update systemd to v245 #916

Merged
merged 6 commits into from
Apr 21, 2020
4 changes: 4 additions & 0 deletions packages/login/login.spec
Expand Up @@ -21,7 +21,11 @@ Requires: %{_cross_os}systemd-console
install -d %{buildroot}%{_cross_bindir}
install -p -m 0755 %{S:0} %{buildroot}%{_cross_bindir}/login

install -d %{buildroot}%{_cross_sbindir}
ln -s ../bin/login %{buildroot}%{_cross_sbindir}/sulogin

%files
%{_cross_bindir}/login
%{_cross_sbindir}/sulogin

%changelog
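Review bot: The `sulogin` link added under `%{_cross_sbindir}` carries no comment saying why `login` should also answer to that name, and its relative target `../bin/login` only resolves if `%{_cross_sbindir}` and `%{_cross_bindir}` share a parent directory. Add a one-line spec comment naming what invokes `sulogin`, and confirm that the `login` program behaves as intended when started under that name, since `sulogin` is the name used for single-user and emergency logins and the alias decides what an operator gets at that prompt.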
2 changes: 1 addition & 1 deletion packages/release/prepare-local.service
Expand Up @@ -38,7 +38,7 @@ ExecStart=/usr/bin/mount \
ExecStart=/usr/lib/systemd/systemd-growfs ${LOCAL_DIR}
ExecStart=/usr/bin/mkdir -p ${LOCAL_DIR}/var ${LOCAL_DIR}/opt

RemainAfterExit=false
RemainAfterExit=true
StandardError=journal+console

[Install]
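Review bot: The `RemainAfterExit=` setting flips from `false` to `true` with no comment in the unit, so the reason cannot be recovered from the file. The unit runs several `ExecStart=` commands against `${LOCAL_DIR}` (mount, `systemd-growfs`, `mkdir -p`); with `true` it stays active after they finish, so a later job that pulls the unit in will not run them again. If that is the intent, say so in a comment above the setting.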
@@ -1,7 +1,7 @@
From 8862df96457fa790bb2dea414f89d1fe0a704716 Mon Sep 17 00:00:00 2001
From 4f14d52fb6951f3870bfbe6789471cd75a87c341 Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Sun, 15 Sep 2019 00:21:26 +0000
Subject: [PATCH 9001/9004] move stateful paths to ephemeral storage
Subject: [PATCH 9001/9005] move stateful paths to ephemeral storage

We reserve most of /var for persistent local storage controlled by
the administrator, and want to avoid depending on it for our own
@@ -1,7 +1,7 @@
From 1b3b7345d19a7877026690ef05852dbb4fb0efe8 Mon Sep 17 00:00:00 2001
From 8711db616a17523abcea9615c56233c68cf6a1e5 Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Sun, 15 Sep 2019 00:51:25 +0000
Subject: [PATCH 9002/9004] do not create unused state directories
Subject: [PATCH 9002/9005] do not create unused state directories

We do not use the coredump handler, and the private directories have
been relocated to `/run`.
Expand All @@ -12,11 +12,11 @@ Signed-off-by: Ben Cressey <bcressey@amazon.com>
1 file changed, 7 deletions(-)

diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
index 9c57d3b..30a9bd9 100644
index 11d87d2..c8fb51a 100644
--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
@@ -70,10 +70,3 @@ a+ /var/log/journal/%m - - - - d:group:wheel:r-x
a+ /var/log/journal/%m - - - - group:wheel:r-x
@@ -65,10 +65,3 @@ a+ /var/log/journal - - - - d:group::r-x,d:group:wheel:r-x,group::r-x,group:w
a+ /var/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-x
a+ /var/log/journal/%m/system.journal - - - - group:wheel:r--
'')')')m4_dnl
-
@@ -1,7 +1,7 @@
From 6c298326187075878688ac06f7d99e5b9822aaec Mon Sep 17 00:00:00 2001
From 3cb32d73e064c2f5a6fde71c279b0cfe99e1c6ec Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 17 Sep 2019 01:35:51 +0000
Subject: [PATCH 9003/9004] use absolute path for /var/run symlink
Subject: [PATCH 9003/9005] use absolute path for /var/run symlink

Otherwise the symlink may be broken if /var is a bind mount from
somewhere else.
@@ -1,7 +1,7 @@
From 4d11f5d502ca4a61c491681cdfd99ebe24e3f58c Mon Sep 17 00:00:00 2001
From 2feddea6cbee14216e26a4312f5cb0e546a472ff Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 10 Mar 2020 20:30:10 +0000
Subject: [PATCH 9004/9004] core: add separate timeout for system shutdown
Subject: [PATCH 9004/9005] core: add separate timeout for system shutdown

There is an existing setting for this (DefaultTimeoutStopUSec), but
changing it has no effect because `reset_arguments()` is called just
Expand All @@ -19,7 +19,7 @@ Signed-off-by: Ben Cressey <bcressey@amazon.com>
2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/basic/def.h b/src/basic/def.h
index 970654a..b02f6f0 100644
index 970654a..9251bb9 100644
--- a/src/basic/def.h
+++ b/src/basic/def.h
@@ -13,6 +13,9 @@
Expand All @@ -33,7 +33,7 @@ index 970654a..b02f6f0 100644
#define DEFAULT_UNIX_MAX_DGRAM_QLEN 512UL

diff --git a/src/core/main.c b/src/core/main.c
index c24b696..8ffa09f 100644
index 3c6b66e..f2e9776 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -114,6 +114,7 @@ static ExecOutput arg_default_std_error;
Expand All @@ -44,7 +44,7 @@ index c24b696..8ffa09f 100644
static usec_t arg_default_timeout_abort_usec;
static bool arg_default_timeout_abort_set;
static usec_t arg_default_start_limit_interval;
@@ -1389,7 +1390,7 @@ static int become_shutdown(
@@ -1398,7 +1399,7 @@ static int become_shutdown(
env_block = strv_copy(environ);

xsprintf(log_level, "%d", log_get_max_level());
Expand All @@ -53,7 +53,7 @@ index c24b696..8ffa09f 100644

switch (log_get_target()) {

@@ -2124,6 +2125,7 @@ static void reset_arguments(void) {
@@ -2151,6 +2152,7 @@ static void reset_arguments(void) {
arg_default_restart_usec = DEFAULT_RESTART_USEC;
arg_default_timeout_start_usec = DEFAULT_TIMEOUT_USEC;
arg_default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC;
178 changes: 178 additions & 0 deletions packages/systemd/9005-repart-always-use-random-UUIDs.patch
@@ -0,0 +1,178 @@
From b96a0d9b2449719a7152f4b3c2871fd3b18a8ebf Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Thu, 16 Apr 2020 15:10:41 +0000
Subject: [PATCH 9005/9005] repart: always use random UUIDs

We would like to avoid adding OpenSSL to the base OS, and for our use
case we do not need the UUIDs assigned to disks or partitions to be
reproducible.

The upstream implementation keys off machine ID, and we will almost
always be resizing the local data partition on first boot, when the
machine ID will be freshly generated and therefore also random.

This takes the fallback case of generating a random UUID in the event
of a collision and makes it the default behavior for both partition
and disk UUIDs.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
meson.build | 3 +-
src/partition/repart.c | 101 ++++++-----------------------------------
2 files changed, 14 insertions(+), 90 deletions(-)

diff --git a/meson.build b/meson.build
index fc216d2..eb28daa 100644
--- a/meson.build
+++ b/meson.build
@@ -1305,8 +1305,7 @@ substs.set('DEFAULT_DNS_OVER_TLS_MODE', default_dns_over_tls)

want_repart = get_option('repart')
if want_repart != 'false'
- have = (conf.get('HAVE_OPENSSL') == 1 and
- conf.get('HAVE_LIBFDISK') == 1)
+ have = (conf.get('HAVE_LIBFDISK') == 1)
if want_repart == 'true' and not have
error('repart support was requested, but dependencies are not available')
endif
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 3e52f26..93f6834 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -13,9 +13,6 @@
#include <sys/ioctl.h>
#include <sys/stat.h>

-#include <openssl/hmac.h>
-#include <openssl/sha.h>
-
#include "sd-id128.h"

#include "alloc-util.h"
@@ -1143,26 +1140,18 @@ static int fdisk_set_disklabel_id_by_uuid(struct fdisk_context *c, sd_id128_t id
#define DISK_UUID_TOKEN "disk-uuid"

static int disk_acquire_uuid(Context *context, sd_id128_t *ret) {
- union {
- unsigned char md[SHA256_DIGEST_LENGTH];
- sd_id128_t id;
- } result;
+ sd_id128_t id;
+ int r;

assert(context);
assert(ret);

- /* Calculate the HMAC-SHA256 of the string "disk-uuid", keyed off the machine ID. We use the machine
- * ID as key (and not as cleartext!) since it's the machine ID we don't want to leak. */
-
- if (!HMAC(EVP_sha256(),
- &context->seed, sizeof(context->seed),
- (const unsigned char*) DISK_UUID_TOKEN, strlen(DISK_UUID_TOKEN),
- result.md, NULL))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "HMAC-SHA256 calculation failed.");
+ /* Calculate a random UUID for the indicated disk. */
+ r = sd_id128_randomize(&id);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate randomized UUID: %m");

- /* Take the first half, mark it as v4 UUID */
- assert_cc(sizeof(result.md) == sizeof(result.id) * 2);
- *ret = id128_make_v4_uuid(result.id);
+ *ret = id;
return 0;
}

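Review bot: In `disk_acquire_uuid()` the `DISK_UUID_TOKEN` define kept just above the function loses its only visible user once the `HMAC()` call is removed, and `context` is now only asserted. Either drop the define in this patch or note that it stays to keep the diff against upstream small. The removed code also marked its result with `id128_make_v4_uuid()`; `sd_id128_randomize()` already returns a v4-marked ID, so the result is still a valid v4 UUID, but the new comment could say so for whoever rebases this patch next.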
@@ -2073,83 +2062,19 @@ static int context_wipe_and_discard(Context *context, bool from_scratch) {
}

static int partition_acquire_uuid(Context *context, Partition *p, sd_id128_t *ret) {
- struct {
- sd_id128_t type_uuid;
- uint64_t counter;
- } _packed_ plaintext = {};
- union {
- unsigned char md[SHA256_DIGEST_LENGTH];
- sd_id128_t id;
- } result;
-
- uint64_t k = 0;
- Partition *q;
+ sd_id128_t id;
int r;

assert(context);
assert(p);
assert(ret);

- /* Calculate a good UUID for the indicated partition. We want a certain degree of reproducibility,
- * hence we won't generate the UUIDs randomly. Instead we use a cryptographic hash (precisely:
- * HMAC-SHA256) to derive them from a single seed. The seed is generally the machine ID of the
- * installation we are processing, but if random behaviour is desired can be random, too. We use the
- * seed value as key for the HMAC (since the machine ID is something we generally don't want to leak)
- * and the partition type as plaintext. The partition type is suffixed with a counter (only for the
- * second and later partition of the same type) if we have more than one partition of the same
- * time. Or in other words:
- *
- * With:
- * SEED := /etc/machine-id
- *
- * If first partition instance of type TYPE_UUID:
- * PARTITION_UUID := HMAC-SHA256(SEED, TYPE_UUID)
- *
- * For all later partition instances of type TYPE_UUID with INSTANCE being the LE64 encoded instance number:
- * PARTITION_UUID := HMAC-SHA256(SEED, TYPE_UUID || INSTANCE)
- */
-
- LIST_FOREACH(partitions, q, context->partitions) {
- if (p == q)
- break;
-
- if (!sd_id128_equal(p->type_uuid, q->type_uuid))
- continue;
-
- k++;
- }
-
- plaintext.type_uuid = p->type_uuid;
- plaintext.counter = htole64(k);
-
- if (!HMAC(EVP_sha256(),
- &context->seed, sizeof(context->seed),
- (const unsigned char*) &plaintext, k == 0 ? sizeof(sd_id128_t) : sizeof(plaintext),
- result.md, NULL))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "SHA256 calculation failed.");
-
- /* Take the first half, mark it as v4 UUID */
- assert_cc(sizeof(result.md) == sizeof(result.id) * 2);
- result.id = id128_make_v4_uuid(result.id);
-
- /* Ensure this partition UUID is actually unique, and there's no remaining partition from an earlier run? */
- LIST_FOREACH(partitions, q, context->partitions) {
- if (p == q)
- continue;
-
- if (sd_id128_equal(q->current_uuid, result.id) ||
- sd_id128_equal(q->new_uuid, result.id)) {
- log_warning("Partition UUID calculated from seed for partition %" PRIu64 " exists already, reverting to randomized UUID.", p->partno);
-
- r = sd_id128_randomize(&result.id);
- if (r < 0)
- return log_error_errno(r, "Failed to generate randomized UUID: %m");
-
- break;
- }
- }
+ /* Calculate a random UUID for the indicated partition. */
+ r = sd_id128_randomize(&id);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate randomized UUID: %m");

- *ret = result.id;
+ *ret = id;
return 0;
}

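Review bot: After this hunk nothing in `partition_acquire_uuid()` reads `context->seed`, and `disk_acquire_uuid()` above no longer does either, so whatever populates the seed (the removed comment names the machine ID, or a random value) silently stops influencing the UUIDs. The commit message covers the loss of reproducibility, but the new one-line code comment does not; add a sentence there saying the seed is ignored in this build. The removed loop that compared the result against every partition's `current_uuid` and `new_uuid` is gone as well. Relying on a random 128-bit ID for uniqueness is reasonable, but it is now an assumption and deserves a word in the comment.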
--
2.21.0

4 changes: 2 additions & 2 deletions packages/systemd/Cargo.toml
Expand Up @@ -9,8 +9,8 @@ build = "build.rs"
path = "pkg.rs"

[[package.metadata.build-package.external-files]]
url = "/~https://github.com/systemd/systemd/archive/v244/systemd-244.tar.gz"
sha512 = "08f260fb15b5eb273faafda826dd9154e9a02841b4c5911cc1c7e1445072ad51389f8cced7b9acf112737c20fd56b2fbf48b3f914733c934c774d38a23b616fb"
url = "/~https://github.com/systemd/systemd/archive/v245/systemd-245.tar.gz"
sha512 = "1b80d0e02472dfc4197f11dab4f56cf90e8a6e105ce19f837cb11335b6d8577ed49031dad94cdb41aa9bdc06ec8eec62c8e9246272b83935e7bb9dcd3cd8c012"

[build-dependencies]
glibc = { path = "../glibc" }
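Review bot: The new `sha512` value is the only integrity check on the tarball fetched from the `v245` archive URL, and the diff gives no indication of how it was obtained. Record in the PR how the digest was produced, ideally from a tarball fetched independently of the build host and compared against the upstream tag, because a digest computed from whatever the build downloaded only pins that one download.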