Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

systemd 215-15 hit unstable two days ago. There have been no new RC bugs since 215-14, so for a change this is a "polishing" upload with small and safe fixes for some corner cases. One was already pre-approved. So far there have been no regression reports, and these changes have already been tested in experimental, Ubuntu, and upstream for a much longer time, so I'm quite confident in them.

I attach the full debdiff between 215-14 and -15, but as usual I also link to the individual commits on anonscm. Note that there are zero changes for udev-udeb (for d-i).

Annotated changelog:

|systemd (215-15) unstable; urgency=medium
|
|  [ Adam Conrad ]
|  * debian/systemd.{triggers,postinst}: Trigger a systemctl daemon-reload
|    when init scripts are installed or removed (Closes: #766429)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=e32b9e9b8b

Adam got this pre-ack'ed by the release team already. This doesn't actually affect any existing package in Jessie, but there were several reports about "I am packaging foo and stumbled over this". There might also be some third-party packages which are affected by this. After the update-rc.d fix in sysvinit for the same bug this really just covers some small corner cases, but systemctl daemon-reload is relatively cheap and quite safe (it's already called from update-rc.d, invoke-rc.d, and various maintscripts).

|  [ Martin Pitt ]
|  * Fix getty restart loop when PTS device is gone. (Closes: #780711)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=72f6dc81

Backported from upstream, affects containers, simple declarative change. No practical effect on "real iron" and VM installs as PTYs don't just disappear there.

|  * Run timesyncd in virtual machines. (Closes: #762343)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=3138dc8dc5

Backported from upstream, affects VMs only, simple declarative change. No practical effect on "real iron" installs. Also, in jessie timesyncd is *not* enabled by default anyway (only in experimental), so it does not even affect default installs in VMs.

|  * Make logind work in environments without CAP_SYS_ADMIN (mostly
|    containers). Thanks Christian Seiler for the backporting!
|    (Closes: #778608)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=50446f97

Backported from upstream. Affects containers only (i. e. makes containers without CAP_SYS_ADMIN actually work). No practical effect on real-iron and VMs as they do have CAP_SYS_ADMIN and this code change only affects the fallback code paths in the error handling.

|  * Check for correct signatures when setting properties. Fixes systemd
|    getting stuck on trying to set invalid property types. (Closes: #781602)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=bf86d1

Backported from upstream. Affects all kinds of installations. I'd like to get this in as without the type check it's very simple to send an ill-typed D-Bus property set request to essentially wreck pid 1. The code change is straightforward (just an additional type check).

| -- Martin Pitt <mpitt@debian.org> Thu, 09 Apr 2015 10:12:37 +0200

Thanks for considering,

Martin

unblock systemd/215-15

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
diff --git a/debian/changelog b/debian/changelog index b5ac97e..929502c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +systemd (215-15) unstable; urgency=medium + + [ Adam Conrad ] + * debian/systemd.{triggers,postinst}: Trigger a systemctl daemon-reload + when init scripts are installed or removed (Closes: #766429) + + [ Martin Pitt ] + * Fix getty restart loop when PTS device is gone. (Closes: #780711) + * Run timesyncd in virtual machines. (Closes: #762343) + * Make logind work in environments without CAP_SYS_ADMIN (mostly + containers). Thanks Christian Seiler for the backporting! + (Closes: #778608) + * Check for correct signatures when setting properties. Fixes systemd + getting stuck on trying to set invalid property types. (Closes: #781602) + + -- Martin Pitt <mpitt@debian.org> Thu, 09 Apr 2015 10:12:37 +0200 + systemd (215-14) unstable; urgency=medium [ Michael Biebl ] diff --git a/debian/patches/logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch b/debian/patches/logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch new file mode 100644 index 0000000..d5ab4ae --- /dev/null +++ b/debian/patches/logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch 
@@ -0,0 +1,56 @@ +From: Christian Seiler <christian@iwakd.de> +Date: Wed, 8 Apr 2015 11:11:46 +0200 +Subject: logind: handle runtime dir without CAP_SYS_ADMIN + +In (e.g. LXC) containers without CAP_SYS_ADMIN, logind fails to mount +a tmpfs over /run/user/$UID (lacking mount permissions). + +Now, logind will resort to chown+chmod of the directory instead. This +allows logind to still work in those environments, although without +the guarantees it provides (i.e. users not being able to DoS /run or +other users' /run/user/$UID space) when CAP_SYS_ADMIN is available. +--- + src/login/logind-user.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/src/login/logind-user.c b/src/login/logind-user.c +index fdbccb3..b5e58c1 100644 +--- a/src/login/logind-user.c ++++ b/src/login/logind-user.c +@@ -332,8 +332,21 @@ static int user_mkdir_runtime_path(User *u) { + + r = mount("tmpfs", p, "tmpfs", MS_NODEV|MS_NOSUID, t); + if (r < 0) { +- log_error("Failed to mount per-user tmpfs directory %s: %s", p, strerror(-r)); +- goto fail; ++ r = -errno; ++ if (r != -EPERM) { ++ log_error("Failed to mount per-user tmpfs directory %s: %m", p); ++ goto fail; ++ } ++ ++ /* Lacking permissions, maybe ++ * CAP_SYS_ADMIN-less container? In this case, ++ * just use a normal director. */ ++ ++ r = chmod_and_chown(p, 0700, u->uid, u->gid); ++ if (r < 0) { ++ log_error("Failed to change runtime directory ownership and mode: %s", strerror(-r)); ++ goto fail; ++ } + } + } + +@@ -341,7 +354,11 @@ static int user_mkdir_runtime_path(User *u) { + return 0; + + fail: +- free(p); ++ if (p) { ++ /* Try to clean up, but ignore errors */ ++ (void) rmdir(p); ++ free(p); ++ } + u->runtime_path = NULL; + return r; + } diff --git a/debian/patches/sd-bus-create-clean-error-when-a-property-Set-call-w.patch b/debian/patches/sd-bus-create-clean-error-when-a-property-Set-call-w.patch new file mode 100644 index 0000000..be4228f --- /dev/null 
+++ b/debian/patches/sd-bus-create-clean-error-when-a-property-Set-call-w.patch @@ -0,0 +1,37 @@ +From: Lennart Poettering <lennart@poettering.net> +Date: Thu, 20 Nov 2014 20:58:39 +0100 +Subject: sd-bus: create clean error when a property Set() call with incorrect + signature is passed in + +--- + src/libsystemd/sd-bus/bus-objects.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c +index dbb04e5..d8ee8ff 100644 +--- a/src/libsystemd/sd-bus/bus-objects.c ++++ b/src/libsystemd/sd-bus/bus-objects.c +@@ -619,6 +619,9 @@ static int property_get_set_callbacks_run( + return r; + + } else { ++ const char *signature = NULL; ++ char type = 0; ++ + if (c->vtable->type != _SD_BUS_VTABLE_WRITABLE_PROPERTY) + return sd_bus_reply_method_errorf(m, SD_BUS_ERROR_PROPERTY_READ_ONLY, "Property '%s' is not writable.", c->member); + +@@ -630,6 +633,13 @@ static int property_get_set_callbacks_run( + + c->last_iteration = bus->iteration_counter; + ++ r = sd_bus_message_peek_type(m, &type, &signature); ++ if (r < 0) ++ return r; ++ ++ if (type != 'v' || !streq(strempty(signature), strempty(c->vtable->x.property.signature))) ++ return sd_bus_reply_method_errorf(m, SD_BUS_ERROR_INVALID_ARGS, "Incorrect parameters for property '%s', expected '%s', got '%s'.", c->member, strempty(c->vtable->x.property.signature), strempty(signature)); ++ + r = sd_bus_message_enter_container(m, 'v', c->vtable->x.property.signature); + if (r < 0) + return r; diff --git a/debian/patches/series b/debian/patches/series index 450d093..1fdc97f 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -144,6 +144,10 @@ scope-make-attachment-of-initial-PIDs-a-bit-more-rob.patch journald-also-increase-the-SendBuffer-of-dev-log-to-.patch list-add-macro-for-iterating-through-a-list-an-item-.patch core-if-two-start-jobs-for-the-same-swap-device-node.patch +units-make-sure-container-getty-.service-stops-resta.patch +timesyncd-enable-timesyncd-in-virtual-machines.patch +logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch +sd-bus-create-clean-error-when-a-property-Set-call-w.patch ## Debian specific patches: Add-back-support-for-Debian-specific-config-files.patch diff --git a/debian/patches/timesyncd-enable-timesyncd-in-virtual-machines.patch b/debian/patches/timesyncd-enable-timesyncd-in-virtual-machines.patch new file mode 100644 index 0000000..48752e9 --- /dev/null +++ b/debian/patches/timesyncd-enable-timesyncd-in-virtual-machines.patch 
@@ -0,0 +1,35 @@ +From: Kay Sievers <kay@vrfy.org> +Date: Sun, 15 Mar 2015 19:44:59 +0100 +Subject: timesyncd: enable timesyncd in virtual machines + +On Fri, Mar 13, 2015 at 8:25 PM, Michael Marineau <michael.marineau@coreos.com> wrote: +> Currently systemd-timesyncd.service includes +> ConditionVirtualization=no, disabling it in both containers and +> virtual machines. Each VM platform tends to deal with or ignore the +> time problem in their own special ways, KVM/QEMU has the kernel time +> source kvm-clock, Xen has had different schemes over the years, VMware +> expects a userspace daemon sync the clock, and other platforms are +> content to drift with the wind as far as I can tell. +> +> I don't know of a robust way to know if a platform needs a little +> extra help from userspace to keep the clock sane or not but it seems +> generally safer to try than to risk drifting. Does anyone know of a +> reason to leave timesyncd off by default? Otherwise switching to +> ConditionVirtualization=!container should be reasonable. +--- + units/systemd-timesyncd.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in +index 39edafc..8219c95 100644 +--- a/units/systemd-timesyncd.service.in ++++ b/units/systemd-timesyncd.service.in +@@ -9,7 +9,7 @@ + Description=Network Time Synchronization + Documentation=man:systemd-timesyncd.service(8) + ConditionCapability=CAP_SYS_TIME +-ConditionVirtualization=no ++ConditionVirtualization=!container + DefaultDependencies=no + RequiresMountsFor=/var/lib/systemd/clock + After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service diff --git a/debian/patches/units-make-sure-container-getty-.service-stops-resta.patch b/debian/patches/units-make-sure-container-getty-.service-stops-resta.patch new file mode 100644 index 0000000..259a2a1 --- /dev/null 
+++ b/debian/patches/units-make-sure-container-getty-.service-stops-resta.patch @@ -0,0 +1,25 @@ +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 9 Dec 2014 02:12:11 +0100 +Subject: units: make sure container-getty@.service stops restarting when the + pts device it is bound to is gone + +We only want to restart the getty as long as the pts device is still +around. As soon as it is gone, the service should be removed to. + +http://lists.freedesktop.org/archives/systemd-devel/2014-December/026048.html +--- + units/container-getty@.service.m4.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/container-getty@.service.m4.in b/units/container-getty@.service.m4.in +index 4f7794b..5120466 100644 +--- a/units/container-getty@.service.m4.in ++++ b/units/container-getty@.service.m4.in +@@ -14,6 +14,7 @@ After=rc-local.service + )m4_dnl + Before=getty.target + IgnoreOnIsolate=yes ++ConditionPathExists=/dev/pts/%I + + [Service] + ExecStart=-/sbin/agetty --noclear --keep-baud pts/%I 115200,38400,9600 $TERM diff --git a/debian/systemd.postinst b/debian/systemd.postinst index de92c57..7a45dbf 100644 --- a/debian/systemd.postinst +++ b/debian/systemd.postinst @@ -12,9 +12,19 @@ _update_catalog() { journalctl --update-catalog || true } -# Update Message Catalogs database in response to dpkg trigger +# Update Message Catalogs database and reload in response to dpkg triggers if [ "$1" = "triggered" ]; then - _update_catalog + shift + for trigger in "$@"; do + case $trigger in + /usr/lib/systemd/catalog) + _update_catalog + ;; + /etc/init.d) + _systemctl daemon-reload + ;; + esac + done exit 0 fi diff --git a/debian/systemd.triggers b/debian/systemd.triggers index 69246ec..299a3f9 100644 --- a/debian/systemd.triggers +++ b/debian/systemd.triggers @@ -1 +1,2 @@ interest-noawait /usr/lib/systemd/catalog +interest-noawait /etc/init.d
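Review bot: in the logind patch's first hunk of user_mkdir_runtime_path(), the new comment reads `just use a normal director.` and should say `directory`. For the record, the same hunk also corrects the pre-existing error message: mount() returns -1 on failure, so the removed `strerror(-r)` always printed the text for errno 1 (EPERM) whatever the real cause, while the new `r = -errno` followed by `%m` reports the actual error. Since the chmod_and_chown() fallback gives up the per-user tmpfs isolation that the commit message describes, consider a log_debug() on that path so an administrator can tell from the journal which mode a container ended up in.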
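Review bot: in the sd-bus patch's second hunk of property_get_set_callbacks_run(), the new sd_bus_message_peek_type() check rejects a Set() whose argument is not a variant, or whose variant signature differs from the vtable's `x.property.signature`, with SD_BUS_ERROR_INVALID_ARGS before sd_bus_message_enter_container() is reached with a mismatched type; that is the right place for it, since the caller gets a clean error rather than the stuck state described in the changelog. The patch carries no test, though: a regression test that sends a Set() with a wrongly typed variant and asserts the InvalidArgs reply would guard this path against future refactoring.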
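Review bot: the timesyncd patch's commit message consists only of the quoted mailing-list question and never states the decision taken; a sentence such as "switch to ConditionVirtualization=!container so that VMs get userspace time synchronisation while containers stay excluded" would document the rationale for the one-line unit change. The hunk keeps ConditionCapability=CAP_SYS_TIME directly above the changed line, so timesyncd still will not start in an environment where the clock cannot be set.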
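Review bot: the container-getty patch's commit message has a typo, "the service should be removed to." should read "too". The added `ConditionPathExists=/dev/pts/%I` is the right mechanism for the restart loop: unit conditions are evaluated on every start attempt, so once the pts device is gone the next restart is skipped rather than failing again.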
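Review bot: the debian/systemd.postinst hunk calls `_systemctl daemon-reload` in the new `/etc/init.d)` case, but `_systemctl` is not defined anywhere in the visible context (only `_update_catalog` is); confirm it exists earlier in the script and that it skips or tolerates the call when systemd is not the running init, since postinst also runs under sysvinit and in chroots. The rewrite from a single `_update_catalog` call to `shift` plus `for trigger in "$@"` is otherwise correct: dpkg passes all pending trigger names as arguments after "triggered", and the case statement dispatches each one.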