daniel Axtens +Date: Tue, 15 Jan 2019 01:15:15 +1100 +Subject: tests: Add test for IPv6 source routing + +The test is a bit messy because it must be done on a device that +enforces a tentative state for IPv6 addresses, and it appears +that the dummy device does not. So we use a bond instead. + +Signed-off-by: Daniel Axtens +(cherry picked from commit 20ca06a6692089c94d25f7a2eea0a65ce71970a8) +--- + test/test-network/conf/25-route-ipv6-src.network | 16 ++++++++++++++++ + test/test-network/systemd-networkd-tests.py | 17 +++++++++++++++++ + 2 files changed, 33 insertions(+) + create mode 100644 test/test-network/conf/25-route-ipv6-src.network + +diff --git a/test/test-network/conf/25-route-ipv6-src.network b/test/test-network/conf/25-route-ipv6-src.network +new file mode 100644 +index 0000000..4e551c0 +--- /dev/null ++++ b/test/test-network/conf/25-route-ipv6-src.network +@@ -0,0 +1,16 @@ ++# This test cannot use a dummy interface: IPv6 addresses ++# are added without having to go through tentative state ++ ++[Match] ++Name=bond199 ++ ++[Network] ++LinkLocalAddressing=ipv6 ++Address=2001:1234:56:8f63::1/64 ++Address=2001:1234:56:8f63::2/64 ++IPv6AcceptRA=no ++ ++[Route] ++Destination=abcd::/16 ++Gateway=2001:1234:56:8f63::1:1 ++PreferredSource=2001:1234:56:8f63::2 +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 19572be..49592b8 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -539,6 +539,7 @@ class NetworkdNetWorkTests(unittest.TestCase, Utilities): + '25-link-section-unmanaged.network', + '25-route-gateway.network', + '25-route-gateway-on-link.network', ++ '25-route-ipv6-src.network', + '25-route-reverse-order.network', + '25-route-section.network', + '25-route-tcp-window-settings.network', +@@ -756,6 +757,22 @@ class NetworkdNetWorkTests(unittest.TestCase, Utilities): + self.assertRegex(output, 'scope') + 
self.assertRegex(output, 'link') + ++ def test_ip_route_ipv6_src_route(self): ++ # a dummy device does not make the addresses go through tentative state, so we ++ # reuse a bond from an earlier test, which does make the addresses go through ++ # tentative state, and do our test on that ++ self.copy_unit_to_networkd_unit_path('23-active-slave.network', '25-route-ipv6-src.network', '25-bond-active-backup-slave.netdev', '12-dummy.netdev') ++ self.start_networkd() ++ ++ self.assertTrue(self.link_exits('dummy98')) ++ self.assertTrue(self.link_exits('bond199')) ++ ++ output = subprocess.check_output(['ip', '-6', 'route', 'list', 'dev', 'bond199']).rstrip().decode('utf-8') ++ print(output) ++ self.assertRegex(output, 'abcd::/16') ++ self.assertRegex(output, 'src') ++ self.assertRegex(output, '2001:1234:56:8f63::2') ++ + def test_ip_link_mac_address(self): + self.copy_unit_to_networkd_unit_path('25-address-link-section.network', '12-dummy.netdev') + self.start_networkd() diff -Nru systemd-240/debian/patches/transaction-simplify-handling-if-we-get-an-unexpected-DNS.patch systemd-240/debian/patches/transaction-simplify-handling-if-we-get-an-unexpected-DNS.patch --- systemd-240/debian/patches/transaction-simplify-handling-if-we-get-an-unexpected-DNS.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/transaction-simplify-handling-if-we-get-an-unexpected-DNS.patch 2019-04-10 00:03:47.000000000 +0000 
@@ -0,0 +1,40 @@ +From: Lennart Poettering +Date: Mon, 21 Jan 2019 18:34:00 +0100 +Subject: transaction: simplify handling if we get an unexpected DNS packet + via TCP + +There's no point in calling on_stream_complete() as it doesn't do +anything with the zero argument. Let's hence simplify this and just log. +--- + src/resolve/resolved-dns-transaction.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index e71cc12..738dd30 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -540,12 +540,8 @@ static int on_stream_packet(DnsStream *s) { + if (t) + return dns_transaction_on_stream_packet(t, p); + +- /* Ignore incorrect transaction id as transaction can have been canceled */ +- if (dns_packet_validate_reply(p) <= 0) { +- log_debug("Invalid TCP reply packet."); +- on_stream_complete(s, 0); +- } +- ++ /* Ignore incorrect transaction id as an old transaction can have been canceled. */ ++ log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", t->id); + return 0; + } + +@@ -639,8 +635,8 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { + + if (t->server) { + dns_server_unref_stream(t->server); +- t->server->stream = dns_stream_ref(s); + s->server = dns_server_ref(t->server); ++ t->server->stream = dns_stream_ref(s); + } + + s->complete = on_stream_complete; diff -Nru systemd-240/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch systemd-240/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch --- systemd-240/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch 2019-04-10 00:03:48.000000000 +0000 
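Review bot: The new log_debug() in on_stream_packet() reads `t->id`, but it is reached only after `if (t) return dns_transaction_on_stream_packet(t, p);`, so `t` is NULL at that point. A TCP reply that matches no pending transaction would therefore dereference a null pointer and crash the resolver instead of being ignored. Take the id from the packet instead: `log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));`. The start of on_stream_packet() is outside the hunk, so how `t` is looked up is inferred from the `if (t)` guard.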
@@ -0,0 +1,116 @@ +From: Balint Reczey +Date: Wed, 6 Mar 2019 18:46:04 +0100 +Subject: virt: detect WSL environment as a container (id: wsl) + +--- + man/systemd-detect-virt.xml | 13 ++++++++++++- + man/systemd.unit.xml | 3 ++- + src/basic/virt.c | 12 ++++++++++++ + src/basic/virt.h | 1 + + 4 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml +index c4763fd..9e37fd1 100644 +--- a/man/systemd-detect-virt.xml ++++ b/man/systemd-detect-virt.xml +@@ -126,7 +126,7 @@ + + + +- Container ++ Container + openvz + OpenVZ/Virtuozzo + +@@ -155,6 +155,11 @@ + rkt + rkt app container runtime + ++ ++ ++ wsl ++ Windows Subsystem for Linux ++ + + + +@@ -164,6 +169,12 @@ + machine and container virtualization are used in + conjunction, only the latter will be identified (unless + is passed). ++ Windows Subsystem for Linux is not a Linux container, ++ but an environment for running Linux userspace applications on ++ top of the Windows kernel using a Linux-compatible interface. ++ WSL is categorized as a container for practical purposes. ++ Multiple WSL environments share the same kernel and services ++ should generally behave like when being run in a container. + + + +diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml +index 7e1b3cb..6c86eba 100644 +--- a/man/systemd.unit.xml ++++ b/man/systemd.unit.xml +@@ -1093,7 +1093,8 @@ + lxc-libvirt, + systemd-nspawn, + docker, +- rkt to test ++ rkt, ++ wsl to test + against a specific implementation, or + private-users to check whether we are running in a user namespace. 
See + systemd-detect-virt1 +diff --git a/src/basic/virt.c b/src/basic/virt.c +index f63f15f..9e12069 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -436,10 +436,12 @@ int detect_container(void) { + { "systemd-nspawn", VIRTUALIZATION_SYSTEMD_NSPAWN }, + { "docker", VIRTUALIZATION_DOCKER }, + { "rkt", VIRTUALIZATION_RKT }, ++ { "wsl", VIRTUALIZATION_WSL }, + }; + + static thread_local int cached_found = _VIRTUALIZATION_INVALID; + _cleanup_free_ char *m = NULL; ++ _cleanup_free_ char *o = NULL; + const char *e = NULL; + unsigned j; + int r; +@@ -454,6 +456,15 @@ int detect_container(void) { + goto finish; + } + ++ /* "Official" way of detecting WSL https://github.com/Microsoft/WSL/issues/423#issuecomment-221627364 */ ++ r = read_one_line_file("/proc/sys/kernel/osrelease", &o); ++ if (r >= 0) { ++ if (strstr(o, "Microsoft") || strstr(o, "WSL")) { ++ r = VIRTUALIZATION_WSL; ++ goto finish; ++ } ++ } ++ + if (getpid_cached() == 1) { + /* If we are PID 1 we can just check our own environment variable, and that's authoritative. */ + +@@ -636,6 +647,7 @@ static const char *const virtualization_table[_VIRTUALIZATION_MAX] = { + [VIRTUALIZATION_OPENVZ] = "openvz", + [VIRTUALIZATION_DOCKER] = "docker", + [VIRTUALIZATION_RKT] = "rkt", ++ [VIRTUALIZATION_WSL] = "wsl", + [VIRTUALIZATION_CONTAINER_OTHER] = "container-other", + }; + +diff --git a/src/basic/virt.h b/src/basic/virt.h +index c4cf4bf..a603fd4 100644 +--- a/src/basic/virt.h ++++ b/src/basic/virt.h +@@ -31,6 +31,7 @@ enum { + VIRTUALIZATION_OPENVZ, + VIRTUALIZATION_DOCKER, + VIRTUALIZATION_RKT, ++ VIRTUALIZATION_WSL, + VIRTUALIZATION_CONTAINER_OTHER, + VIRTUALIZATION_CONTAINER_LAST = VIRTUALIZATION_CONTAINER_OTHER, + diff -Nru systemd-240/debian/rules systemd-240/debian/rules --- systemd-240/debian/rules 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/rules 2019-04-09 23:55:45.000000000 +0000 
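Review bot: The WSL check added to detect_container() runs before the PID 1 environment check that the existing comment calls authoritative, and it matches the substrings "Microsoft" or "WSL" anywhere in /proc/sys/kernel/osrelease. A container started under WSL would then presumably be reported as `wsl` rather than its own type, and any kernel whose release string contains either substring is classified as a container, which changes which `ConditionVirtualization=` units are started or skipped. Consider moving the check after the existing container detection, or at least state the precedence in a comment such as `/* Checked first on purpose: on WSL the osrelease string takes precedence over $container */`. The rest of detect_container() is outside the hunk.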
@@ -208,7 +208,6 @@ rm -f debian/install/*/usr/share/doc/systemd/LICENSE.* rm -f debian/install/*/var/log/README rm -f debian/install/*/etc/init.d/README - rm -f debian/install/*/usr/lib/sysctl.d/50-default.conf rm -f debian/install/*/etc/X11/xinit/xinitrc.d/50-systemd-user.sh rmdir -p --ignore-fail-on-non-empty debian/install/*/etc/X11/xinit/xinitrc.d/ rm -f debian/install/*/lib/systemd/system/halt-local.service @@ -264,13 +263,15 @@ install --mode=644 debian/extra/rules-ubuntu/*.rules debian/udev/lib/udev/rules.d/ cp -a debian/extra/units-ubuntu/* debian/systemd/lib/systemd/system/ install --mode=755 debian/extra/set-cpufreq debian/systemd/lib/systemd/ + install -D --mode=755 debian/extra/dhclient-enter-resolved-hook debian/systemd/etc/dhcp/dhclient-enter-hooks.d/resolved endif override_dh_missing: dh_missing --sourcedir debian/install/deb $(DH_MISSING) override_dh_installinit: - dh_installinit --no-start + dh_installinit --no-scripts -psystemd + dh_installinit --no-start -Nsystemd PROJECT_VERSION ?= $(shell awk '/(PROJECT|PACKAGE)_VERSION/ {print $$3}' build-deb/config.h | tr -d \") diff -Nru systemd-240/debian/systemd.postinst systemd-240/debian/systemd.postinst --- systemd-240/debian/systemd.postinst 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/systemd.postinst 2019-04-09 23:55:45.000000000 +0000 
@@ -39,6 +39,32 @@ systemctl enable systemd-timesyncd.service || true fi +# Enable resolved by default on new installs installs and upgrades +if dpkg --compare-versions "$2" lt "234-1ubuntu2~"; then + systemctl enable systemd-resolved.service || true +fi + +# Drop stock /etc/rc.local on upgrades +if dpkg --compare-versions "$2" lt "234-2ubuntu11~"; then + if [ -f /etc/rc.local ]; then + if [ "10fd9f051accb6fd1f753f2d48371890" = "$(md5sum /etc/rc.local | cut -d\ -f1)" ]; then + echo Removing empty /etc/rc.local + rm -f /etc/rc.local || true + fi + fi +fi + +# Use stub resolve.conf by default on new installs +if [ -z "$2" ]; then + mkdir -p /run/systemd/resolve + if [ -e /etc/resolv.conf ]; then + cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf + fi + # If /etc/resolv.conf is a bind-mount, moving or replacing + # /etc/resolv.conf may fail + ln -snf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || true +fi + # Enable ondemand by default on new installs installs and upgrades if [ -e /lib/systemd/system/ondemand.service ] && dpkg --compare-versions "$2" lt "231-7~"; then systemctl enable ondemand.service || true @@ -96,6 +122,15 @@ # Setup system users and groups addgroup --quiet --system systemd-journal +# Enable persistent journal, in auto-mode, by default on new installs installs and upgrades +if dpkg --compare-versions "$2" lt "235-3ubuntu3~"; then + mkdir -p /var/log/journal + # create tmpfiles only when running systemd, otherwise %b substitution fails + if [ -d /run/systemd/system ]; then + systemd-tmpfiles --create --prefix /var/log/journal + fi +fi + # We need to stop running services before we call adduser RESTART="" if dpkg --compare-versions "$2" lt-nl "239-6"; then 
@@ -125,7 +160,15 @@ # Initial update of the Message Catalogs database _update_catalog -if [ -n "$2" ]; then +# Disable networkd when upgrading from broken versions 8..10. Turns out +# enabling networkd unconditionally has long boot time side-effects +if dpkg --compare-versions "$2" gt "234-2ubuntu8~" && + dpkg --compare-versions "$2" lt "234-2ubuntu11~"; then + systemctl disable systemd-networkd-wait-online.service || true +fi + +# skip daemon-reexec and try-restarts during shutdown to avoid hitting LP: #1803391 +if [ -n "$2" ] && [ "$(systemctl is-system-running)" != "stopping" ]; then _systemctl daemon-reexec || true # don't restart logind; this can be done again once this gets implemented: # https://github.com/systemd/systemd/issues/1163 @@ -170,4 +213,10 @@ fi fi +# Process all tmpfiles that we ship, including any overrides in +# runtime-dir/sysadmin-dir/other packages (e.g. rsyslog) +# +# Ignore if this fails, because e.g. %b will fail on WSL +systemd-tmpfiles --create || : + #DEBHELPER# diff -Nru systemd-240/debian/systemd.prerm systemd-240/debian/systemd.prerm --- systemd-240/debian/systemd.prerm 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/systemd.prerm 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -#! /bin/sh - -set -e - -# -# Prevent systemd from being removed if it's the active init. That -# will not work. -# - -if [ "$1" = "remove" ] && [ -d /run/systemd/system ]; then - echo "systemd is the active init system, please switch to another before removing systemd." - exit 1 -fi - -#DEBHELPER# diff -Nru systemd-240/debian/tests/boot-and-services systemd-240/debian/tests/boot-and-services --- systemd-240/debian/tests/boot-and-services 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/tests/boot-and-services 2019-04-09 23:55:45.000000000 +0000 
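Review bot: The final `systemd-tmpfiles --create || :` discards every failure silently, not only the `%b` case on WSL that the comment mentions, so a run that failed to create or fix ownership of a directory leaves no trace in the install log. The earlier journal hunk guards its tmpfiles call with `[ -d /run/systemd/system ]` for the same `%b` reason, and this call does not. Keeping the step non-fatal but visible would be enough, e.g. `systemd-tmpfiles --create || echo "systemd-tmpfiles --create failed, continuing" >&2`. Separately, the comment "Disable networkd when upgrading from broken versions" sits above a command that disables only systemd-networkd-wait-online.service, so it should name that unit.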
@@ -103,7 +103,12 @@ with open('/var/log/syslog') as f: log = f.read() # has kernel messages - self.assertRegex(log, 'kernel:.*[cC]ommand line:') + try: + self.assertRegex(log, 'kernel:.*[cC]ommand line:') + except AssertionError: + # hm syslog is trimmed, for some reason?! + subprocess.call(['journalctl', '-k']) + self.assertRegex(log, 'kernel:.*') # has init messages self.assertRegex(log, 'systemd.*Reached target Graphical Interface') # has other services @@ -243,7 +248,7 @@ subprocess.call(['journalctl', '--sync']) systemctl = subprocess.Popen( ['systemctl', 'status', '-overbose', '-l', 'systemd-nspawn@c1'], - stdout=subprocess.PIPE) + stdout=subprocess.PIPE, stderr=subprocess.PIPE) out = systemctl.communicate()[0].decode('UTF-8', 'replace') self.assertEqual(systemctl.returncode, 3, out) self.assertNotIn('failed', out) diff -Nru systemd-240/debian/tests/boot-smoke systemd-240/debian/tests/boot-smoke --- systemd-240/debian/tests/boot-smoke 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/tests/boot-smoke 2019-04-09 23:55:29.000000000 +0000 
@@ -29,32 +29,59 @@ done fi else + ret=0 + + echo "waiting to boot..." + TIMEOUT=35 + while [ $TIMEOUT -ge 0 ]; do + state="$(systemctl is-system-running || true)" + case $state in + running|degraded) + break + ;; + *) + sleep 1 + TIMEOUT=$((TIMEOUT - 1)) + ;; + esac + done + echo "checking for failed unmounts for user systemd" JOURNAL=$(journalctl) if echo "$JOURNAL" | grep -E "systemd\[([2-9]|[1-9][0-9]+)\].*Failed unmounting"; then - exit 1 + ret=1 fi - echo "checking for connection timeouts" + echo "checking for connection timeouts (non fatal)" if echo "$JOURNAL" | grep "Connection timed out"; then - exit 1 + # systemd-udevd started to time out resolving group 'colord' + # yet, not reproducible locally, investigating + ret=0 fi echo "checking that polkitd runs" - pidof polkitd + if ! pidof polkitd; then + echo "polkitd is NOT running" + ret=1 + fi + + echo "checking failed jobs (non fatal)" + if [ "$state" != "running" ]; then + echo "systemctl is-system-running returns: $state" + systemctl --no-pager --no-legend list-jobs > $ADT_ARTIFACTS/running-jobs.txt || true + fi echo "checking that there are no running jobs" - TIMEOUT=10 - while [ $TIMEOUT -ge 0 ]; do - running="$(systemctl --no-pager --no-legend list-jobs || true)" - [ -n "$running" ] || break - TIMEOUT=$((TIMEOUT - 1)) - done + running="$(systemctl --no-pager --no-legend list-jobs || true)" if [ -n "$running" ]; then echo "running jobs after remaining timeout $TIMEOUT: $running" journalctl --sync journalctl -ab > $ADT_ARTIFACTS/journal.txt udevadm info --export-db > $ADT_ARTIFACTS/udevdb.txt - exit 1 + ret=1 + fi + + if [ "$ret" != "0" ]; then + exit $ret fi fi diff -Nru systemd-240/debian/tests/control systemd-240/debian/tests/control --- systemd-240/debian/tests/control 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/tests/control 2019-04-09 23:55:45.000000000 +0000 
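Review bot: The "connection timeouts (non fatal)" branch assigns `ret=0`, which also discards a `ret=1` set just above by the "Failed unmounting" check. A failed unmount therefore goes unreported whenever the journal also contains "Connection timed out". Drop the assignment and keep only the explanatory comment, e.g. `: # non-fatal for now, leave ret unchanged`. The redirections to `$ADT_ARTIFACTS/running-jobs.txt` and the other artifact files are unquoted and would be safer as `> "$ADT_ARTIFACTS/running-jobs.txt"`.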
@@ -1,5 +1,6 @@ Tests: timedated, hostnamed, localed-locale, localed-x11-keymap Depends: systemd, + udev, libpam-systemd, libnss-systemd, acl, @@ -8,6 +9,7 @@ Tests: logind Depends: systemd, + udev, libpam-systemd, libnss-systemd, acl, @@ -17,6 +19,7 @@ Tests: unit-config Depends: systemd, + udev, libpam-systemd, libnss-systemd, acl, @@ -28,6 +31,7 @@ Tests: storage Depends: systemd, + udev, libpam-systemd, libnss-systemd, acl, @@ -41,6 +45,7 @@ Tests: networkd-test.py Tests-Directory: test Depends: systemd, + udev, libpam-systemd, libnss-systemd, acl, @@ -56,6 +61,7 @@ Tests: build-login Depends: systemd, + udev, libpam-systemd, libnss-systemd, acl, @@ -73,6 +79,8 @@ Tests: boot-and-services Depends: systemd-sysv, + systemd, + udev, systemd-container, systemd-coredump, libpam-systemd, @@ -89,6 +97,7 @@ Tests: udev Depends: systemd-tests, + udev, python3, tree, perl, @@ -97,6 +106,7 @@ Tests: root-unittests Depends: systemd-tests, + udev, libpam-systemd, tree, perl, @@ -127,6 +137,7 @@ qemu-system-x86 [amd64 i386], qemu-system-arm [arm64 armhf], qemu-system-s390x [s390x], + qemu-system-ppc [ppc64el], less, pkg-config, gcc, @@ -172,6 +183,8 @@ systemd-container, systemd-coredump, systemd-sysv, + systemd, + udev, fdisk | util-linux (<< 2.29.2-3~), netcat-openbsd, busybox-static, diff -Nru systemd-240/debian/tests/systemd-fsckd systemd-240/debian/tests/systemd-fsckd --- systemd-240/debian/tests/systemd-fsckd 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/tests/systemd-fsckd 2019-04-09 23:55:29.000000000 +0000 @@ -7,6 +7,7 @@ import inspect import fileinput import os +import platform import subprocess import shutil import stat 
@@ -44,6 +45,7 @@ # ensure we have our root fsck enabled by default (it detects it runs in a vm and doesn't pull the target) # note that it can already exists in case of a reboot (as there was no tearDown as we wanted) os.makedirs(os.path.dirname(SYSTEMD_FSCK_ROOT_ENABLE_PATH), exist_ok=True) + os.makedirs('/var/log/journal', exist_ok=True) with suppress(FileExistsError): os.symlink(SYSTEMD_FSCK_ROOT_PATH, SYSTEMD_FSCK_ROOT_ENABLE_PATH) enable_plymouth() @@ -96,7 +98,10 @@ self.assertFsckdStop() self.assertWasRunning('process-killer') self.assertFalse(self.is_failed_unit('process-killer')) - self.assertFsckProceeded() + self.assertWasRunning('systemd-fsckd') + self.assertFalse(self.is_failed_unit('systemd-fsckd')) + self.assertTrue(self.is_failed_unit('systemd-fsck-root')) + self.assertWasRunning('plymouth-start') self.assertSystemRunning() def test_systemd_fsck_with_failure(self): @@ -120,11 +125,12 @@ else: self.assertFsckdStop() self.assertProcessKilled() - self.assertFalse(self.is_failed_unit('systemd-fsck-root')) + self.assertTrue(self.is_failed_unit('systemd-fsck-root')) self.assertTrue(self.is_failed_unit('systemd-fsckd')) self.assertWasRunning('plymouth-start') self.assertSystemRunning() + @unittest.expectedFailure def test_systemd_fsck_with_plymouth_failure(self): '''Ensure that a failing plymouth doesn't prevent fsckd to reconnect/exit''' if not self._after_reboot: @@ -219,7 +225,7 @@ subprocess.check_call(['systemctl', 'enable', 'process-killer'], stderr=subprocess.DEVNULL) -def enable_plymouth(enable=True): +def enable_plymouth_grub(enable=True): '''ensure plymouth is enabled in grub config (doesn't reboot)''' plymouth_enabled = 'splash' in open('/boot/grub/grub.cfg').read() if enable and not plymouth_enabled: 
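Review bot: `@unittest.expectedFailure` on `test_systemd_fsck_with_plymouth_failure` carries no reason, and the same hunk flips the `systemd-fsck-root` check from `assertFalse` to `assertTrue` without explanation. With the decorator in place, a regression in the plymouth-failure path no longer fails the run, and the test is reported as an unexpected success once the underlying problem goes away, so the marker needs a tracked reason. Add a comment above it such as `# expected to fail: <bug reference> - <short reason>` and drop the decorator when that bug is closed. The bodies of both test methods extend outside the hunk.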
@@ -238,6 +244,23 @@ subprocess.check_call(['update-grub'], stderr=subprocess.DEVNULL) +def enable_plymouth_zipl(enable=True, ziplconf='/etc/zipl.conf'): + '''ensure plymouth is enabled in zipl config (doesn't reboot)''' + plymouth_enabled = 'splash' in open(ziplconf).read() + if enable and not plymouth_enabled: + subprocess.check_call(['sed', '-i', 's/^\(parameters.*\)/\\1 splash quiet/', ziplconf], stderr=subprocess.DEVNULL) + elif not enable and plymouth_enabled: + subprocess.check_call(['sed', '-i', 's/ splash quiet//g', ziplconf], stderr=subprocess.DEVNULL) + subprocess.check_call(['zipl'], stderr=subprocess.DEVNULL) + + +def enable_plymouth(enable=True): + if platform.processor() == 's390x': + enable_plymouth_zipl(enable) + else: + enable_plymouth_grub(enable) + + def boot_with_systemd_distro(): '''Reboot with systemd as init and distro setup for grub''' enable_plymouth() @@ -259,6 +282,10 @@ print('SKIP: root file system is being checked by initramfs already') sys.exit(0) + if platform.processor() == 'aarch64': + print('SKIP: cannot reboot properly on arm64, see https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1748280') + sys.exit(0) + all_tests = getAllTests(FsckdTest) reboot_marker = os.getenv('ADT_REBOOT_MARK') diff -Nru systemd-240/debian/tests/upstream systemd-240/debian/tests/upstream --- systemd-240/debian/tests/upstream 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/tests/upstream 2019-04-09 23:55:45.000000000 +0000 @@ -5,7 +5,7 @@ # even after installing policycoreutils this fails with # "Failed to install /usr/libexec/selinux/hll/pp" -BLACKLIST="TEST-06-SELINUX" +BLACKLIST="TEST-06-SELINUX TEST-16-EXTEND-TIMEOUT" # some tests are flaky BLACKLIST="$BLACKLIST 
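Review bot: `enable_plymouth()` picks the bootloader with `platform.processor() == 's390x'`, and the next hunk in this file skips on `platform.processor() == 'aarch64'`. `platform.processor()` is documented to return an empty string when the value cannot be determined, in which case an s390x host would fall through to the grub path and the arm64 skip would not trigger. `platform.machine()` is the more dependable source: `if platform.machine() == 's390x':` and `if platform.machine() == 'aarch64':`. In `enable_plymouth_zipl`, the sed expression relies on `\(` being an unrecognised escape in a normal string; the raw string `r's/^\(parameters.*\)/\1 splash quiet/'` passes the same text to sed without that. `enable_plymouth` also has no docstring, e.g. `'''enable plymouth via zipl on s390x, via grub elsewhere (doesn't reboot)'''`.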
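Review bot: `TEST-16-EXTEND-TIMEOUT` is appended to the `BLACKLIST` line that sits directly under the comment about the SELinux `pp` install failure. The file now reads as if that comment explained both entries, and nothing records why TEST-16 is disabled. Give it its own line and reason, e.g. `# <reason or bug reference for skipping TEST-16>` followed by `BLACKLIST="$BLACKLIST TEST-16-EXTEND-TIMEOUT"`.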
@@ -16,6 +16,14 @@ TEST-17-UDEV-WANTS " +# passes on baremetal, fails in nested qemu +# https://github.com/systemd/systemd/issues/11612 +if [ $(dpkg --print-architecture) = "ppc64el" ]; then +BLACKLIST="$BLACKLIST +TEST-24-UNIT-TESTS +" +fi + # quiesce Makefile.guess; not really relevant as systemd/nspawn run from # installed packages export BUILD_DIR=. diff -Nru systemd-240/debian/udev-udeb.install systemd-240/debian/udev-udeb.install --- systemd-240/debian/udev-udeb.install 2019-02-18 13:54:04.000000000 +0000 +++ systemd-240/debian/udev-udeb.install 2019-04-09 23:55:29.000000000 +0000 @@ -18,3 +18,4 @@ ../../extra/rules/73-special-net-names.rules lib/udev/rules.d/ ../../extra/rules/73-usb-net-by-mac.rules lib/udev/rules.d/ ../../extra/start-udev lib/debian-installer/ +../../extra/modprobe.d-udeb/scsi-mod-scan-sync.conf lib/modprobe.d/
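Review bot: The architecture test `[ $(dpkg --print-architecture) = "ppc64el" ]` leaves the command substitution unquoted. If `dpkg` prints nothing or fails, the test collapses to `[ = "ppc64el" ]` and the shell reports a test syntax error instead of evaluating cleanly to false. Quote it: `if [ "$(dpkg --print-architecture)" = "ppc64el" ]; then`.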