packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 11:17:58 -04:00
commit d04d10aa25
34 changed files with 3455 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch Normal file
View File

@ -0,0 +1,178 @@
From 224a4eaf6701431af907179e313138213b60ce6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 3 Apr 2019 10:56:14 +0200
Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
services"
This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
---
units/systemd-coredump@.service.in | 1 -
units/systemd-hostnamed.service.in | 1 -
units/systemd-initctl.service.in | 1 -
units/systemd-journal-remote.service.in | 1 -
units/systemd-journald.service.in | 1 -
units/systemd-localed.service.in | 1 -
units/systemd-logind.service.in | 1 -
units/systemd-machined.service.in | 1 -
units/systemd-networkd.service.in | 1 -
units/systemd-resolved.service.in | 1 -
units/systemd-rfkill.service.in | 1 -
units/systemd-timedated.service.in | 1 -
units/systemd-timesyncd.service.in | 1 -
13 files changed, 13 deletions(-)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index afb2ab9d17..5babc11e4c 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,7 +22,6 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
Nice=9
-NoNewPrivileges=yes
OOMScoreAdjust=500
PrivateDevices=yes
PrivateNetwork=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index b4f606cf78..f7977e1504 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index c276283908..f48d673d58 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,6 +14,5 @@ DefaultDependencies=no
[Service]
ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
NotifyAccess=all
SystemCallArchitectures=native
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index dd6322e62c..c867aca104 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index fab405502a..308622e9b3 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 7bca34409a..05fb4f0c80 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 3eef95c661..53af530aea 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index d6deefea08..092abc128f 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
ProtectHostname=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 2c74da6f1e..eaabcb9941 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index eee5d5ea8f..a8f442ef6f 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!@rootlibexecdir@/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 3abb958310..7447ed5b5b 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,7 +18,6 @@ Before=shutdown.target
[Service]
ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
StateDirectory=systemd/rfkill
TimeoutSec=30s
Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index df546f471f..4d50999a22 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 6512531e1c..2b2e1d73d2 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes

48
0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch Normal file
View File

@ -0,0 +1,48 @@
From 0c670fec00f3d5c103d9b7415d4e0510c61ad006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 11 Mar 2016 17:06:17 -0500
Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
If the symlink doesn't exists, and we are being started, let's
create it to provie name resolution.
If it exists, do nothing. In particular, if it is a broken symlink,
we cannot really know if the administator configured it to point to
a location used by some service that hasn't started yet, so we
don't touch it in that case either.
https://bugzilla.redhat.com/show_bug.cgi?id=1313085
---
src/resolve/resolved.c | 4 ++++
tmpfiles.d/etc.conf.m4 | 3 ---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 2ca9fbdc72..3c8a9ff12a 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -49,6 +49,10 @@ static int run(int argc, char *argv[]) {
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
* privileges are already dropped. */
if (getuid() == 0) {
+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
+ if (r < 0 && errno != EEXIST)
+ log_warning_errno(errno,
+ "Could not create /etc/resolv.conf symlink: %m");
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
r = drop_privileges(uid, gid,
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index f82e0b82ce..66a777bdb2 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
m4_ifdef(`HAVE_SMACK_RUN_LABEL',
t /etc/mtab - - - - security.SMACK64=_
)m4_dnl
-m4_ifdef(`ENABLE_RESOLVE',
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
-)m4_dnl
C! /etc/nsswitch.conf - - - -
m4_ifdef(`HAVE_PAM',
C! /etc/pam.d - - - -

54
1509-fix-journal-file-descriptors-leak-problems.patch Normal file
View File

@ -0,0 +1,54 @@
From 4f8cec1924bf00532f5350d9a4d7af8e853241fe Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Thu, 28 Jun 2018 20:23:45 +0800
Subject: [PATCH] systemd-journald: Fix journal file descriptors leak problems.
Journal files opened and then be removed by external programs(for example, the journal rotation
of systemd-journald will removed jounal files) before journal directory notify watching is added
will not be closed properly. This patch fix this problem by removing and closing these deleted journal files
after notify watching is added.
---
src/journal/sd-journal.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/journal/sd-journal.c b/src/journal/sd-journal.c
index 004fe64..8be5481 100644
--- a/src/journal/sd-journal.c
+++ b/src/journal/sd-journal.c
@@ -1436,6 +1436,18 @@ fail:
log_debug_errno(errno, "Failed to enumerate directory %s, ignoring: %m", m->path);
}
+static void remove_nonexistent_journal_files(sd_journal *j) {
+ Iterator i;
+ JournalFile *f = NULL;
+ ORDERED_HASHMAP_FOREACH(f, j->files, i) {
+ if(f->path && access(f->path, F_OK) < 0) {
+ log_debug("Remove not-existed file from the journal map: %s", f->path);
+ /*Its OK to remove entry from the hashmap although we are iterating on it.*/
+ remove_file_real(j, f);
+ }
+ }
+}
+
static void directory_watch(sd_journal *j, Directory *m, int fd, uint32_t mask) {
int r;
@@ -1464,6 +1476,14 @@ static void directory_watch(sd_journal *j, Directory *m, int fd, uint32_t mask)
(void) inotify_rm_watch(j->inotify_fd, m->wd);
m->wd = -1;
}
+
+ /*
+ * Before event watching, there were some files opened and if some of these opened files were
+ * deleted due to the journal rotation of systemd-jounald, they will become leaking files and will
+ * never be closed until the process exited.
+ * So here we remove these deleted files from the journal after event watching.
+ */
+ remove_nonexistent_journal_files(j);
}
static int add_directory(sd_journal *j, const char *prefix, const char *dirname) {
--
1.8.3.1

44
1602-activation-service-must-be-restarted-when-reactivated.patch Normal file
View File

@ -0,0 +1,44 @@
From 4acc8a3168e5f11b5308cf8558d68bf2a0503444 Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Mon, 7 Aug 2017 17:06:30 +0800
Subject: [PATCH] systemd: Activation service must be restarted when it is already started and re-actived
by dbus
When dbus-daemon service is killed, every activation service must be restarted
to reestblished dbus connection between dbus-daemon and the service.
Otherwise, there will be problem on the dbus connection. This patch fix this
problem by set JobType to JOB_RESTART when it is re-actived in signal_activation_request function.
---
src/core/dbus.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/core/dbus.c b/src/core/dbus.c
index 29524d4..38940ef 100644
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -152,6 +152,8 @@ static int signal_activation_request(sd_bus_message *message, void *userdata, sd
const char *name;
Unit *u;
int r;
+ int jobtype;
+ Service *s = NULL;
assert(message);
assert(m);
@@ -177,7 +179,13 @@ static int signal_activation_request(sd_bus_message *message, void *userdata, sd
goto failed;
}
- r = manager_add_job(m, JOB_START, u, JOB_REPLACE, NULL, &error, NULL);
+ jobtype = JOB_START;
+ s = SERVICE(u);
+ if(s && s->state != SERVICE_DEAD) {
+ jobtype = JOB_RESTART;
+ log_unit_info(u, "Service '%s' will be restarted to activate the service. The current service state is %d.", u->id, s->state);
+ }
+ r = manager_add_job(m, jobtype, u, JOB_REPLACE, NULL, &error, NULL);
if (r < 0)
goto failed;
--
1.8.3.1

40
1605-systemd-core-fix-problem-of-dbus-service-can-not-be-started.patch Normal file
View File

@ -0,0 +1,40 @@
From bf589755bd5b084f1b5dd099ea3e4917ac9911fd Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Thu, 14 Sep 2017 12:54:01 +0800
Subject: [PATCH] systemd-core: fix problem of dbus service can not be started
when dbus is dead and state of system dbus of systemd stay in
BUS_AUTHENTICATING.
When systemd starts a dbus communication, it will first authenticate the bus by communicating with polkitd service, and then enter running state.
But if authenticating can not be establised within 25s(default timeout seconds) since authenticating starts
(maybe caused by polkitd service or dbus service can not be activated in time), the dbus state in systemd side will stays in BUS_AUTHENTICATING state,
and systemd will enter a mad state that it will handle authenticating(in bus_process_internal function) very frequently and will have no any change to
service for events of restarting services(by systemctl restart dbus.service --no-ask-password --no-block). So that the dbus service will never be restarted successfully.
systemd will enter such a state is caused by the timeout setting in sd_bus_get_timeout function. When in BUS_AUTHENTICATING state, the timeout is set
to a fix value of bus->auth_timeout(authenticating start time + 25s), if auth_timeout is an expired time, but not a furture time, systemd will always service
for the callback of function of dbus(time_callback) with no any delay when it got its chance, and leave no chance for events of restarting services.
This patch fix this problem by fixing the timeout to a furture time when bus->auth_timeout is expired.
---
src/libsystemd/sd-bus/sd-bus.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index b0a3237..ca626d3 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -2267,7 +2267,11 @@ _public_ int sd_bus_get_timeout(sd_bus *bus, uint64_t *timeout_usec) {
switch (bus->state) {
case BUS_AUTHENTICATING:
- *timeout_usec = bus->auth_timeout;
+ //delay 1 second to ensure it is a furture time but not an expired time
+ if(bus->auth_timeout <= now(CLOCK_MONOTONIC))
+ *timeout_usec = now(CLOCK_MONOTONIC) + USEC_PER_SEC;
+ else
+ *timeout_usec = bus->auth_timeout;
return 1;
case BUS_RUNNING:
--
1.8.3.1

222
1610-add-new-rules-for-lower-priority-events-to-preempt.patch Normal file
View File

@ -0,0 +1,222 @@
From 49f6a75e648c113fa9985675f47f78a4cd57c084 Mon Sep 17 00:00:00 2001
From: yangbin <robin.yb@huawei.com>
Date: Fri, 26 Jul 2019 10:02:58 +0800
Subject: [PATCH] systemd-core: Add new rules for lower priority events to
preempt over higher priority events
1. When a high priority event happenes very frequent, and this event takes long time for execution,systemd will get into busy for handling this event only, and lower priority events will have no any change to dispatch and run.
2. One example is the event for /proc/self/mountinfo, which have a very high priority with -10.
When there are many mountpoints in mountinfo(for example, there may be many netns mountpoints),this event will take long time to finish.
Then if now there are mountpoints in repeating mounting and unmounting(for example, /run/user/uid mountpoint will be mounted then unmounted when for one su command),
this event will take all time of systemd, and lower priority lower events will not be dispatched anyway.
This will case a very severity problem that zombie process will not be reaped, for the evnet for reaping zombies has a lower priority of -6.
3. This patch fix this problem by add the following rules to allow lower priority events to preempt over higher priority events.
a) If a higher priority event has already been execute for a certain count in consecutive, it can be preempted by lower priority events. The default value for this count is 10, and can be configured through 'sd_event_source_set_preempt_dispatch_count'.
b) If a lower priority gets into pending for 10 times in consecutive, it can preempt over higher priority events.
c) If a lower priority is in pending, and is not dispatched over 50 iteration, it can preempt over higher priority events.
d) The above rules only works for events with priority equal or higher than 'SD_EVENT_PRIORITY_NORMAL' or evnets with type of SOURCE_DEFER, since SOURCE_DEFER events is used for job running queues.
---
src/core/mount.c | 4 ++
src/libsystemd/sd-event/sd-event.c | 87 ++++++++++++++++++++++++++++++
src/systemd/sd-event.h | 1 +
3 files changed, 92 insertions(+)
diff --git a/src/core/mount.c b/src/core/mount.c
index 1b94ab4..78b6e30 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -1742,6 +1742,10 @@ static void mount_enumerate(Manager *m) {
goto fail;
}
+ r = sd_event_source_set_preempt_dispatch_count(m->mount_event_source, 5);
+ if (r < 0)
+ goto fail;
+
(void) sd_event_source_set_description(m->mount_event_source, "mount-monitor-dispatch");
}
diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
index d53b9a7..7e33061 100644
--- a/src/libsystemd/sd-event/sd-event.c
+++ b/src/libsystemd/sd-event/sd-event.c
@@ -26,6 +26,11 @@
#include "time-util.h"
#include "util.h"
+#define DEFAULT_PREEMPTED_ITERATION_COUNT (3)
+#define DEFAULT_PREEMPT_DISPATCH_COUNT (10)
+#define DEFAULT_PREEMPT_PENDING_COUNT (10)
+#define DEFAULT_PREEMPT_ITERATION_COUNT (30)
+
#define DEFAULT_ACCURACY_USEC (250 * USEC_PER_MSEC)
typedef enum EventSourceType {
@@ -103,6 +108,11 @@ struct sd_event_source {
uint64_t pending_iteration;
uint64_t prepare_iteration;
+ uint64_t preempted_iteration; /*The iteration that dispatched_count is greater than preempt_dispatch_count*/
+ unsigned pending_count; /*times of pending not dispatched*/
+ unsigned dispatched_count; /*consecutive dispatched count*/
+ unsigned preempt_dispatch_count; /*Will be preempted by lower priority if dispatched count reaches to this*/
+
sd_event_destroy_t destroy_callback;
LIST_FIELDS(sd_event_source, sources);
@@ -301,6 +311,11 @@ struct sd_event {
LIST_HEAD(sd_event_source, sources);
+ /*last dispatched source, its type is sd_event_source,
+ * here use void to avoid accessing its members,
+ * for it may have been freed already.*/
+ void *last_source;
+
usec_t last_run, last_log;
unsigned delays[sizeof(usec_t) * 8];
};
@@ -314,8 +329,42 @@ static sd_event *event_resolve(sd_event *e) {
return e == SD_EVENT_DEFAULT ? default_event : e;
}
+static int preempt_prioq_compare(const sd_event_source *x, const sd_event_source *y) {
+ if((x->priority > SD_EVENT_PRIORITY_NORMAL && x->type != SOURCE_DEFER)
+ || (y->priority > SD_EVENT_PRIORITY_NORMAL && y->type != SOURCE_DEFER)) {
+ return 0; /*only high priority evnets can preempt*/
+ }
+
+ if(x->priority <= y->priority) {
+ if(x->dispatched_count >= x->preempt_dispatch_count)
+ return 1;
+ if(y->type != SOURCE_DEFER) { /*pending state for defer event is always true*/
+ /*y has lower priority, but its pending count is greater than x, so y wins*/
+ if(y->pending_count >= (x->pending_count + DEFAULT_PREEMPT_PENDING_COUNT))
+ return 1;
+ /*y has lower priority, but is in pending longer than x, so y wins*/
+ if(x->pending_iteration >= (y->pending_iteration + DEFAULT_PREEMPT_ITERATION_COUNT))
+ return 1;
+ }
+ } else {
+ if(y->dispatched_count >= y->preempt_dispatch_count)
+ return -1;
+ if(x->type != SOURCE_DEFER) { /*pending state for defer event is always true*/
+ /*x has lower priority, but its pending count is greater than y, so x wins*/
+ if(x->pending_count >= (y->pending_count + DEFAULT_PREEMPT_PENDING_COUNT))
+ return -1;
+ /*x has lower priority, but is in pending longer than y, so x wins*/
+ if(y->pending_iteration >= (x->pending_iteration + DEFAULT_PREEMPT_ITERATION_COUNT))
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
static int pending_prioq_compare(const void *a, const void *b) {
const sd_event_source *x = a, *y = b;
+ int r;
assert(x->pending);
assert(y->pending);
@@ -326,6 +375,10 @@ static int pending_prioq_compare(const void *a, const void *b) {
if (x->enabled == SD_EVENT_OFF && y->enabled != SD_EVENT_OFF)
return 1;
+ r = preempt_prioq_compare(a, b);
+ if(r)
+ return r;
+
/* Lower priority values first */
if (x->priority < y->priority)
return -1;
@@ -1030,6 +1083,17 @@ static int source_set_pending(sd_event_source *s, bool b) {
assert(s);
assert(s->type != SOURCE_EXIT);
+ if (b && s->pending == b)
+ s->pending_count++;
+ else
+ s->pending_count = (b ? 1 : 0);
+ if (b && s->preempted_iteration &&
+ (s->pending_count >= DEFAULT_PREEMPTED_ITERATION_COUNT ||
+ s->event->iteration >= (s->preempted_iteration + DEFAULT_PREEMPTED_ITERATION_COUNT)) ) {
+ s->dispatched_count = 0;
+ s->preempted_iteration = 0;
+ }
+
if (s->pending == b)
return 0;
@@ -1097,6 +1161,7 @@ static sd_event_source *source_new(sd_event *e, bool floating, EventSourceType t
.type = type,
.pending_index = PRIOQ_IDX_NULL,
.prepare_index = PRIOQ_IDX_NULL,
+ .preempt_dispatch_count = DEFAULT_PREEMPT_DISPATCH_COUNT,
};
if (!floating)
@@ -2263,6 +2328,7 @@ _public_ int sd_event_source_set_enabled(sd_event_source *s, int m) {
return r;
}
+ s->pending_count = 0;
switch (s->type) {
case SOURCE_IO:
@@ -3055,6 +3121,19 @@ static int process_inotify(sd_event *e) {
return done;
}
+static void source_dispatch_pre(sd_event_source *s) {
+ if(s->event->last_source == s) {
+ s->dispatched_count++;
+ if(s->dispatched_count >= s->preempt_dispatch_count)
+ s->preempted_iteration = s->event->iteration;
+ } else {
+ s->preempted_iteration = 0;
+ s->dispatched_count = 0;
+ }
+ s->event->last_source = s;
+ s->pending_count = 0;
+}
+
static int source_dispatch(sd_event_source *s) {
EventSourceType saved_type;
int r = 0;
@@ -3095,6 +3174,7 @@ static int source_dispatch(sd_event_source *s) {
return r;
}
+ source_dispatch_pre(s);
s->dispatching = true;
switch (s->type) {
@@ -3793,3 +3873,10 @@ _public_ int sd_event_source_get_destroy_callback(sd_event_source *s, sd_event_d
return !!s->destroy_callback;
}
+
+_public_ int sd_event_source_set_preempt_dispatch_count(sd_event_source *s, unsigned count) {
+ assert_return(s, -EINVAL);
+
+ s->preempt_dispatch_count = count;
+ return 0;
+}
diff --git a/src/systemd/sd-event.h b/src/systemd/sd-event.h
index 7fcae4a..fdf9108 100644
--- a/src/systemd/sd-event.h
+++ b/src/systemd/sd-event.h
@@ -143,6 +143,7 @@ int sd_event_source_get_child_pid(sd_event_source *s, pid_t *pid);
int sd_event_source_get_inotify_mask(sd_event_source *s, uint32_t *ret);
int sd_event_source_set_destroy_callback(sd_event_source *s, sd_event_destroy_t callback);
int sd_event_source_get_destroy_callback(sd_event_source *s, sd_event_destroy_t *ret);
+int sd_event_source_set_preempt_dispatch_count(sd_event_source *s, unsigned count);
/* Define helpers so that __attribute__((cleanup(sd_event_unrefp))) and similar may be used. */
_SD_DEFINE_POINTER_CLEANUP_FUNC(sd_event, sd_event_unref);
--
2.17.1

89
1612-serialize-pids-for-scope-when-not-started.patch Normal file
View File

@ -0,0 +1,89 @@
From a5c08598384d44ad3bce24ff63ab320b3b3e5292 Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Wed, 31 Jan 2018 22:28:36 +0800
Subject: [PATCH] systemd-core: Serialize pids for scope unit when it is not
started
1. when a scope unit is initialized, and daemon-reload is performed before it is started,
pids (generally comes from dbus) belog to this scope will not be attached to the cgroup of this scope,
because these pids are not serialized and are lost during daemon-reload.
2. this patch fix this problem by serializing scope pids when the state of the scope is DEAD(the init state).
---
src/core/scope.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/src/core/scope.c b/src/core/scope.c
index ae6614f..8d96ee1 100644
--- a/src/core/scope.c
+++ b/src/core/scope.c
@@ -194,6 +194,8 @@ static int scope_load(Unit *u) {
static int scope_coldplug(Unit *u) {
Scope *s = SCOPE(u);
+ Iterator i;
+ void *pidp = NULL;
int r;
assert(s);
@@ -214,6 +216,12 @@ static int scope_coldplug(Unit *u) {
bus_scope_track_controller(s);
scope_set_state(s, s->deserialized_state);
+ if (s->state == SCOPE_DEAD && !u->cgroup_path && !set_isempty(u->pids)) {
+ SET_FOREACH(pidp, u->pids, i) {
+ log_unit_info(u, "Rewatch pid from serialized pids. unit: %s, pid: %u", u->id, PTR_TO_UINT32(pidp));
+ unit_watch_pid(u, PTR_TO_UINT32(pidp));
+ }
+ }
return 0;
}
@@ -396,6 +404,8 @@ static int scope_get_timeout(Unit *u, usec_t *timeout) {
}
static int scope_serialize(Unit *u, FILE *f, FDSet *fds) {
+ Iterator i;
+ void *pidp = NULL;
Scope *s = SCOPE(u);
assert(s);
@@ -408,6 +418,14 @@ static int scope_serialize(Unit *u, FILE *f, FDSet *fds) {
if (s->controller)
unit_serialize_item(u, f, "controller", s->controller);
+ /*serialize pids when scope is not started*/
+ if (s->state == SCOPE_DEAD && !u->cgroup_path && !set_isempty(u->pids)) {
+ SET_FOREACH(pidp, u->pids, i) {
+ log_unit_info(u, "scope is not started yet, pids are serialized. unit: %s, pid: %u", u->id, PTR_TO_UINT32(pidp));
+ unit_serialize_item_format(u, f, "scope_pids", PID_FMT, PTR_TO_UINT32(pidp));
+ }
+ }
+
return 0;
}
@@ -443,6 +461,21 @@ static int scope_deserialize_item(Unit *u, const char *key, const char *value, F
if (r < 0)
log_oom();
+ } else if (streq(key, "scope_pids")) {
+ pid_t pid;
+
+ if (parse_pid(value, &pid) < 0)
+ log_unit_debug(u, "Failed to parse scope-pid value %s.", value);
+ else {
+ if(!u->pids) {
+ r = set_ensure_allocated(&u->pids, NULL);
+ if (r < 0)
+ return r;
+ }
+ r = set_put(u->pids, pid);
+ if (r < 0)
+ return r;
+ }
} else
log_unit_debug(u, "Unknown serialization key: %s", key);
--
1.8.3.1

37
1615-do-not-finish-job-during-daemon-reload-in-unit_notify.patch Normal file
View File

@ -0,0 +1,37 @@
From 650352c713aeb3b47807c9699ceeb168f9f880b8 Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Tue, 13 Mar 2018 20:51:37 +0800
Subject: [PATCH] systemd-core: Do not finish job during daemon reloading in
unit_notify.
1. During daemon reload, a service unit will restore its state from dead to its deserialized state,
and unit_notify will be triggered to notify the state change.
Since JobRemove signal will not be sent during daemon-reload(see details of job_uninstall),
if one job is finished in unit_notify due to the deserialization of a service, the corresponding
job observers(such as systemctl) will not receive any JobRemove signals will hang forever.
2. The above problem will cause a systemctl command to hang forever by using the following steps to reproduce.
a) Ensuere a service(named A)is in running state.
b) execute "systemctl daemon-reload" and "systemctl start A" concurrently
c) the systemctl command will hang for it is in waiting for the JobRemoved signal, but not signals will come from systemd.
3. This patch fix this bug by not finishing job in unit_notify when it is in daemon reload.
---
src/core/unit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index 9e5f1a8..2da6f61 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1831,7 +1831,8 @@ void unit_notify(Unit *u, UnitActiveState os, UnitActiveState ns, UnitNotifyFlag
unit_update_on_console(u);
- if (u->job) {
+ if (u->job &&
+ !(m->n_reloading > 0 && u->job->state != JOB_RUNNING && os == UNIT_INACTIVE)) { /*do not finish job during daemon-reload*/
unexpected = false;
if (u->job->state == JOB_WAITING)
--
1.8.3.1

43
1619-delay-to-restart-when-a-service-can-not-be-auto-restarted.patch Normal file
View File

@ -0,0 +1,43 @@
From 9315c29e4fdfa19c90bb483a364b017881f5cef7 Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Sat, 21 Apr 2018 17:18:19 +0800
Subject: [PATCH] systemd-core: Delay to restart when a service can not be
auto-restarted when there is one STOP_JOB for the service
When a service current has a STOP job has not scheduled yet,
and also if the service is already scheduled with an auto-restart
with restart-second configured as 0, the service will not be restarted successfully,
and systemd will go into an endless loop to restart the service.
This is because restart-second is 0 and timer task has higher priority than IO tasks when there priority
is same(both with 0), so the STOP job has no chance to be scheduled, and systemd will go into the endless loop
to handle the time task.
This patch fix this problem by delaying 1 second to restart the service to cause STOP job to be scheduled.
---
src/core/service.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/core/service.c b/src/core/service.c
index ad9c028..8217447 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1716,14 +1716,15 @@ fail:
static void service_enter_restart(Service *s) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
int r;
+ int restart_usec;
assert(s);
if (UNIT(s)->job && UNIT(s)->job->type == JOB_STOP) {
/* Don't restart things if we are going down anyway */
log_unit_info(UNIT(s), "Stop job pending for unit, delaying automatic restart.");
-
- r = service_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->restart_usec));
+ restart_usec = (s->restart_usec == 0) ? 1*USEC_PER_SEC : s->restart_usec;
+ r = service_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), restart_usec));
if (r < 0)
goto fail;
--
1.8.3.1

46
1620-nop_job-of-a-unit-must-also-be-coldpluged-after-deserization.patch Normal file
View File

@ -0,0 +1,46 @@
From 07e13151c566588b5f679e2576d3dfc2125c6e7c Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Sun, 22 Apr 2018 18:49:19 +0800
Subject: [PATCH] systemd-core: nop_job of a unit must also be coldpluged after
deserization.
When a unit is not in-active, and systemctl try-restart is executed for this unit,
systemd will do nothing for it and just accept it as a nop_job for the unit.
When then nop-job is still in the running queue, then daemon-reload is performed, this nop job
will be dropped from the unit since it is not coldpluged in the unit_coldplug function.
After then, the systemctl try-restart command will hang forever since no JOB_DONE dbus signal will be sent
to it from systemd.
This patch fix this problem by do coldplug for the nop_job in unit_coldplug function.
---
src/core/unit.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index 2da6f61..a862b79 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3028,10 +3028,17 @@ int unit_coldplug(Unit *u) {
r = q;
}
- if (u->job) {
- q = job_coldplug(u->job);
- if (q < 0 && r >= 0)
- r = q;
+ if (u->job || u->nop_job) {
+ if (u->job) {
+ q = job_coldplug(u->job);
+ if (q < 0 && r >= 0)
+ r = q;
+ }
+ if (u->nop_job) {
+ q = job_coldplug(u->nop_job);
+ if (q < 0 && r >= 0)
+ r = q;
+ }
}
return r;
--
1.8.3.1

51
20-grubby.install Executable file
View File

@ -0,0 +1,51 @@
#!/bin/bash
if [[ ! -x /sbin/new-kernel-pkg ]]; then
exit 0
fi
COMMAND="$1"
KERNEL_VERSION="$2"
BOOT_DIR_ABS="$3"
KERNEL_IMAGE="$4"
KERNEL_DIR="${KERNEL_IMAGE%/*}"
[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}"
case "$COMMAND" in
add)
if [[ "${KERNEL_DIR}" != "/boot" ]]; then
for i in \
"$KERNEL_IMAGE" \
"$KERNEL_DIR"/System.map \
"$KERNEL_DIR"/config \
"$KERNEL_DIR"/zImage.stub \
"$KERNEL_DIR"/dtb \
; do
[[ -e "$i" ]] || continue
cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
command -v restorecon &>/dev/null && \
restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
done
# hmac is .vmlinuz-<version>.hmac so needs a special treatment
i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac"
if [[ -e "$i" ]]; then
cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
command -v restorecon &>/dev/null && \
restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
fi
fi
/sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $?
/sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $?
/sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $?
;;
remove)
/sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?
;;
*)
;;
esac
# skip other installation plugins, if we can't find a boot loader spec conforming setup
if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
exit 77
fi

42
20-yama-ptrace.conf Normal file
View File

@ -0,0 +1,42 @@
# The ptrace system call is used for interprocess services,
# communication and introspection (like synchronisation, signaling,
# debugging, tracing and profiling) of processes.
#
# Usage of ptrace is restricted by normal user permissions. Normal
# unprivileged processes cannot use ptrace on processes that they
# cannot send signals to or processes that are running set-uid or
# set-gid. Nevertheless, processes running under the same uid will
# usually be able to ptrace one another.
#
# Fedora enables the Yama security mechanism which restricts ptrace
# even further. Sysctl setting kernel.yama.ptrace_scope can have one
# of the following values:
#
# 0 - Normal ptrace security permissions.
# 1 - Restricted ptrace. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
# 3 - No attach. No process may call ptrace at all. Irrevocable.
#
# For more information see Documentation/security/Yama.txt in the
# kernel sources.
#
# The default is 1., which allows tracing of child processes, but
# forbids tracing of arbitrary processes. This allows programs like
# gdb or strace to work when the most common way of having the
# debugger start the debuggee is used:
# gdb /path/to/program ...
# Attaching to already running programs is NOT allowed:
# gdb -p ...
# This default setting is suitable for the common case, because it
# reduces the risk that one hacked process can be used to attack other
# processes. (For example, a hacked firefox process in a user session
# will not be able to ptrace the keyring process and extract passwords
# stored only in memory.)
#
# Developers and administrators might want to disable those protections
# to be able to attach debuggers to existing processes. Use
# sysctl kernel.yama.ptrace_scope=0
# for change the setting temporarily, or copy this file to
# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
kernel.yama.ptrace_scope = 0

40
464a73411c13596a130a7a8f0ac00ca728e5f69e.patch Normal file
View File

@ -0,0 +1,40 @@
From 464a73411c13596a130a7a8f0ac00ca728e5f69e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Aug 2019 15:57:42 +0200
Subject: [PATCH] udev: use bfq as the default scheduler
As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828.
Test results are that bfq seems to behave better and more consistently on
typical hardware. The kernel does not have a configuration option to set
the default scheduler, and it currently needs to be set by userspace.
See the bug for more discussion and links.
---
rules/60-block-scheduler.rules | 5 +++++
rules/meson.build | 1 +
2 files changed, 6 insertions(+)
create mode 100644 rules/60-block-scheduler.rules
diff --git a/rules/60-block-scheduler.rules b/rules/60-block-scheduler.rules
new file mode 100644
index 00000000000..480b941761f
--- /dev/null
+++ b/rules/60-block-scheduler.rules
@@ -0,0 +1,5 @@
+# do not edit this file, it will be overwritten on update
+
+ACTION=="add", SUBSYSTEM=="block", \
+ KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
+ ATTR{queue/scheduler}="bfq"
diff --git a/rules/meson.build b/rules/meson.build
index b6a32ba77e2..1da958b4d46 100644
--- a/rules/meson.build
+++ b/rules/meson.build
@@ -2,6 +2,7 @@
rules = files('''
60-block.rules
+ 60-block-scheduler.rules
60-cdrom_id.rules
60-drm.rules
60-evdev.rules

67
core-bugfix-call-malloc_trim-to-return-memory-to-OS-immediately.patch Normal file
View File

@ -0,0 +1,67 @@
From 95100aa8fa3182f3b066bdc5927b0a78c37550aa Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Mon, 23 Jul 2018 17:58:18 +0800
Subject: [PATCH] systemd-udevd: Call malloc_trim to return memory to OS
immediately in forked children.
hen there are many events from kernel, memory used to store these events(in event_list)
will be large, may be up to 100M. The forked child process will have a copy of these events and
release them using free. But since glibc will release memory to OS immediately, and if this child process
is stuck due I/O waiting(in D state), these memory will never be released until it is recoveried from D-state.
When there are so many such child processes, it will eat up much memory from system.
This patch fix this problem by invoking glibc's malloc_trim to release memory immediately when the child is forked.
---
meson.build | 6 ++++++
src/udev/udevd.c | 12 ++++++++++++
2 files changed, 18 insertions(+)
diff --git a/meson.build b/meson.build
index c14540a..5ee2fa7 100644
--- a/meson.build
+++ b/meson.build
@@ -518,6 +518,12 @@ else
conf.set10('HAVE_GETRANDOM', have)
endif
+if cc.has_function('malloc_trim', prefix : '''#include <malloc.h>''')
+ conf.set10('HAVE_MALLOC_TRIM', true)
+else
+ conf.set10('HAVE_MALLOC_TRIM', false)
+endif
+
#####################################################################
sed = find_program('sed')
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index c1119c3..62f1c44 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -27,6 +27,9 @@
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>
+#ifdef HAVE_MALLOC_TRIM
+#include <malloc.h>
+#endif
#include "sd-daemon.h"
#include "sd-event.h"
@@ -233,6 +236,15 @@ static void worker_spawn(Manager *manager, struct event *event) {
manager->event = sd_event_unref(manager->event);
+#ifdef HAVE_MALLOC_TRIM
+ /* unused memory inherits from parent has been freed, but it will
+ * not release to OS immediately. We do the optimization by invoking
+ * glibc's malloc_trim to force these unused memory to return to OS immediately.
+ * Otherwise when there are many forked process, it will eat up system's memory,
+ * and will cause OOM problem.
+ */
+ malloc_trim(0);
+#endif
sigfillset(&mask);
fd_signal = signalfd(-1, &mask, SFD_NONBLOCK|SFD_CLOEXEC);
if (fd_signal < 0) {
--
1.8.3.1

4
detect_virt Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
VIRT_PLATFORM="$(/usr/bin/systemd-detect-virt)"
echo "$VIRT_PLATFORM"

16
inittab Normal file
View File

@ -0,0 +1,16 @@
# inittab is no longer used.
#
# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
#
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
#
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
#
# To view current default target, run:
# systemctl get-default
#
# To set a default target, run:
# systemctl set-default TARGET.target

79
net-set-sriov-names Normal file
View File

@ -0,0 +1,79 @@
#!/bin/bash -e
#
# This script is run to rename virtual interfaces
#
if [ -n "$UDEV_LOG" ]; then
if [ "$UDEV_LOG" -ge 7 ]; then
set -x
fi
fi
# according to dev_new_index(), ifindex is within [1, INT_MAX]
int_max=$(/usr/bin/getconf INT_MAX)
ifindex_before() {
a=$1
b=$2
((0 < (b - a) && (b - a) < int_max / 2 ||
-1 * int_max < (b - a) && (b - a) < -1 * int_max / 2))
}
rename_interface() {
local src_net=$1
local dest_net=$2
local err=0
/sbin/ip link set dev $src_net down
/sbin/ip link set dev $src_net name $dest_net
}
if [ -z "$INTERFACE" ]; then
echo "missing \$INTERFACE" >&2
exit 1
fi
if [ -e "/sys/class/net/$INTERFACE/device/physfn" ]; then
pf=$(ls -1 "/sys/class/net/$INTERFACE/device/physfn/net")
if [ $(echo "$pf" | wc -l) -ne 1 ]; then
echo "too many pf's" >&2
exit 1
fi
read vfindex < "/sys/class/net/$INTERFACE/ifindex"
read pfindex < "/sys/class/net/$pf/ifindex"
if ifindex_before $pfindex $vfindex; then
bus_info=$(basename $(readlink "/sys/class/net/$INTERFACE/device"))
for virtfn in "/sys/class/net/$pf/device/"virtfn*; do
if [ "$(basename $(readlink "$virtfn"))" = "$bus_info" ]; then
vfnum=$(basename "$virtfn")
vfnum=${vfnum#virtfn}
echo "INTERFACE_NEW=$pf.vf$vfnum"
exit 0
fi
done
fi
fi
read pfindex < "/sys/class/net/$INTERFACE/ifindex"
shopt -s nullglob
for virtfn in "/sys/class/net/$INTERFACE/device/"virtfn*; do
vf=$(ls -1 "$virtfn/net")
if [ $(echo "$vf" | wc -l) -ne 1 ]; then
echo "too many vf's" >&2
exit 1
fi
read vfindex < "/sys/class/net/$vf/ifindex"
if ifindex_before $vfindex $pfindex; then
vfnum=$(basename "$virtfn")
vfnum=${vfnum#virtfn}
if [ "$INTERFACE_NEW" ]; then
new_name=$INTERFACE_NEW
else
new_name=$INTERFACE
fi
new_name="$new_name.vf$vfnum"
if [ "$vf" != "$new_name" ]; then
rename_interface "$vf" "$new_name"
fi
fi
done

101
purge-nobody-user Executable file
View File

@ -0,0 +1,101 @@
#!/bin/bash -eu
if [ $UID -ne 0 ]; then
echo "WARNING: This script needs to run as root to be effective"
exit 1
fi
export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
if [ "${1:-}" = "--ignore-journal" ]; then
shift
ignore_journal=1
else
ignore_journal=0
fi
echo "Checking processes..."
if ps h -u 99 | grep .; then
echo "ERROR: ps reports processes with UID 99!"
exit 2
fi
echo "... not found"
echo "Checking UTMP..."
if w -h 199 | grep . ; then
echo "ERROR: w reports UID 99 as active!"
exit 2
fi
if w -h nobody | grep . ; then
echo "ERROR: w reports user nobody as active!"
exit 2
fi
echo "... not found"
echo "Checking the journal..."
if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
echo "ERROR: journalctl reports messages from UID 99 in current boot!"
exit 2
fi
echo "... not found"
echo "Looking for files in /etc, /run, /tmp, and /var..."
if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
echo "ERROR: found files belonging to UID 99"
exit 2
fi
echo "... not found"
echo "Checking if nobody is defined correctly..."
if getent passwd nobody |
grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
then
echo "OK, nothing to do."
exit 0
else
echo "NOTICE: User nobody is not defined correctly"
fi
echo "Checking if nfsnobody or something else is using the uid..."
if getent passwd 65534 | grep . ; then
echo "NOTICE: will have to remove this user"
else
echo "... not found"
fi
if [ "${1:-}" = "-x" ]; then
if getent passwd nobody >/dev/null; then
# this will remove both the user and the group.
( set -x
userdel nobody
)
fi
if getent passwd 65534 >/dev/null; then
# Make sure the uid is unused. This should free gid too.
name="$(getent passwd 65534 | cut -d: -f1)"
( set -x
userdel "$name"
)
fi
if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
echo "Sleeping, so sss can catch up"
sleep 3
fi
if getent group 65534; then
# Make sure the gid is unused, even if uid wasn't.
name="$(getent group 65534 | cut -d: -f1)"
( set -x
groupdel "$name"
)
fi
# systemd-sysusers uses the same gid and uid
( set -x
systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
)
else
echo "Pass '-x' to perform changes"
fi

13
rc.local Normal file
View File

@ -0,0 +1,13 @@
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local

107
rule_generator.functions Normal file
View File

@ -0,0 +1,107 @@
# functions used by the udev rule generator
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation version 2 of the License.
PATH='/usr/sbin:/usr/bin'
# Read a single line from file $1 in the $DEVPATH directory.
# The function must not return an error even if the file does not exist.
sysread() {
local file="$1"
[ -e "/sys$DEVPATH/$file" ] || return 0
local value
read value < "/sys$DEVPATH/$file" || return 0
echo "$value"
}
sysreadlink() {
local file="$1"
[ -e "/sys$DEVPATH/$file" ] || return 0
readlink -f /sys$DEVPATH/$file 2> /dev/null || true
}
# Return true if a directory is writeable.
writeable() {
if ln -s test-link $1/.is-writeable 2> /dev/null; then
rm -f $1/.is-writeable
return 0
else
return 1
fi
}
# Create a lock file for the current rules file.
lock_rules_file() {
[ -e /dev/.udev/ ] || return 0
RULES_LOCK="/dev/.udev/.lock-${RULES_FILE##*/}"
retry=30
while ! mkdir $RULES_LOCK 2> /dev/null; do
if [ $retry -eq 0 ]; then
echo "Cannot lock $RULES_FILE!" >&2
exit 2
fi
sleep 1
retry=$(($retry - 1))
done
}
unlock_rules_file() {
[ "$RULES_LOCK" ] || return 0
rmdir $RULES_LOCK || true
}
# Choose the real rules file if it is writeable or a temporary file if not.
# Both files should be checked later when looking for existing rules.
choose_rules_file() {
local tmp_rules_file="/dev/.udev/tmp-rules--${RULES_FILE##*/}"
[ -e "$RULES_FILE" -o -e "$tmp_rules_file" ] || PRINT_HEADER=1
local retry=5
while :;
do
if [ $retry -eq 0 ]; then
echo "$RULES_FILE not writeable!" >&2
exit 2
elif writeable ${RULES_FILE%/*}; then
RO_RULES_FILE='/dev/null'
break
fi
sleep 1
retry=$(($retry - 1))
done
}
# Return the name of the first free device.
raw_find_next_available() {
local links="$1"
local basename=${links%%[ 0-9]*}
local max=-1
for name in $links; do
local num=${name#$basename}
[ "$num" ] || num=0
[ $num -gt $max ] && max=$num
done
local max=$(($max + 1))
# "name0" actually is just "name"
[ $max -eq 0 ] && return
echo "$max"
}
# Find all rules matching a key (with action) and a pattern.
find_all_rules() {
local key="$1"
local linkre="$2"
local match="$3"
local search='.*[[:space:],]'"$key"'"('"$linkre"')".*'
echo $(sed -n -r -e 's/^#.*//' -e "${match}s/${search}/\1/p" \
$RO_RULES_FILE \
$([ -e $RULES_FILE ] && echo $RULES_FILE) \
2>/dev/null)
}

10
sysctl.conf.README Normal file
View File

@ -0,0 +1,10 @@
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

BIN
systemd-243.tar.gz Normal file
View File

Binary file not shown.

40
systemd-core-Close-and-free-dbus-when-bus-authentica.patch Normal file
View File

@ -0,0 +1,40 @@
From 1245ae05c6e2ca7a2af055f9c44f19a0db2971a5 Mon Sep 17 00:00:00 2001
From: yangbin <robin.yb@huawei.com>
Date: Thu, 15 Aug 2019 15:24:03 +0800
Subject: [PATCH 3/3] systemd-core: Close and free dbus when bus authenticating
timedout
1. when timedout happened on authenticating a private dbus(can be established by systemctl command),
this dbus will never be freed and closed, and will left on systemd permanently even through the client
(for example, systemctl command) has closed the connection. This is because when timedout happend,
the event and also the timer to watch dbus actions is disabled by sd_event_source_set_enabled
from source_dispatch function, and systemd can do nothing on it since this dbus will not be activated again.
2. If a private dbus staying on authenticating state, and when systemd sends a signal message, it will also
add this message to the message write queue of this bus and will never send it out because the dbus is not in running.
systemd does this for it believe that the bus will change from authenticating to running sometime, but actually it will not.
3. When many private dbuses are left as authenticating and many signal messages are sent from dbus, it will eat up our memory
to hold these dbuses and messages, and memory usage of systemd will grow very fast.
4. This patch fix this problem by closing and freeing the dbus when authenticating timedout.
---
src/libsystemd/sd-bus/sd-bus.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index 05cb4c3..65cf449 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -2946,6 +2946,11 @@ static int bus_process_internal(sd_bus *bus, bool hint_priority, int64_t priorit
if (IN_SET(r, -ENOTCONN, -ECONNRESET, -EPIPE, -ESHUTDOWN)) {
bus_enter_closing(bus);
r = 1;
+ } else if(r == -ETIMEDOUT && !bus->is_system) {
+ /*close dbus directly when timedout happened and it is a private dbus*/
+ log_info("Private bus is closed due authentication timedout.");
+ bus_enter_closing(bus);
+ r = 1;
} else if (r < 0)
return r;
--
2.17.1

6
systemd-journal-gatewayd.xml Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>systemd-journal-gatewayd</short>
<description>Journal Gateway Service</description>
<port protocol="tcp" port="19531"/>
</service>

6
systemd-journal-remote.xml Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>systemd-journal-remote</short>
<description>Journal Remote Sink</description>
<port protocol="tcp" port="19532"/>
</service>

3
systemd-udev-trigger-no-reload.conf Normal file
View File

@ -0,0 +1,3 @@
[Unit]
# https://bugzilla.redhat.com/show_bug.cgi?id=1378974#c17
RefuseManualStop=true

10
systemd-user Normal file
View File

@ -0,0 +1,10 @@
# This file is part of systemd.
#
# Used by systemd --user instances.
account include system-auth
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session include system-auth

1755
systemd.spec Normal file
View File

File diff suppressed because it is too large Load Diff

44
udev-40-openEuler.rules Normal file
View File

@ -0,0 +1,44 @@
# do not edit this file, it will be overwritten on update
# CPU hotadd request
SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
# Memory hotadd request
SUBSYSTEM!="memory", ACTION!="add", GOTO="memory_hotplug_end"
PROGRAM="/bin/uname -p", RESULT=="s390*", GOTO="memory_hotplug_end"
ENV{.state}="online"
ATTR{state}=="offline", ATTR{state}="$env{.state}"
LABEL="memory_hotplug_end"
# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
# load SCSI generic (sg) driver
SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
# Rule for prandom character device node permissions
KERNEL=="prandom", MODE="0644"
# Rules for creating the ID_PATH for SCSI devices based on the CCW bus
# using the form: ccw-<BUS_ID>-zfcp-<WWPN>:<LUN>
#
ACTION=="remove", GOTO="zfcp_scsi_device_end"
#
# Set environment variable "ID_ZFCP_BUS" to "1" if the devices
# (both disk and partition) are SCSI devices based on FCP devices
#
KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1"
# For SCSI disks
KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}"
# For partitions on a SCSI disk
KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
LABEL="zfcp_scsi_device_end"

104
udev-55-persistent-net-generator.rules Normal file
View File

@ -0,0 +1,104 @@
# do not edit this file, it will be overwritten on update
# these rules generate rules for persistent network device naming
#
# variables used to communicate:
# MATCHADDR MAC address used for the match
# MATCHID bus_id used for the match
# MATCHDRV driver name used for the match
# MATCHIFTYPE interface type match
# COMMENT comment to add to the generated rule
# INTERFACE_NAME requested name supplied by external tool
# INTERFACE_NEW new interface name returned by rule writer
ACTION!="add", GOTO="persistent_net_generator_end"
SUBSYSTEM!="net", GOTO="persistent_net_generator_end"
# ignore the interface if a name has already been set
NAME=="?*", GOTO="persistent_net_generator_end"
# device name whitelist
KERNEL!="eth*|ath*|wlan*[0-9]|msh*|ra*|sta*|ctc*|lcs*|hsi*", GOTO="persistent_net_generator_end"
# when net.ifnames=0 is not set in command line ,do not generate net-name rules
IMPORT{cmdline}="net.ifnames"
ENV{net.ifnames}!="0",SUBSYSTEMS=="pci", GOTO="persistent_net_generator_end"
# ignore Xen virtual interfaces
#SUBSYSTEMS=="xen", GOTO="persistent_net_generator_end"
# check if running in a guest
PROGRAM=="detect_virt", RESULT=="?*", ENV{VIRTPLATFORM}="$result"
# read MAC address
ENV{MATCHADDR}="$attr{address}"
# match interface type
ENV{MATCHIFTYPE}="$attr{type}"
# These vendors are known to violate the local MAC address assignment scheme
# Interlan, DEC (UNIBUS or QBUS), Apollo, Cisco, Racal-Datacom
ENV{MATCHADDR}=="02:07:01:*", GOTO="globally_administered_whitelist"
# 3Com
ENV{MATCHADDR}=="02:60:60:*", GOTO="globally_administered_whitelist"
# 3Com IBM PC; Imagen; Valid; Cisco; Apple
ENV{MATCHADDR}=="02:60:8c:*", GOTO="globally_administered_whitelist"
# Intel
ENV{MATCHADDR}=="02:a0:c9:*", GOTO="globally_administered_whitelist"
# Olivetti
ENV{MATCHADDR}=="02:aa:3c:*", GOTO="globally_administered_whitelist"
# CMC Masscomp; Silicon Graphics; Prime EXL
ENV{MATCHADDR}=="02:cf:1f:*", GOTO="globally_administered_whitelist"
# Prominet Corporation Gigabit Ethernet Switch
ENV{MATCHADDR}=="02:e0:3b:*", GOTO="globally_administered_whitelist"
# BTI (Bus-Tech, Inc.) IBM Mainframes
ENV{MATCHADDR}=="02:e6:d3:*", GOTO="globally_administered_whitelist"
# Realtek
ENV{MATCHADDR}=="52:54:00:*", GOTO="globally_administered_whitelist"
# Novell 2000
ENV{MATCHADDR}=="52:54:4c:*", GOTO="globally_administered_whitelist"
# Realtec
ENV{MATCHADDR}=="52:54:ab:*", GOTO="globally_administered_whitelist"
# Kingston Technologies
ENV{MATCHADDR}=="e2:0c:0f:*", GOTO="globally_administered_whitelist"
# match interface dev_id
ATTR{dev_id}=="?*", ENV{MATCHDEVID}="$attr{dev_id}"
# do not use "locally administered" MAC address
#ENV{MATCHADDR}=="?[2367abef]:*", ENV{MATCHADDR}=""
# do not use "locally administered" MAC address only on host
ENV{VIRTPLATFORM}=="none", ENV{MATCHADDR}=="?[2367abef]:*", ENV{MATCHADDR}=""
# do not use empty address
ENV{MATCHADDR}=="00:00:00:00:00:00", ENV{MATCHADDR}=""
LABEL="globally_administered_whitelist"
# build comment line for generated rule:
SUBSYSTEMS=="pci", ENV{COMMENT}="PCI device $attr{vendor}:$attr{device} ($driver)"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="?*", ENV{COMMENT}="USB device 0x$attr{idVendor}:0x$attr{idProduct} ($driver)"
SUBSYSTEMS=="pcmcia", ENV{COMMENT}="PCMCIA device $attr{card_id}:$attr{manf_id} ($driver)"
SUBSYSTEMS=="ieee1394", ENV{COMMENT}="Firewire device $attr{host_id})"
# ibmveth likes to use "locally administered" MAC addresses
DRIVERS=="ibmveth", ENV{MATCHADDR}="$attr{address}", ENV{COMMENT}="ibmveth ($id)"
# S/390 uses id matches only, do not use MAC address match
SUBSYSTEMS=="ccwgroup", ENV{COMMENT}="S/390 $driver device at $id", ENV{MATCHID}="$id", ENV{MATCHDRV}="$driver", ENV{MATCHADDR}="", ENV{MATCHDEVID}=""
# see if we got enough data to create a rule
ENV{MATCHADDR}=="", ENV{MATCHID}=="", ENV{INTERFACE_NAME}=="", GOTO="persistent_net_generator_end"
# default comment
ENV{COMMENT}=="", ENV{COMMENT}="net device ($attr{driver})"
# write rule
DRIVERS=="?*", IMPORT{program}="write_net_rules"
# rename interface if needed
ENV{INTERFACE_NEW}=="?*", NAME="$env{INTERFACE_NEW}"
LABEL="persistent_net_generator_end"

17
udev-56-net-sriov-names.rules Normal file
View File

@ -0,0 +1,17 @@
# do not edit this file, it will be overwritten on update
#
# rename SRIOV virtual function interfaces
ACTION=="remove", GOTO="net-sriov-names_end"
# when net.ifnames=0 is not set in command line ,do not generate net-name rules
IMPORT{cmdline}="net.ifnames"
ENV{net.ifnames}!="0",SUBSYSTEMS=="pci", GOTO="net-sriov-names_end"
SUBSYSTEM=="net", SUBSYSTEMS=="pci", ACTION=="add", NAME=="?*", ENV{INTERFACE_NEW}="$name"
SUBSYSTEM=="net", SUBSYSTEMS=="pci", ACTION=="add", IMPORT{program}="net-set-sriov-names"
# rename interface if needed
ENV{INTERFACE_NEW}=="?*", NAME="$env{INTERFACE_NEW}"
LABEL="net-sriov-names_end"

3
udev-61-euleros-persistent-storage.rules Normal file
View File

@ -0,0 +1,3 @@
# scsi compat links for ATA devices
KERNEL=="sd*[!0-9]", ENV{ID_BUS}=="ata", PROGRAM="scsi_id --whitelisted --replace-whitespace -p0x80 -d$tempnode", RESULT=="?*", ENV{ID_SCSI_COMPAT}="$result", SYMLINK+="disk/by-id/scsi-$env{ID_SCSI_COMPAT}"
KERNEL=="sd*[0-9]", ENV{ID_SCSI_COMPAT}=="?*", SYMLINK+="disk/by-id/scsi-$env{ID_SCSI_COMPAT}-part%n"

134
write_net_rules Normal file
View File

@ -0,0 +1,134 @@
#!/bin/sh -e
#
# Copyright (C) 2006 Marco d'Itri <md@Linux.IT>
# Copyright (C) 2007 Kay Sievers <kay.sievers@vrfy.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation version 2 of the License.
#
# This script is run to create persistent network device naming rules
# based on properties of the device.
# If the interface needs to be renamed, INTERFACE_NEW=<name> will be printed
# on stdout to allow udev to IMPORT it.
# variables used to communicate:
# MATCHADDR MAC address used for the match
# MATCHID bus_id used for the match
# MATCHDEVID dev_id used for the match
# MATCHDRV driver name used for the match
# MATCHIFTYPE interface type match
# COMMENT comment to add to the generated rule
# INTERFACE_NAME requested name supplied by external tool
# INTERFACE_NEW new interface name returned by rule writer
RULES_FILE='/etc/udev/rules.d/50-persistent-net.rules'
. /usr/lib/udev/rule_generator.functions
interface_name_taken() {
local value="$(find_all_rules 'NAME=' $INTERFACE)"
if [ "$value" ]; then
return 0
else
return 1
fi
}
find_next_available() {
raw_find_next_available "$(find_all_rules 'NAME=' "$1")"
}
write_rule() {
local match="$1"
local name="$2"
local comment="$3"
{
if [ "$PRINT_HEADER" ]; then
PRINT_HEADER=
echo "# This file was automatically generated by the $0"
echo "# program, run by the persistent-net-generator.rules rules file."
echo "#"
echo "# You can modify it, as long as you keep each rule on a single"
echo "# line, and change only the value of the NAME= key."
fi
echo ""
[ "$comment" ] && echo "# $comment"
echo "SUBSYSTEM==\"net\", ACTION==\"add\"$match, NAME=\"$name\""
} >> $RULES_FILE
}
if [ -z "$INTERFACE" ]; then
echo "missing \$INTERFACE" >&2
exit 1
fi
mkdir -p /dev/.udev
# Prevent concurrent processes from modifying the file at the same time.
lock_rules_file
# Check if the rules file is writeable.
choose_rules_file
# the DRIVERS key is needed to not match bridges and VLAN sub-interfaces
if [ "$MATCHADDR" ]; then
match="$match, DRIVERS==\"?*\", ATTR{address}==\"$MATCHADDR\""
fi
if [ "$MATCHDRV" ]; then
match="$match, DRIVERS==\"$MATCHDRV\""
fi
if [ "$MATCHDEVID" ]; then
match="$match, ATTR{dev_id}==\"$MATCHDEVID\""
fi
if [ "$MATCHID" ]; then
match="$match, KERNELS==\"$MATCHID\""
fi
if [ "$MATCHIFTYPE" ]; then
match="$match, ATTR{type}==\"$MATCHIFTYPE\""
fi
if [ -z "$match" ]; then
echo "missing valid match" >&2
unlock_rules_file
exit 1
fi
basename=${INTERFACE%%[0-9]*}
match="$match, KERNEL==\"$basename*\""
if [ "$INTERFACE_NAME" ]; then
# external tools may request a custom name
COMMENT="$COMMENT (custom name provided by external tool)"
if [ "$INTERFACE_NAME" != "$INTERFACE" ]; then
INTERFACE=$INTERFACE_NAME;
echo "INTERFACE_NEW=$INTERFACE"
fi
else
# if a rule using the current name already exists, find a new name
if interface_name_taken; then
INTERFACE="$basename$(find_next_available "$basename[0-9]*")"
echo "INTERFACE_NEW=$INTERFACE"
fi
fi
if [ "$MATCHADDR" ]; then
mac_found=0
grep -qE "^\s*[^#].*==\"$MATCHADDR\"" "$RULES_FILE" || mac_found=$?
if [ $mac_found -ne 0 ]; then
# only add new rules while mac address not found
write_rule "$match" "$INTERFACE" "$COMMENT"
fi
else
write_rule "$match" "$INTERFACE" "$COMMENT"
fi
unlock_rules_file
exit 0

2
yum-protect-systemd.conf Normal file
View File

@ -0,0 +1,2 @@
systemd
systemd-udev