This repository has been archived by the owner on Aug 6, 2020. It is now read-only.

rebased onto upstreams stable v239 #24

Merged
merged 326 commits into from Oct 31, 2018

Conversation

andir
Member

@andir andir commented Oct 29, 2018

This updates our v239 branch to the latest upstream stable v239 version.

There are a few fixes in here. I initially was just aiming for fixing the DHCPv6 out of bounds access (CVE-2018-15688) but now we might have a bunch more.

I ran a bunch of VM tests (installers and others) from master against this version without any issues. I rebuilt my desktop (18.03, local backport) with config.systemd.package set to the updated version. It booted fine and I am typing on it right now.

The important thing to change in nixpkgs besides just updating the hashes is to also disable dns-over-tls since that requires gnutls. We can also pull in gnutls but I decided against introducing that as dependency when testing.

diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -91,6 +91,7 @@ in stdenv.mkDerivation rec {
     "-Dsulogin-path=${utillinux}/bin/sulogin"
     "-Dmount-path=${utillinux}/bin/mount"
     "-Dumount-path=${utillinux}/bin/umount"
+    "-Ddns-over-tls=false"
   ];
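Review bot: `-Ddns-over-tls=false` is added here without a comment explaining why; the description says the feature needs gnutls, which this change deliberately does not pull in as a dependency. Put that reason in a comment next to the flag (and in the commit message) so the next upgrader knows DNS-over-TLS was disabled on purpose, and note that systemd-resolved consequently cannot encrypt its upstream DNS queries until gnutls is added and the flag is flipped back.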

cc @Mic92 @fpletz

yuwata and others added 30 commits October 29, 2018 02:55
…pping NTP service is finished

Before this, the property changed signal is emitted immediately after
the StartUnit/StopUnit method is called. So the running state of the NTP
client service may not be updated yet.
This defers emitting the property changed signal until the job of
starting/stopping the NTP client service is completed.

Fixes systemd#9672.

(cherry picked from commit 3af0a96)
When DynamicUser=yes and static User= are set, and the user has
different uid and gid, then as the storage socket for the dynamic
user does not contain the gid, we need to obtain the gid.

Follow-up for 9ec655c.

Fixes systemd#9702.

(cherry picked from commit 25a1df7)
This fixes something I think was basically a typo introduced in
db69869.

(cherry picked from commit 3dea688)
(cherry picked from commit c0df8f8)
As the variable 'line' is unsigned.

(cherry picked from commit ca52812)
We would verify destination e.g. in sd_bus_message_new_call, but allow setting
any value later on with sd_bus_message_set_destination. I assume this check was
omitted not on purpose.

(cherry picked from commit 3d51a01)
…gnore

As the comments already say it might be quite likely that
$XDG_RUNTIME_DIR is not set up as mount, and we shouldn't complain about
that.

Moreover, let's make this idempotent, so that a runtime dir that is
already gone and is removed again doesn't cause failure.

(cherry picked from commit 3a13442)
We order user@.service after it, hence we need to properly know when it
finished starting up.

(cherry picked from commit d06e8fb)
…rvice

We use systemd-user-sessions.service as barrier when to allow login
sessions. With this patch user@.service is ordered after that too, so
that any login related code (which user-runtime-dir@.service is) is
guaranteed to run after the barrier, and never before.

(cherry picked from commit eb748ae)
This service won't use much resources, but it's certainly nicer to see
it attached to the user's slice along with user@.service, so that
everything we run for a specific user is properly bound into one unit.

(cherry picked from commit 1193c11)
…odules

Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
(cherry picked from commit 8e7ab35)
Even if built without gcrypt, show the relevant options in help message.
Otherwise, the help message diverges from the man page or suggestions
by the shell completion.

(cherry picked from commit 7289c76)
Turning on ECN still causes slow or broken network on linux. Our tcp
is not yet ready for wide spread use of ECN.

This reverts commit 9194727.

(cherry picked from commit 1e190df)
This replaces strndupa() by strndup() in socket_address_parse(),
as input string may be too long.

Fixes issue 10007 by ClusterFuzz-External:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10007

(cherry picked from commit 8d30fcb)
(cherry picked from commit 0367307)
sfeatures is a "struct ethtool_sfeatures". Use sizeof() on the correct
data type.

Since "struct ethtool_gstrings" is larger than "struct ethtool_sfeatures",
this had no serious consequences.

Fixes: 50725d1
(cherry picked from commit 3301f9e)
This GDB script was converted to use Python 3 along with all other
Python scripts in commit b95f552, but still used the Python 2 print
statement syntax instead of the Python 3 print function. Fix that.

We also add the Python 2 compatibility statement, just in case some GDB
still uses Python 2 instead of Python 3.

(cherry picked from commit e12f397)
Log a warning message in case the network prefix delegated is shorter
than /48.

(cherry picked from commit 3ec8303)
When computing the next network prefix to assign, compute the next
prefix to allocate based on the intended /64 assignment, not the
given prefix length for the whole prefix, e.g. /48, given to
systemd-networkd.

Fixes systemd#9626.

(cherry picked from commit 37f5240)
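The two prefix-delegation fixes above (warn when the delegated prefix is shorter than /48, and step to the next /64 rather than by the length of the whole delegated prefix) can be illustrated with a small added Python script. This is example code written for this page, not systemd-networkd's own implementation; the `buggy=True` branch is a constructed model of the mistake the commit message describes, not the original C code, and the addresses used are documentation-range sample values.

```python
import ipaddress

# Each link gets a /64, as the commit message states.
SUBNET_PREFIXLEN = 64


def check_delegated_prefix(prefix: str):
    """Return a warning string if the delegated prefix is shorter than /48
    (prefix length below 48), otherwise None."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen < 48:
        return f"delegated prefix {net} is shorter than /48"
    return None


def next_prefix(delegated, current, step_prefixlen):
    """Advance `current` by the size of one `step_prefixlen` block and return
    the resulting /64, or None if it would fall outside `delegated`."""
    step = 1 << (128 - step_prefixlen)
    candidate = ipaddress.IPv6Network(
        (int(current.network_address) + step, SUBNET_PREFIXLEN))
    if not candidate.subnet_of(delegated):
        return None
    return candidate


def assign_subnets(prefix: str, count: int, buggy: bool = False):
    """Hand out up to `count` /64 subnets from the delegated `prefix`.

    With buggy=True the step is the size of the whole delegated prefix
    (e.g. 2**80 for a /48), which is the constructed pre-fix behaviour:
    the very next candidate already leaves the delegation.
    """
    delegated = ipaddress.IPv6Network(prefix, strict=False)
    step_prefixlen = delegated.prefixlen if buggy else SUBNET_PREFIXLEN
    current = ipaddress.IPv6Network(
        (int(delegated.network_address), SUBNET_PREFIXLEN))
    assigned = [current]
    while len(assigned) < count:
        current = next_prefix(delegated, current, step_prefixlen)
        if current is None:
            break
        assigned.append(current)
    return [str(n) for n in assigned]


if __name__ == "__main__":
    for p in ("2001:db8::/40", "2001:db8::/48"):
        print(p, "->", check_delegated_prefix(p))
    print("fixed:", assign_subnets("2001:db8::/48", 3))
    print("buggy:", assign_subnets("2001:db8::/48", 3, buggy=True))
```

With a /48 delegation the fixed stepping yields 2001:db8::/64, 2001:db8:0:1::/64, 2001:db8:0:2::/64, while the buggy stepping hands out only the first /64 because adding 2**80 leaves the delegated range immediately.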
fpletz and others added 4 commits October 29, 2018 14:24
By default systemd should read all its configuration from /etc. Therefore
we rely on -Dsysconfdir=/etc in meson as default value. Unfortunately
this would also lead to installation of systemd's own configuration
files to `/etc` whereas we are limited to /nix/store. To counter that
this commit introduces two new configuration variables `factoryconfdir`
and `factorypkgconfdir` to install systemd's own configuration into the nix
store again, while having executables look up files in /etc.
@andir andir changed the title Nixos v239 rebased onto upstreams stable v239 Oct 29, 2018
@@ -108,7 +108,7 @@ static int set_wireguard_interface(NetDev *netdev) {
if (r < 0)
break;

r = sd_netlink_message_append_u32(message, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, peer->persistent_keepalive_interval);
r = sd_netlink_message_append_u16(message, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, peer->persistent_keepalive_interval);
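Review bot: the attribute width for WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL changes from u32 to u16 in this hunk; the size has to match what the kernel's WireGuard netlink interface expects for that attribute or the message is rejected, so state the kernel-side type in the commit message and confirm that `peer->persistent_keepalive_interval` is itself a 16-bit value (or is range-checked when parsed) so nothing is silently truncated. Also confirm that `r` from this append is checked the same way as the preceding one in the visible context (`if (r < 0) break;`).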
Member


oh snap :)

@@ -25,9 +25,9 @@ RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-networkd
WatchdogSec=3min
User=systemd-network
DynamicUser=yes
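Review bot: this hunk swaps between `User=systemd-network` and `DynamicUser=yes`, which changes the uid the daemon runs under, but the rendered hunk does not show which line is removed and which is added, and the thread below only confirms that a systemd-network user exists in modules/system/boot/systemd.nix; state the intended direction in the commit message. If `DynamicUser=yes` is the result, networkd runs under a uid/gid allocated at start, so any state directory or file ownership that assumes the static systemd-network uid needs rechecking; if the static `User=` is kept, that user must stay declared on the NixOS side.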
Member


We have a systemd-network user right?

Member Author


I haven't seen where we define it. My guess right now is that systemd is creating that transparently for us? On the three machines I am running this it looks fine.

Member


It's in modules/system/boot/systemd.nix

@Mic92
Member

Mic92 commented Oct 29, 2018

Wow these are quite a few updates. I would suggest we have a grace period before we backport this.

@grahamc
Member

grahamc commented Oct 31, 2018

Trying this via

{
  systemd.package = (import (pkgs.fetchFromGitHub {
    owner = "andir";
    repo = "nixpkgs";
    rev = "5fd9f68276f7b91f2b2d2336c2d1cc5c5f232adc";
    sha256 = "1bj3xql0fw0a1qbxvvl02lsfpxhacg844p1qswp1y5vwp98xn5la";
    }) {}).systemd;
}

works fine

@andir
Member Author

andir commented Oct 31, 2018

Because of the severity of some of the improvements (RCE, …) I'd argue that the grace period shouldn't be too long.

@fpletz fpletz self-assigned this Oct 31, 2018
@fpletz fpletz merged commit c3f318c into NixOS:nixos-v239 Oct 31, 2018
@andir andir deleted the nixos-v239 branch October 31, 2018 14:40
fpletz added a commit to NixOS/nixpkgs that referenced this pull request Oct 31, 2018
Fixes CVE-2018-15688 and updates latest upstream stable v239 branch.

See NixOS/systemd#24 for details.

Co-authored-by: Andreas Rammhold <andreas@rammhold.de>
fpletz added a commit to NixOS/nixpkgs that referenced this pull request Nov 1, 2018
Fixes CVE-2018-15688 and updates latest upstream stable v239 branch.

See NixOS/systemd#24 for details.

Co-authored-by: Andreas Rammhold <andreas@rammhold.de>
(cherry picked from commit a7912ec)
@vcunat
Member

vcunat commented Nov 3, 2018

Stable branches: we might better just apply important patches, if it's not too complex. Systemd still tends to do relatively intrusive changes – now the tests have caught 6789dca0a26df0 but I'm more afraid of breaking changes not caught by tests just getting to stable.

@andir
Member Author

andir commented Nov 3, 2018 via email

@vcunat
Member

vcunat commented Nov 3, 2018

Do they collect links to such important fixes somewhere? I don't see the security fix in NEWS on their master, so that doesn't seem a good source.

@vcunat
Member

vcunat commented Nov 3, 2018

Hmm, they publish "stable" branches, but I haven't read any statement about them. There still seems to be relatively lots of changed code lines between v239 and current v239-stable, so I don't expect we need to have even nixpkgs master on anything more unstable.

@andir
Member Author

andir commented Nov 3, 2018

Those stable branches are exactly what I used there. They are very intrusive as it turned out. A lot more than what I did expect. Even after reading through all of the commits I thought it would be mostly additional flags and switches and not breaking changes as with the hibernation change.

The MLs are also not very noisy in regards to backports fixes... :/

@vcunat
Member

vcunat commented Nov 3, 2018

Oh, I didn't realize. I see they have roughly 10% of line changes, compared to master, so they are much smaller but they still change a couple thousand lines of C code :-)

@andir
Member Author

andir commented Nov 3, 2018

I started iterating on the bugs that we found and (potentially haven't found) with #25. I think the patchset there can be made obsolete in favor of what I pushed to https://github.com/andir/systemd/commits/nixos-v239-test.

The question for the intermediate time is: Should we risk using one of the fixed versions (#25 or https://github.com/andir/systemd/commits/nixos-v239-test) or revert nixpkgs for now and try to come up with a minimal fix for all the issues that we can identify?

Given that the channels of 18.09 and master are blocked and we haven't been able to bump them since before firefox63, chromium70, … were merged I tend towards reverting for now.

Even after reverting the current (failed) attempt on 18.09 & master we can try to run more tests against one of the proposed patch sets.

The changes done will probably be required as soon as we decide to port systemd v240 to NixOS anyway...

@vcunat
Member

vcunat commented Nov 3, 2018

One way, for our stable releases at least, is to feed off some other packagers that we trust to get (all) important fixes. Well, we can also add some they don't have, if we notice, but doing all the work might be much work for us in systemd case. For example, Debian's stretch-backports is on 239 just as our 18.09.

@vcunat
Member

vcunat commented Nov 3, 2018

OK, let me test that approach for 18.09. Local rebuilds in progress.

@vcunat
Member

vcunat commented Nov 3, 2018

Tests were running fine, including hibernation, so I pushed that to 18.09 to unblock it.

Shall I do the same for master, or do you have other plans? (e.g. keep the version and quickly fixup any regressions)

@andir
Member Author

andir commented Nov 3, 2018 via email

vcunat added a commit to NixOS/nixpkgs that referenced this pull request Nov 4, 2018
This reverts commit d1de23b.
The changes turned out to be too intrusive, so we'll patch instead.
Discussion: NixOS/systemd#24