Commit c72abb88 authored by Michael Biebl

Merge tag 'debian/241-3' into stretch-backports

systemd Debian release 241-3
parents acf8fa2c 49f46e63
systemd (241-3) unstable; urgency=high
[ Michael Biebl ]
* Drop systemd-shim alternative from libpam-systemd.
A fixed systemd-shim package which works with newer versions of systemd
is unlikely to happen given that the systemd-shim package has been
removed from the archive. Drop the alternative dependency from
libpam-systemd accordingly.
* Properly remove duplicate directories from systemd package.
When removing duplicate directories from the systemd package, sort the
list of directories in reverse order so we properly delete nested
directories.
* udev: Run programs in the specified order (Closes: #925190)
* bash-completion: Use default completion for redirect operators
(Closes: #924541)
* networkd: Clarify that IPv6 RA uses our own stack, no the kernel's
(Closes: #815582)
* Revert "Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf"
Apparently Conflicts= are not a reliable mechanism to ensure alternative
NTP implementations take precedence over systemd-timesyncd.
(Closes: #902026)
* network: Fix routing policy rule issue.
When multiple links request a routing policy, make sure they are all
applied correctly. (Closes: #924406)
* pam-systemd: Use secure_getenv() rather than getenv()
Fixes a vulnerability in the systemd PAM module which insecurely uses
the environment and lacks seat verification permitting spoofing an
active session to PolicyKit. (CVE-2019-3842)
[ Martin Pitt ]
* Enable udev autopkgtest in containers.
This test doesn't actually need udev.service (which is disabled in
containers) and works fine in LXC.
* Enable boot-and-service autopkgtest in containers
- Skip tests which can't work in containers.
- Add missing rsyslog test dependency.
- e2scrub_reap.service fails in containers, ignore (filed as #926138)
- Relax pgrep pattern for gdm, as there's no wayland session in
containers.
-- Michael Biebl <biebl@debian.org> Mon, 08 Apr 2019 12:59:32 +0200
systemd (241-2) unstable; urgency=medium
[ Martin Pitt ]
* debian/tests/boot-smoke: Create journal and udevdb artifacts on all
failures
* autopkgtests: Replace obsolete $ADT_* variables
* networkd-test: Ignore failures of test_route_only_dns* in containers.
This test exposes a race condition when running in LXC, see issue #11848
for details. Until that is understood and fixed, skip the test as it's
not a recent regression. (Closes: #924539)
* Bump Standards-Version to 4.3.0.
No changes necessary.
* debian/tests/boot-smoke: Only check current boot for connection timeouts.
Otherwise we'll catch some
Failed to resolve group 'render': Connection timed out
messages that happen in earlier boots during VM setup, before the
"render" group is created.
Fixes https://github.com/systemd/systemd/issues/11875
* timedated: Fix emitted value when ntp client is enabled/disabled.
Fixes a regression introduced in 241.
* debian/tests/timedated: Check enabling/disabling NTP.
Assert that `timedatectl set-ntp` correctly controls the service, sets
the `org.freedesktop.timedate1 NTP` property, and sends the right
`PropertiesChanged` signal.
This reproduces <https://github.com/systemd/systemd/issues/11944> and
also the earlier <https://github.com/systemd/systemd/issues/9672>.
[ Michael Biebl ]
* Disable fallback DNS servers in resolved (Closes: #923081)
* cgtop: Fix processing of controllers other than CPU (Closes: #921280)
* udev: Restore debug level when logging a failure in the external prog
called by IMPORT{program} (Closes: #924199)
* core: Remove "." path components from required mount paths.
Fixes mount related failures when a user's home directory contains "/./"
(Closes: #923881)
* udev.init: Use new s-s-d --notify-await to start udev daemon.
Fixes a race condition during startup under SysV init.
Add versioned dependency on dpkg (>= 1.19.3) to ensure that a version
of start-stop-daemon which supports --notify-await is installed.
(Closes: #908796)
* Make /dev/dri/renderD* accessible to group "render"
Follow upstream and make render nodes available to a dedicated system
group "render" instead of "video". Keep the uaccess tag for local,
active users.
-- Michael Biebl <biebl@debian.org> Fri, 15 Mar 2019 18:33:54 +0100
systemd (241-1~bpo9+1) stretch-backports; urgency=medium
* Rebuild for stretch-backports
......@@ -9,7 +98,7 @@ systemd (241-1) unstable; urgency=medium
[ Adam Borowski ]
* Make libpam-systemd Provide: logind, default-logind.
This allows alternate logind implementations such as elogind, without
having to recompile every dependant package -- as long as the client API
having to recompile every dependent package -- as long as the client API
remains compatible.
These new virtual packages got policy-approved in #917431. (Closes: #915407)
......
......@@ -7,7 +7,7 @@ Uploaders: Michael Biebl <biebl@debian.org>,
Sjoerd Simons <sjoerd@debian.org>,
Martin Pitt <mpitt@debian.org>,
Felipe Sateler <fsateler@debian.org>
Standards-Version: 4.2.1
Standards-Version: 4.3.0
Rules-Requires-Root: no
Vcs-Git: https://salsa.debian.org/systemd-team/systemd.git
Vcs-Browser: https://salsa.debian.org/systemd-team/systemd
......@@ -208,7 +208,7 @@ Depends: ${shlibs:Depends},
systemd (= ${binary:Version}),
libpam-runtime (>= 1.0.1-6),
dbus,
systemd-shim (>= 10-4~) | systemd-sysv
systemd-sysv
Provides: logind (= ${binary:Version}), default-logind (= ${binary:Version})
Description: system and service manager - PAM module
This package contains the PAM module which registers user sessions in
......@@ -329,6 +329,7 @@ Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends},
${misc:Depends},
adduser,
dpkg (>= 1.19.3) | systemd-sysv,
libudev1 (= ${binary:Version}),
lsb-base (>= 3.0-6),
util-linux (>= 2.27.1),
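Review bot: In the added `dpkg (>= 1.19.3) | systemd-sysv` line, the alternative means the versioned dpkg requirement is not enforced on any system that has systemd-sysv installed. That is fine if udev.init and its `--notify-await` call are only ever used under SysV init, as the changelog entry implies, but the reasoning is not recorded next to the dependency. A one-line comment explaining why systemd-sysv is an acceptable alternative would stop the line from being "simplified" later.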
......
From: Michael Biebl <biebl@debian.org>
Date: Wed, 13 Mar 2019 23:22:26 +0100
Subject: Re-add uaccess tag for /dev/dri/renderD*
Setting an access mode != 0666 is explicitly supported via -Dgroup-render-mode
In such a case, re-add the uaccess tag.
This is basically the same change that was done for /dev/kvm in
commit fa53e24130af3a389573acb9585eadbf7192955f and
ace5e3111c0b8d8bfd84b32f2c689b0a4d92c061
and partially reverts the changes from
4e15a7343cb389e97f3eb4f49699161862d8b8b2
(cherry picked from commit 055a083a47de968744c4988fe305592477118c86)
---
meson.build | 4 +++-
src/login/70-uaccess.rules.m4 | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/meson.build b/meson.build
index 56c98b9..d340736 100644
--- a/meson.build
+++ b/meson.build
@@ -818,7 +818,9 @@ conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
dev_kvm_mode = get_option('dev-kvm-mode')
substs.set('DEV_KVM_MODE', dev_kvm_mode)
conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666')
-substs.set('GROUP_RENDER_MODE', get_option('group-render-mode'))
+group_render_mode = get_option('group-render-mode')
+substs.set('GROUP_RENDER_MODE', group_render_mode)
+conf.set10('GROUP_RENDER_UACCESS', group_render_mode != '0666')
kill_user_processes = get_option('default-kill-user-processes')
conf.set10('KILL_USER_PROCESSES', kill_user_processes)
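Review bot: The new `GROUP_RENDER_UACCESS` line means a restrictive group-render-mode does not actually limit render nodes to the render group, because the uaccess tag is re-added in exactly that case and local session users get access through it. That behaviour should be stated in the `group-render-mode` option description so an administrator who sets 0660 knows what they are getting. Separately, `group_render_mode != '0666'` is an exact string comparison, so an equivalent spelling such as '666' also sets the flag; this matches the existing DEV_KVM_UACCESS line, but a short comment covering both would help.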
diff --git a/src/login/70-uaccess.rules.m4 b/src/login/70-uaccess.rules.m4
index d55e5bf..4bb144a 100644
--- a/src/login/70-uaccess.rules.m4
+++ b/src/login/70-uaccess.rules.m4
@@ -46,6 +46,10 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
# DRI video devices
SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
+m4_ifdef(`GROUP_RENDER_UACCESS',``
+# DRI render nodes
+SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess"''
+)m4_dnl
m4_ifdef(`DEV_KVM_UACCESS',``
# KVM
SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"''
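Review bot: The added `m4_ifdef(`GROUP_RENDER_UACCESS', ...)` guard tests only whether the macro is defined, while meson.build sets it with `conf.set10`, which records a 0 as well as a 1. Please confirm that the m4 step leaves the macro undefined when the value is 0, as it must already do for DEV_KVM_UACCESS just below; otherwise the render-node rule is emitted even for mode 0666. A comment in the rule block naming the build option that controls it (`group-render-mode`) would also help readers of the generated rules file.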
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sat, 23 Mar 2019 21:49:17 +0100
Subject: bash-completion: use default completion for redirect operators
(cherry picked from commit 1413763ea540a897852494259cb949fe01e1e7e7)
---
shell-completion/bash/journalctl | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl
index bcd4533..5a6a3da 100644
--- a/shell-completion/bash/journalctl
+++ b/shell-completion/bash/journalctl
@@ -52,6 +52,13 @@ _journalctl() {
--vacuum-size --vacuum-time --vacuum-files --output-fields'
)
+ # Use the default completion for shell redirect operators
+ if __contains_word "$prev" '>' '>>' '&>'; then
+ compopt -o filenames
+ COMPREPLY=( $(compgen -f -- "$cur") )
+ return 0;
+ fi
+
if __contains_word "$prev" ${OPTS[ARG]} ${OPTS[ARGUNKNOWN]}; then
case $prev in
--boot|-b)
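Review bot: The operator list in `__contains_word "$prev" '>' '>>' '&>'` covers only three output redirections, so input redirection (`<`) and forms such as `2>` or `&>>` still fall through to the option completion below. Either extend the list or note in the comment that only these three are handled on purpose. Also in this block, `COMPREPLY=( $(compgen -f -- "$cur") )` is unquoted and splits file names that contain whitespace, and the trailing semicolon in `return 0;` is not needed.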
From: Szabolcs Fruhwald <sfruhwald@google.com>
Date: Wed, 20 Feb 2019 12:38:50 -0800
Subject: cgtop: Fix processing of controllers other than CPU
After debugging the issue with gdb, I found that the following change
94ddb08 "cgtop: Still try to get CPU statistics if controller-free"
has introduced a bug, which prevents process(..) method processing
memory and io controllers when cpu_accounting_is_cheap() is true.
The obvious fix is to move this branch to be the last one, keeping
the intended behavior of the above change, without having a negative
effect on the other controllers.
Fixes #11773 [systemd-cgtop no longer shows memory (and io) usage]
(cherry picked from commit 5fe74e893c7939a360dc4eb75dbf3f540526c968)
---
src/cgtop/cgtop.c | 130 +++++++++++++++++++++++++++---------------------------
1 file changed, 65 insertions(+), 65 deletions(-)
diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c
index b3bda30..ab3b979 100644
--- a/src/cgtop/cgtop.c
+++ b/src/cgtop/cgtop.c
@@ -223,71 +223,6 @@ static int process(
if (g->n_tasks > 0)
g->n_tasks_valid = true;
- } else if (STR_IN_SET(controller, "cpu", "cpuacct") || cpu_accounting_is_cheap()) {
- _cleanup_free_ char *p = NULL, *v = NULL;
- uint64_t new_usage;
- nsec_t timestamp;
-
- if (is_root_cgroup(path)) {
- r = procfs_cpu_get_usage(&new_usage);
- if (r < 0)
- return r;
- } else if (all_unified) {
- _cleanup_free_ char *val = NULL;
-
- if (!streq(controller, "cpu"))
- return 0;
-
- r = cg_get_keyed_attribute("cpu", path, "cpu.stat", STRV_MAKE("usage_usec"), &val);
- if (IN_SET(r, -ENOENT, -ENXIO))
- return 0;
- if (r < 0)
- return r;
-
- r = safe_atou64(val, &new_usage);
- if (r < 0)
- return r;
-
- new_usage *= NSEC_PER_USEC;
- } else {
- if (!streq(controller, "cpuacct"))
- return 0;
-
- r = cg_get_path(controller, path, "cpuacct.usage", &p);
- if (r < 0)
- return r;
-
- r = read_one_line_file(p, &v);
- if (r == -ENOENT)
- return 0;
- if (r < 0)
- return r;
-
- r = safe_atou64(v, &new_usage);
- if (r < 0)
- return r;
- }
-
- timestamp = now_nsec(CLOCK_MONOTONIC);
-
- if (g->cpu_iteration == iteration - 1 &&
- (nsec_t) new_usage > g->cpu_usage) {
-
- nsec_t x, y;
-
- x = timestamp - g->cpu_timestamp;
- if (x < 1)
- x = 1;
-
- y = (nsec_t) new_usage - g->cpu_usage;
- g->cpu_fraction = (double) y / (double) x;
- g->cpu_valid = true;
- }
-
- g->cpu_usage = (nsec_t) new_usage;
- g->cpu_timestamp = timestamp;
- g->cpu_iteration = iteration;
-
} else if (streq(controller, "memory")) {
if (is_root_cgroup(path)) {
@@ -411,6 +346,71 @@ static int process(
g->io_output = wr;
g->io_timestamp = timestamp;
g->io_iteration = iteration;
+ } else if (STR_IN_SET(controller, "cpu", "cpuacct") || cpu_accounting_is_cheap()) {
+ _cleanup_free_ char *p = NULL, *v = NULL;
+ uint64_t new_usage;
+ nsec_t timestamp;
+
+ if (is_root_cgroup(path)) {
+ r = procfs_cpu_get_usage(&new_usage);
+ if (r < 0)
+ return r;
+ } else if (all_unified) {
+ _cleanup_free_ char *val = NULL;
+
+ if (!streq(controller, "cpu"))
+ return 0;
+
+ r = cg_get_keyed_attribute("cpu", path, "cpu.stat", STRV_MAKE("usage_usec"), &val);
+ if (IN_SET(r, -ENOENT, -ENXIO))
+ return 0;
+ if (r < 0)
+ return r;
+
+ r = safe_atou64(val, &new_usage);
+ if (r < 0)
+ return r;
+
+ new_usage *= NSEC_PER_USEC;
+ } else {
+ if (!streq(controller, "cpuacct"))
+ return 0;
+
+ r = cg_get_path(controller, path, "cpuacct.usage", &p);
+ if (r < 0)
+ return r;
+
+ r = read_one_line_file(p, &v);
+ if (r == -ENOENT)
+ return 0;
+ if (r < 0)
+ return r;
+
+ r = safe_atou64(v, &new_usage);
+ if (r < 0)
+ return r;
+ }
+
+ timestamp = now_nsec(CLOCK_MONOTONIC);
+
+ if (g->cpu_iteration == iteration - 1 &&
+ (nsec_t) new_usage > g->cpu_usage) {
+
+ nsec_t x, y;
+
+ x = timestamp - g->cpu_timestamp;
+ if (x < 1)
+ x = 1;
+
+ y = (nsec_t) new_usage - g->cpu_usage;
+ g->cpu_fraction = (double) y / (double) x;
+ g->cpu_valid = true;
+ }
+
+ g->cpu_usage = (nsec_t) new_usage;
+ g->cpu_timestamp = timestamp;
+ g->cpu_iteration = iteration;
+
}
if (ret)
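Review bot: The relocated `else if (STR_IN_SET(controller, "cpu", "cpuacct") || cpu_accounting_is_cheap())` arm is only correct while it stays last in the chain, because the `cpu_accounting_is_cheap()` half of the condition does not depend on `controller` and would swallow the memory and io cases again if another arm were added after it. Nothing in the code says so. Please add a comment above the branch stating that it must remain the final arm, and drop the blank line that was carried along before the closing brace.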
......@@ -14,7 +14,7 @@ Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1141137
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index 24b14fb..694df72 100644
index 2a7359a..d55aba8 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4553,16 +4553,7 @@ int unit_kill_context(
......
......@@ -13,7 +13,7 @@ hack to make the renaming less likely to fail.
1 file changed, 46 insertions(+), 5 deletions(-)
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
index 07b7365..f67b295 100644
index faec4fc..0b295b8 100644
--- a/src/udev/udev-event.c
+++ b/src/udev/udev-event.c
@@ -680,6 +680,7 @@ static int rename_netif(UdevEvent *event) {
......
From: Michael Biebl <biebl@debian.org>
Date: Sun, 17 Dec 2017 00:31:20 +0100
Subject: Revert "udev-rules: Permission changes for /dev/dri/renderD*"
This would introduce a new system group "render". As the name is rather
generic, this needs further discussion first, so revert this change for
now.
This reverts commit 4e15a7343cb389e97f3eb4f49699161862d8b8b2.
---
meson.build | 2 --
meson_options.txt | 2 --
rules/50-udev-default.rules.in | 5 +----
src/login/70-uaccess.rules.m4 | 2 +-
4 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/meson.build b/meson.build
index c539a00..1c00000 100644
--- a/meson.build
+++ b/meson.build
@@ -818,7 +818,6 @@ conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
dev_kvm_mode = get_option('dev-kvm-mode')
substs.set('DEV_KVM_MODE', dev_kvm_mode)
conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666')
-substs.set('GROUP_RENDER_MODE', get_option('group-render-mode'))
kill_user_processes = get_option('default-kill-user-processes')
conf.set10('KILL_USER_PROCESSES', kill_user_processes)
@@ -3107,7 +3106,6 @@ status = [
'minimum container UID base: @0@'.format(container_uid_base_min),
'maximum container UID base: @0@'.format(container_uid_base_max),
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
- 'render group access mode: @0@'.format(get_option('group-render-mode')),
'certificate root directory: @0@'.format(get_option('certificate-root')),
'support URL: @0@'.format(support_url),
'nobody user name: @0@'.format(nobody_user),
diff --git a/meson_options.txt b/meson_options.txt
index 044bb79..2dcfa3b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -192,8 +192,6 @@ option('nobody-group', type : 'string',
value : 'nobody')
option('dev-kvm-mode', type : 'string', value : '0666',
description : '/dev/kvm access mode')
-option('group-render-mode', type : 'string', value : '0666',
- description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
option('default-kill-user-processes', type : 'boolean',
description : 'the default value for KillUserProcesses= setting')
option('gshadow', type : 'boolean',
diff --git a/rules/50-udev-default.rules.in b/rules/50-udev-default.rules.in
index 191f56f..63aa3db 100644
--- a/rules/50-udev-default.rules.in
+++ b/rules/50-udev-default.rules.in
@@ -31,14 +31,11 @@ SUBSYSTEM=="input", KERNEL=="js[0-9]*", MODE="0664"
SUBSYSTEM=="video4linux", GROUP="video"
SUBSYSTEM=="graphics", GROUP="video"
-SUBSYSTEM=="drm", KERNEL!="renderD*", GROUP="video"
+SUBSYSTEM=="drm", GROUP="video"
SUBSYSTEM=="dvb", GROUP="video"
SUBSYSTEM=="media", GROUP="video"
SUBSYSTEM=="cec", GROUP="video"
-SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
-SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"
-
SUBSYSTEM=="sound", GROUP="audio", \
OPTIONS+="static_node=snd/seq", OPTIONS+="static_node=snd/timer"
diff --git a/src/login/70-uaccess.rules.m4 b/src/login/70-uaccess.rules.m4
index d55e5bf..e46cacb 100644
--- a/src/login/70-uaccess.rules.m4
+++ b/src/login/70-uaccess.rules.m4
@@ -45,7 +45,7 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="uaccess"
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
# DRI video devices
-SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
+SUBSYSTEM=="drm", KERNEL=="card*|renderD*", TAG+="uaccess"
m4_ifdef(`DEV_KVM_UACCESS',``
# KVM
SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"''
......@@ -392,7 +392,7 @@ index 6b6b32a..cb63d45 100644
return r;
}
diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
index eeb17b6..e1bce1f 100644
index 324d4a4..4d54ac3 100644
--- a/src/timedate/timedated.c
+++ b/src/timedate/timedated.c
@@ -215,6 +215,7 @@ static int context_read_data(Context *c) {
......
......@@ -239,10 +239,10 @@ index 0000000..b7ad58d
+
+</refentry>
diff --git a/meson.build b/meson.build
index 56c98b9..c539a00 100644
index d340736..d4887d5 100644
--- a/meson.build
+++ b/meson.build
@@ -2393,6 +2393,14 @@ executable('systemd-makefs',
@@ -2395,6 +2395,14 @@ executable('systemd-makefs',
install : true,
install_dir : rootlibexecdir)
......@@ -268,7 +268,7 @@ index 029261c..d709ddb 100644
+src/fsckd/fsckd.c
diff --git a/src/fsckd/fsckd.c b/src/fsckd/fsckd.c
new file mode 100644
index 0000000..d48e53a
index 0000000..fffea29
--- /dev/null
+++ b/src/fsckd/fsckd.c
@@ -0,0 +1,690 @@
......
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 22 Feb 2019 13:32:47 +0900
Subject: network: do not remove rule when it is requested by existing links
Otherwise, the first link once removes all saved rules in the foreign
rule database, and the second or later links create again...
(cherry picked from commit 031fb59a984e5b51f3c72aa8125ecc50b08011fe)
---
src/network/networkd-routing-policy-rule.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
index 21a40fa..65a9af2 100644
--- a/src/network/networkd-routing-policy-rule.c
+++ b/src/network/networkd-routing-policy-rule.c
@@ -1250,6 +1250,26 @@ int routing_policy_load_rules(const char *state_file, Set **rules) {
return 0;
}
+static bool manager_links_have_routing_policy_rule(Manager *m, RoutingPolicyRule *rule) {
+ RoutingPolicyRule *link_rule;
+ Iterator i;
+ Link *link;
+
+ assert(m);
+ assert(rule);
+
+ HASHMAP_FOREACH(link, m->links, i) {
+ if (!link->network)
+ continue;
+
+ LIST_FOREACH(rules, link_rule, link->network->rules)
+ if (routing_policy_rule_compare_func(link_rule, rule) == 0)
+ return true;
+ }
+
+ return false;
+}
+
void routing_policy_rule_purge(Manager *m, Link *link) {
RoutingPolicyRule *rule, *existing;
Iterator i;
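Review bot: `manager_links_have_routing_policy_rule()` counts every link with a non-NULL `link->network` as a holder of the rule, whatever state that link is in. If a link that has a network assigned but is not (or no longer) configured should not keep a stale rule alive, the loop needs a state check next to `if (!link->network)`. If any assigned network is meant to pin the rule, please say so in a comment above the function. The helper is also called once per saved rule from the purge loop, so a brief note on the expected sizes of `m->links` and the rule lists would be welcome.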
@@ -1263,6 +1283,12 @@ void routing_policy_rule_purge(Manager *m, Link *link) {
if (!existing)
continue; /* Saved rule does not exist anymore. */
+ if (manager_links_have_routing_policy_rule(m, existing))
+ continue; /* Existing links have the saved rule. */
+
+ /* Existing links do not have the saved rule. Let's drop the rule now, and re-configure it
+ * later when it is requested. */
+
r = routing_policy_rule_remove(existing, link, NULL);
if (r < 0) {
log_warning_errno(r, "Could not remove routing policy rules: %m");
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 22 Feb 2019 13:27:44 +0900
Subject: network: remove routing policy rule from foreign rule database when
it is removed
Previously, when the first link configures rules, it removes all saved
rules, which were configured by networkd previously, in the foreign rule
database, but the rules themselves are still in the database.
Thus, when the second or later link configures rules, it erroneously
treats the rules as already existing.
This is the root of issue #11280.
This removes rules from the foreign database when they are removed.
Fixes #11280.
(cherry picked from commit 92cd00b9749141907a1110044cc7d1f01caff545)
---
src/network/networkd-routing-policy-rule.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
index 2dc7862..21a40fa 100644
--- a/src/network/networkd-routing-policy-rule.c
+++ b/src/network/networkd-routing-policy-rule.c
@@ -1260,15 +1260,18 @@ void routing_policy_rule_purge(Manager *m, Link *link) {
SET_FOREACH(rule, m->rules_saved, i) {
existing = set_get(m->rules_foreign, rule);
- if (existing) {
+ if (!existing)
+ continue; /* Saved rule does not exist anymore. */
- r = routing_policy_rule_remove(rule, link, NULL);
- if (r < 0) {
- log_warning_errno(r, "Could not remove routing policy rules: %m");
- continue;
- }
-
- link->routing_policy_rule_remove_messages++;
+ r = routing_policy_rule_remove(existing, link, NULL);
+ if (r < 0) {
+ log_warning_errno(r, "Could not remove routing policy rules: %m");
+ continue;
}
+
+ link->routing_policy_rule_remove_messages++;
+
+ assert_se(set_remove(m->rules_foreign, existing) == existing);
+ routing_policy_rule_free(existing);
}
}
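Review bot: The added `set_remove(m->rules_foreign, existing)` and `routing_policy_rule_free(existing)` run as soon as the removal request has been sent, while `routing_policy_rule_remove_messages++` indicates the reply is still outstanding and the call passes a NULL callback. If the kernel rejects the removal, the foreign database no longer matches what is installed. Please either drop the entry when the reply arrives or add a comment explaining why removing it optimistically is safe here.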
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 13 Mar 2019 17:00:56 +0100
Subject: networkd: clarify that IPv6 RA uses our own stack, no the kernel's
Fixes: #8906
(cherry picked from commit c4a05aa1a8338013108d099de805f3262a871c0f)
---
man/systemd.network.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index ee464ff..12be72a 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -632,6 +632,11 @@
url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink> in the kernel
documentation regarding <literal>accept_ra</literal>, but note that systemd's setting of
<constant>1</constant> (i.e. true) corresponds to kernel's setting of <constant>2</constant>.</para>
+
+ <para>Note that if this option is enabled a userspace implementation of the IPv6 RA protocol is
+ used, and the kernel's own implementation remains disabled, since `networkd` needs to know all
+ details supplied in the advertisements, and these are not available from the kernel if the kernel's
+ own implemenation is used.</para>
</listitem>
</varlistentry>
<varlistentry>
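Review bot: The added paragraph has a typo, "implemenation" should be "implementation", and it writes `networkd` in Markdown-style backticks, which DocBook renders literally. Use the markup the rest of this file uses for program names, for example `<command>systemd-networkd</command>`. Since the commit subject says "no the kernel's", that typo is worth fixing at the same time if the message can still be amended.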
From: Martin Pitt <martin@piware.de>
Date: Wed, 27 Feb 2019 23:15:31 +0100
Subject: networkd-test: ignore failures of test_route_only_dns* in containers
This test exposes a race condition when running in LXC, see issue #11848
for details. Until that is understood and fixed, skip the test as it's
not a recent regression.
(cherry picked from commit 09b8826ea371e027c76a573a226bfd8f8c5652a2)
---
test/networkd-test.py | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/test/networkd-test.py b/test/networkd-test.py
index 9487910..6efeef9 100755
--- a/test/networkd-test.py
+++ b/test/networkd-test.py
@@ -29,6 +29,7 @@ import time
import unittest
HAVE_DNSMASQ = shutil.which('dnsmasq') is not None
+IS_CONTAINER = subprocess.call(['systemd-detect-virt', '--quiet', '--container']) == 0
NETWORK_UNITDIR = '/run/systemd/network'
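Review bot: The new `IS_CONTAINER = subprocess.call(['systemd-detect-virt', ...]) == 0` line runs at import time, so a missing `systemd-detect-virt` binary raises FileNotFoundError before any test is collected. HAVE_DNSMASQ just above guards against that with `shutil.which`; doing the same here (treat "not found" as not a container) keeps the module importable.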
@@ -476,8 +477,15 @@ Address=192.168.42.100
DNS=192.168.42.1
Domains= ~company''')
- self.do_test(coldplug=True, ipv6=False,
- extra_opts='IPv6AcceptRouterAdvertisements=False')
+ try:
+ self.do_test(coldplug=True, ipv6=False,
+ extra_opts='IPv6AcceptRouterAdvertisements=False')
+ except subprocess.CalledProcessError as e:
+ # networkd often fails to start in LXC: https://github.com/systemd/systemd/issues/11848
+ if IS_CONTAINER and e.cmd == ['systemctl', 'start', 'systemd-networkd']:
+ raise unittest.SkipTest('https://github.com/systemd/systemd/issues/11848')
+ else:
+ raise
with open(RESOLV_CONF) as f:
contents = f.read()
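Review bot: In the added `except` block, `e.cmd == ['systemctl', 'start', 'systemd-networkd']` is an exact list match against how do_test happens to invoke systemctl, so any change to that call (an extra flag, a `.service` suffix) silently turns the skip back into a failure. More importantly, raising SkipTest for every failed start in a container hides unrelated startup regressions as well as the race from issue 11848. Consider logging the unit's journal before skipping so the skipped runs remain diagnosable.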
@@ -500,8 +508,15 @@ Address=192.168.42.100
DNS=192.168.42.1
Domains= ~company ~.''')
- self.do_test(coldplug=True, ipv6=False,
- extra_opts='IPv6AcceptRouterAdvertisements=False')
+ try:
+ self.do_test(coldplug=True, ipv6=False,
+ extra_opts='IPv6AcceptRouterAdvertisements=False')
+ except subprocess.CalledProcessError as e:
+ # networkd often fails to start in LXC: https://github.com/systemd/systemd/issues/11848
+ if IS_CONTAINER and e.cmd == ['systemctl', 'start', 'systemd-networkd']:
+ raise unittest.SkipTest('https://github.com/systemd/systemd/issues/11848')
+ else:
+ raise
with open(RESOLV_CONF) as f:
contents = f.read()
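Review bot: This `try`/`except` block is a verbatim copy of the one added in the previous hunk. Please factor it into a small helper on the test class, or a decorator, that wraps `self.do_test(...)`, so the container workaround lives in one place and can be removed in one place once issue 11848 is fixed.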