author | Britney Fransen <brfransen@gmail.com> | 2018-03-04 21:45:17 (GMT) |
---|---|---|
committer | Britney Fransen <brfransen@gmail.com> | 2018-03-04 21:45:17 (GMT) |
commit | f961eb7d7befe4dce77937b7fad6d97089ae76f1 (patch) | |
tree | c51cf18fc3b5997caf3865da19a382f3f2c041a7 | |
parent | 775c7e109a8b8dde65c5baee7d6bb3265ea76c06 (diff) | |
systemd: update to 237.64
-rw-r--r-- | abs/core/systemd/PKGBUILD | 238 | ||||
-rw-r--r-- | abs/core/systemd/__changelog | 1 | ||||
-rw-r--r-- | abs/core/systemd/initcpio-install-systemd | 44 | ||||
-rw-r--r-- | abs/core/systemd/initcpio-install-udev | 7 | ||||
-rw-r--r-- | abs/core/systemd/systemd-hwdb.hook | 11 | ||||
-rw-r--r-- | abs/core/systemd/systemd-sysusers.hook | 11 | ||||
-rw-r--r-- | abs/core/systemd/systemd-tmpfiles.hook | 11 | ||||
-rw-r--r-- | abs/core/systemd/systemd-update.hook | 11 | ||||
-rw-r--r-- | abs/core/systemd/systemd-user.pam | 5 | ||||
-rw-r--r-- | abs/core/systemd/systemd.install | 178 |
10 files changed, 285 insertions, 232 deletions
diff --git a/abs/core/systemd/PKGBUILD b/abs/core/systemd/PKGBUILD index ecbf16c..f2c335c 100644 --- a/abs/core/systemd/PKGBUILD +++ b/abs/core/systemd/PKGBUILD 
@@ -1,88 +1,155 @@ +# $Id$ +# Maintainer: Christian Hesse <mail@eworm.de> # Maintainer: Dave Reisner <dreisner@archlinux.org> # Maintainer: Tom Gundersen <teg@jklm.no> pkgbase=systemd pkgname=('systemd' 'libsystemd' 'systemd-sysvcompat') -pkgver=224 -pkgrel=2 -arch=('i686' 'x86_64') -url="http://www.freedesktop.org/wiki/Software/systemd" -makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' +# latest commit on stable branch +_commit='7909254c7a8ee09d91b8b21fd779320b3e2fe716' +# Bump this to latest major release for signed tag verification, +# the commit count is handled by pkgver() function. +pkgver=237.64 +pkgrel=1 +arch=('x86_64') +url="https://www.github.com/systemd/systemd" +makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf' 'intltool' 'iptables' 'kmod' 'libcap' 'libidn' 'libgcrypt' 'libmicrohttpd' 'libxslt' 'util-linux' 'linux-api-headers' - 'python2-lxml' 'quota-tools' 'shadow' 'gnu-efi-libs' 'git') -options=('strip' 'debug') -source=("git://github.com/systemd/systemd.git#tag=v$pkgver" + 'python-lxml' 'quota-tools' 'shadow' 'gnu-efi-libs' 'git' + 'meson' 'libseccomp' 'pcre2') +options=('strip') +validpgpkeys=('63CDA1E5D3FC22B998D20DD6327F26951A015CC4') # Lennart Poettering <lennart@poettering.net> +source=('git://github.com/systemd/systemd-stable.git' + 'git://github.com/systemd/systemd.git' # pull in for tags, backports & reverts 'initcpio-hook-udev' 'initcpio-install-systemd' 'initcpio-install-udev' 'arch.conf' 'loader.conf' - 'splash-arch.bmp') -md5sums=('SKIP' - '90ea67a7bb237502094914622a39e281' - '976c5511b6493715e381f43f16cdb151' - '1b3aa3a0551b08af9305d33f85b5c2fc' - '20ead378f5d6df4b2a3e670301510a7d' - 'ddaef54f68f6c86c6c07835fc668f62a' - '1e2f9a8b0fa32022bf0a8f39123e5f4e') + 'splash-arch.bmp' + 'systemd-user.pam' + 'systemd-hwdb.hook' + 'systemd-sysusers.hook' + 'systemd-tmpfiles.hook' + 'systemd-update.hook') +sha512sums=('SKIP' + 'SKIP' + 
'f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73' + '86d7cacd7536b1069c82bbbb08de7ec81e7f0f18a19fc2b06fabe90db4700623eb3540b75121080d325672d92e26912632ae4f93fd3c0bb48eb3e5eedd88352c' + 'a25b28af2e8c516c3a2eec4e64b8c7f70c21f974af4a955a4a9d45fd3e3ff0d2a98b4419fe425d47152d5acae77d64e69d8d014a7209524b75a81b0edb10bf3a' + '61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648' + 'c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5' + '5a1d78b5170da5abe3d18fdf9f2c3a4d78f15ba7d1ee9ec2708c4c9c2e28973469bc19386f70b3cf32ffafbe4fcc4303e5ebbd6d5187a1df3314ae0965b25e75' + 'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19' + '2c1f765e7cefc50f07ad994634ea25d9396e6b9c0de46e58f18377e642a471517a0dbf5eb547070a38c6ecf84ec8e030f650a6cee010871cd7a466a32534adda' + '7d49a948f5d58f662a7d81544254528257ef8c0a08ca560834f09a7cdf566161d2df4d419ebbc2983196cd45c9eeefcd0c4c2c554376916dce42e895262afc30' + 'e521d92674597f82d589b83c378c50c92c881fdb84c436c8b26f7a3436a4c91a20585824a5563933f6868a3023b9ee2fdc7bd58e04bb47c25a0a36e296308fd3' + '10190fba9f39a8f4b620a0829e0ba8ed63bb4dbeca712966011ee7807880d01ab2abff1a80baafeb6674db70526a473fe585db8190e864f318fc4d6068552618') + +_backports=( +) + +_reverts=( +) + +_validate_tag() { + local success fingerprint trusted status tag=v${pkgver%.*} + + parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) + + if (( ! success )); then + error 'failed to validate tag %s\n' "$tag" + return 1 + fi + + if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! 
trusted )); then + error 'unknown or untrusted public key: %s\n' "$fingerprint" + return 1 + fi + + case $status in + 'expired') + warning 'the signature has expired' + ;; + 'expiredkey') + warning 'the key has expired' + ;; + esac + + return 0 +} + +pkgver() { + local version count + + cd "$pkgbase-stable" + + version="$(git describe --abbrev=0 --tags)" + count="$(git rev-list --count ${version}..)" + printf '%s.%s' "${version#v}" "${count}" +} prepare() { - cd "$pkgname" + cd "$pkgbase-stable" + + git remote add upstream ../systemd/ + git fetch --all - # networkd: fix neworkd crash - # https://github.com/systemd/systemd/commit/49f6e11e89b4 - git cherry-pick -n 49f6e11e89b4 + git checkout "${_commit}" - ./autogen.sh + _validate_tag || return + + local _commit + for _commit in "${_backports[@]}"; do + git cherry-pick -n "$_commit" + done + for _commit in "${_reverts[@]}"; do + git revert -n "$_commit" + done } build() { - cd "$pkgname" - local timeservers=({0..3}.arch.pool.ntp.org) - ./configure \ - --libexecdir=/usr/lib \ - --localstatedir=/var \ - --sysconfdir=/etc \ - --enable-lz4 \ - --enable-compat-libs \ - --enable-gnuefi \ - --disable-audit \ - --disable-ima \ - --disable-kdbus \ - --with-sysvinit-path= \ - --with-sysvrcnd-path= \ - --with-ntp-servers="${timeservers[*]}" - - make + local meson_options=( + -Daudit=false + -Dgnuefi=true + -Dima=false + -Dlz4=true + + -Ddbuspolicydir=/usr/share/dbus-1/system.d + -Ddefault-dnssec=no + # TODO(dreisner): consider changing this to unified + -Ddefault-hierarchy=hybrid + -Ddefault-kill-user-processes=false + -Dfallback-hostname='archlinux' + -Dntp-servers="${timeservers[*]}" + -Drpmmacrosdir=no + -Dsysvinit-path= + -Dsysvrcnd-path= + ) + + arch-meson "$pkgbase-stable" build "${meson_options[@]}" + + ninja -C build } package_systemd() { pkgdesc="system and service manager" license=('GPL2' 'LGPL2.1') - depends=('acl' 'bash' 'dbus' 'iptables' 'kbd' 'kmod' 'hwids' 'libcap' - 'libgcrypt' 'libsystemd' 'libidn' 'lz4' 'pam' 
'libseccomp' 'util-linux' - 'xz') + groups=('base-devel') + depends=('acl' 'bash' 'cryptsetup' 'dbus' 'iptables' 'kbd' 'kmod' 'hwids' 'libcap' + 'libgcrypt' 'libsystemd' 'libidn' 'lz4' 'pam' 'libelf' 'libseccomp' + 'util-linux' 'xz' 'pcre2') provides=('nss-myhostname' "systemd-tools=$pkgver" "udev=$pkgver") replaces=('nss-myhostname' 'systemd-tools' 'udev') conflicts=('nss-myhostname' 'systemd-tools' 'udev') - optdepends=('cryptsetup: required for encrypted block devices' - 'libmicrohttpd: remote journald capabilities' + optdepends=('libmicrohttpd: remote journald capabilities' 'quota-tools: kernel-level quota management' 'systemd-sysvcompat: symlink package to provide sysvinit binaries' 'polkit: allow administration as unprivileged user') - backup=(etc/dbus-1/system.d/org.freedesktop.systemd1.conf - etc/dbus-1/system.d/org.freedesktop.hostname1.conf - etc/dbus-1/system.d/org.freedesktop.login1.conf - etc/dbus-1/system.d/org.freedesktop.locale1.conf - etc/dbus-1/system.d/org.freedesktop.machine1.conf - etc/dbus-1/system.d/org.freedesktop.timedate1.conf - etc/dbus-1/system.d/org.freedesktop.import1.conf - etc/dbus-1/system.d/org.freedesktop.network1.conf - etc/pam.d/systemd-user - etc/systemd/bootchart.conf + backup=(etc/pam.d/systemd-user etc/systemd/coredump.conf etc/systemd/journald.conf etc/systemd/journal-remote.conf 
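Review bot: In `_validate_tag` the fingerprint test `! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted ))` rejects a signer only when the key is both missing from `validpgpkeys` and not trusted, so the pinned fingerprint is not exclusive; assuming `trusted` reflects the builder's own keyring (`parse_gpg_statusfile` is defined outside this file), any locally trusted key would pass. If the pin is meant to be strict, drop the second operand: `if ! in_array "$fingerprint" "${validpgpkeys[@]}"; then`. The verified object is the tag `v${pkgver%.*}` while the tree that gets built is `_commit`, and nothing in `prepare()` ties the two together; `git merge-base --is-ancestor "v${pkgver%.*}" "${_commit}" || return` after the checkout would do that. Both repositories are also fetched over unauthenticated `git://` with `SKIP` checksums, so `git+https://` would be the safer scheme in `source=`.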
@@ -95,17 +162,15 @@ package_systemd() { etc/udev/udev.conf) install="systemd.install" - make -C "$pkgname" DESTDIR="$pkgdir" install + DESTDIR="$pkgdir" ninja -C build install # don't write units to /etc by default. some of these will be re-enabled on # post_install. rm -r "$pkgdir/etc/systemd/system/"*.wants - - # get rid of RPM macros - rm -r "$pkgdir/usr/lib/rpm" + rm -r "$pkgdir/etc/systemd/system/"*.service # add back tmpfiles.d/legacy.conf - install -m644 "$pkgname/tmpfiles.d/legacy.conf" "$pkgdir/usr/lib/tmpfiles.d" + install -m644 "$pkgbase-stable/tmpfiles.d/legacy.conf" "$pkgdir/usr/lib/tmpfiles.d" # Replace dialout/tape/cdrom group in rules with uucp/storage/optical group sed -i 's#GROUP="dialout"#GROUP="uucp"#g; 
@@ -120,45 +185,59 @@ package_systemd() { install -Dm644 "$srcdir/initcpio-install-udev" "$pkgdir/usr/lib/initcpio/install/udev" install -Dm644 "$srcdir/initcpio-hook-udev" "$pkgdir/usr/lib/initcpio/hooks/udev" - # ensure proper permissions for /var/log/journal. This is only to placate + # ensure proper permissions for /var/log/journal + # The permissions are stored with named group by tar, so this works with + # users and groups populated by systemd-sysusers. This is only to prevent a + # warning from pacman as permissions are set by systemd-tmpfiles anyway. chown root:systemd-journal "$pkgdir/var/log/journal" chmod 2755 "$pkgdir/var/log/journal" - # we'll create this on installation - #rmdir "$pkgdir/var/log/journal/remote" + # match directory owner/group and mode from extra/polkit + chown root:102 "$pkgdir"/usr/share/polkit-1/rules.d + chmod 0750 "$pkgdir"/usr/share/polkit-1/rules.d - # fix pam file - sed 's|system-auth|system-login|g' -i "$pkgdir/etc/pam.d/systemd-user" + # we'll create this on installation + # rmdir "$pkgdir/var/log/journal/remote" # ship default policy to leave services disabled echo 'disable *' >"$pkgdir"/usr/lib/systemd/system-preset/99-default.preset - ### split out manpages for sysvcompat - rm -rf "$srcdir/_sysvcompat" - install -dm755 "$srcdir"/_sysvcompat/usr/share/man/man8/ - mv "$pkgdir"/usr/share/man/man8/{telinit,halt,reboot,poweroff,runlevel,shutdown}.8 \ - "$srcdir"/_sysvcompat/usr/share/man/man8 + # manpages shipped with systemd-sysvcompat + rm "$pkgdir"/usr/share/man/man8/{telinit,halt,reboot,poweroff,runlevel,shutdown}.8 + + # runtime libraries shipped with libsystemd + rm "$pkgdir"/usr/lib/lib{nss,systemd,udev}*.so* - ### split off runtime libraries - rm -rf "$srcdir/_libsystemd" - install -dm755 "$srcdir"/_libsystemd/usr/lib - cd "$srcdir"/_libsystemd - mv "$pkgdir"/usr/lib/lib{systemd,udev}*.so* usr/lib + # allow core/filesystem to pristine nsswitch.conf + rm "$pkgdir/usr/share/factory/etc/nsswitch.conf" + sed -i '/^C 
\/etc\/nsswitch\.conf/d' "$pkgdir/usr/lib/tmpfiles.d/etc.conf" # add example bootctl configuration install -Dm644 "$srcdir/arch.conf" "$pkgdir"/usr/share/systemd/bootctl/arch.conf install -Dm644 "$srcdir/loader.conf" "$pkgdir"/usr/share/systemd/bootctl/loader.conf install -Dm644 "$srcdir/splash-arch.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-arch.bmp + + install -Dm644 "$srcdir/systemd-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-hwdb.hook" + install -Dm644 "$srcdir/systemd-sysusers.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-sysusers.hook" + install -Dm644 "$srcdir/systemd-tmpfiles.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-tmpfiles.hook" + install -Dm644 "$srcdir/systemd-update.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-update.hook" + + # overwrite the systemd-user PAM configuration with our own + install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user" } package_libsystemd() { pkgdesc="systemd client libraries" - depends=('glibc' 'libgcrypt' 'lz4' 'xz') + depends=('glibc' 'libcap' 'libgcrypt' 'lz4' 'xz') license=('GPL2') - provides=('libsystemd.so' 'libsystemd-daemon.so' 'libsystemd-id128.so' - 'libsystemd-journal.so' 'libsystemd-login.so' 'libudev.so') + provides=('libsystemd.so' 'libudev.so') + + # meson does not support installing subsets of files, no? + # So do a full install to temporary directory, then install what we need. + DESTDIR="$srcdir"/full-install ninja -C build install - mv "$srcdir/_libsystemd"/* "$pkgdir" + install -dm755 "$pkgdir"/usr/lib/ + cp --archive "$srcdir"/full-install/usr/lib/lib{nss_*,systemd,udev}.so* "$pkgdir"/usr/lib/ } package_systemd-sysvcompat() { 
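Review bot: `chown root:102 "$pkgdir"/usr/share/polkit-1/rules.d` hard-codes a numeric GID, and together with `chmod 0750` it gives whatever group holds GID 102 on the target system read access to the polkit rules directory. The comment says this mirrors extra/polkit, but nothing here checks that 102 is that group on this distribution; a comment such as `# 102 = polkitd gid as shipped by extra/polkit; keep in sync` would make the dependency visible (the 102/polkitd mapping is inferred and should be confirmed). Separately, `install -Dm644 systemd-user.pam ...` relies on the current directory, whereas the other installs in `package_systemd()` use `"$srcdir/..."`; `install -Dm644 "$srcdir/systemd-user.pam" "$pkgdir/etc/pam.d/systemd-user"` would be consistent. The function starts before this hunk.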
@@ -168,7 +247,10 @@ package_systemd-sysvcompat() { conflicts=('sysvinit') depends=('systemd') - mv "$srcdir/_sysvcompat"/* "$pkgdir" + install -dm755 "$pkgdir"/usr/share/man/man8 + cp -d --no-preserve=ownership,timestamp \ + build/man/{telinit,halt,reboot,poweroff,runlevel,shutdown}.8 \ + "$pkgdir"/usr/share/man/man8 install -dm755 "$pkgdir/usr/bin" #for tool in runlevel reboot shutdown poweroff halt telinit; do diff --git a/abs/core/systemd/__changelog b/abs/core/systemd/__changelog index 841eee3..591fa91 100644 --- a/abs/core/systemd/__changelog +++ b/abs/core/systemd/__changelog @@ -1,4 +1,3 @@ -PKGBUILD: change dep python-lxml to python2-lxml PKGBUILD: comment out rmdir "$pkgdir/var/log/journal/remote" PKGBUILD: Change for tool in runlevel reboot shutdown poweroff halt telinit; do to for tool in runlevel telinit; do diff --git a/abs/core/systemd/initcpio-install-systemd b/abs/core/systemd/initcpio-install-systemd index 96df98a..40a352c 100644 --- a/abs/core/systemd/initcpio-install-systemd +++ b/abs/core/systemd/initcpio-install-systemd @@ -93,6 +93,13 @@ add_systemd_unit() { fi } +add_systemd_drop_in() { + local unit=$1 dropin_name=$2 + + mkdir -p "$BUILDROOT/etc/systemd/system/$unit.d" + cat >"$BUILDROOT/etc/systemd/system/$unit.d/$2.conf" +} + build() { local rules unit @@ -100,16 +107,16 @@ build() { add_binary /bin/mount add_binary /usr/bin/kmod /usr/bin/modprobe add_binary /usr/lib/systemd/systemd /init + add_binary /usr/bin/sulogin map add_binary \ /usr/bin/systemd-tmpfiles \ /usr/lib/systemd/systemd-hibernate-resume \ + /usr/lib/systemd/systemd-sulogin-shell \ /usr/lib/systemd/system-generators/systemd-fstab-generator \ /usr/lib/systemd/system-generators/systemd-gpt-auto-generator \ /usr/lib/systemd/system-generators/systemd-hibernate-resume-generator - add_module "kdbus?" - # udev rules and systemd units map add_udev_rule "$rules" \ 50-udev-default.rules \ 
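Review bot: `add_systemd_drop_in` declares `dropin_name=$2` but then builds the path from `$2`, so the local is unused; `cat >"$BUILDROOT/etc/systemd/system/$unit.d/$dropin_name.conf"` reads better. The function also has no comment saying that the drop-in body is read from stdin; a header line such as `# usage: add_systemd_drop_in UNIT NAME <<EOF ... EOF (body read from stdin)` would help. Neither argument is checked before being placed in a path under `$BUILDROOT`, which is fine only as long as callers pass fixed literals.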
@@ -123,6 +130,7 @@ build() { initrd-fs.target \ initrd-parse-etc.service \ initrd-root-fs.target \ + initrd-root-device.target \ initrd-switch-root.service \ initrd-switch-root.target \ initrd-udevadm-cleanup-db.service \ @@ -140,27 +148,47 @@ build() { systemd-journald.service \ systemd-journald-audit.socket \ systemd-journald-dev-log.socket \ + systemd-modules-load.service \ systemd-tmpfiles-setup-dev.service \ systemd-udev-trigger.service \ systemd-udevd-control.socket \ systemd-udevd-kernel.socket \ systemd-udevd.service \ - timers.target + timers.target \ + rescue.target \ + emergency.target add_symlink "/usr/lib/systemd/system/default.target" "initrd.target" add_symlink "/usr/lib/systemd/system/ctrl-alt-del.target" "reboot.target" - # udev wants /etc/group since it doesn't launch with --resolve-names=never - add_file "/etc/nsswitch.conf" add_binary "$(readlink -f /usr/lib/libnss_files.so)" - add_file "/etc/passwd" - add_file "/etc/group" + printf '%s\n' >"$BUILDROOT/etc/nsswitch.conf" \ + 'passwd: files' \ + 'group: files' \ + 'shadow: files' + + echo "root:x:0:0:root:/:/bin/sh" >"$BUILDROOT/etc/passwd" + echo "root:x:0:root" >"$BUILDROOT/etc/group" + echo "root::::::::" >"$BUILDROOT/etc/shadow" + + add_systemd_drop_in systemd-udevd.service resolve-names <<EOF +[Service] +ExecStart= +ExecStart=/usr/lib/systemd/systemd-udevd --resolve-names=never +EOF + + add_dir "/etc/modules-load.d" + ( + . "$_f_config" + set -f + printf '%s\n' ${MODULES[@]} >"$BUILDROOT/etc/modules-load.d/MODULES.conf" + ) } help() { cat <<HELPEOF This will install a basic systemd setup in your initramfs, and is meant to -replace the 'base', 'usr', 'udev' and 'timestamp' hooks. Other hooks with runtime +replace the 'base', 'usr', 'udev' and 'resume' hooks. Other hooks with runtime components will need to be ported, and will not work as intended. You also may wish to still include the 'base' hook (before this hook) to ensure that a rescue shell exists on your initramfs. 
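Review bot: The generated `$BUILDROOT/etc/shadow` contains `root::::::::`, an empty password field for root, in the same change that adds `sulogin`, `rescue.target` and `emergency.target` to the image. Presumably this is so the rescue shell can be reached in early boot, but it means console access at that stage is not gated by a password. That trade-off deserves a comment next to the line, e.g. `# empty root password on purpose: initramfs rescue/emergency shell; protect the console by other means`. The unquoted `${MODULES[@]}` under `set -f` looks intentional (word splitting without globbing) and could carry a short comment too. `build()` starts before this hunk.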
diff --git a/abs/core/systemd/initcpio-install-udev b/abs/core/systemd/initcpio-install-udev index 7f0301a..31d9827 100644 --- a/abs/core/systemd/initcpio-install-udev +++ b/abs/core/systemd/initcpio-install-udev @@ -19,9 +19,10 @@ build() { help() { cat <<HELPEOF -This hook will use udev to create your root device node and detect the needed -modules for your root device. It is also required for firmware loading in -initramfs. It is recommended to use this hook. +This hook adds the udev daemon to the initramfs, allowing for dynamic loading +of modules and reliable detection of the root device via tags (e.g. UUID or +LABEL). Do not remove this hook unless you are using the systemd hook, or you +know what you're doing. HELPEOF } diff --git a/abs/core/systemd/systemd-hwdb.hook b/abs/core/systemd/systemd-hwdb.hook new file mode 100644 index 0000000..d7c9877 --- /dev/null +++ b/abs/core/systemd/systemd-hwdb.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Operation = Remove +Target = usr/lib/udev/hwdb.d/* + +[Action] +Description = Updating udev hardware database... +When = PostTransaction +Exec = /usr/bin/systemd-hwdb --usr update diff --git a/abs/core/systemd/systemd-sysusers.hook b/abs/core/systemd/systemd-sysusers.hook new file mode 100644 index 0000000..6b8affa --- /dev/null +++ b/abs/core/systemd/systemd-sysusers.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Target = usr/lib/sysusers.d/*.conf + +[Action] +Description = Updating system user accounts... +When = PostTransaction +Exec = /bin/sh -c 'while read -r f; do /usr/bin/systemd-sysusers "$(basename "$f")" ; done' +NeedsTargets diff --git a/abs/core/systemd/systemd-tmpfiles.hook b/abs/core/systemd/systemd-tmpfiles.hook new file mode 100644 index 0000000..18cdd91 --- /dev/null +++ b/abs/core/systemd/systemd-tmpfiles.hook 
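Review bot: In `systemd-sysusers.hook` the `Exec` loop exits with the status of its last `systemd-sysusers` call only, so a failure on an earlier target is masked; `systemd-tmpfiles.hook` uses the same pattern with `systemd-tmpfiles --create`. Tracking the result would surface it, e.g. `rc=0; while read -r f; do /usr/bin/systemd-sysusers "$(basename "$f")" || rc=1; done; exit $rc` inside the `sh -c` string. Whether pacman treats a non-zero hook exit as more than a warning is not visible here.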
@@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Target = usr/lib/tmpfiles.d/*.conf + +[Action] +Description = Creating temporary files... +When = PostTransaction +Exec = /bin/sh -c 'while read -r f; do /usr/bin/systemd-tmpfiles --create "$(basename "$f")"; done' +NeedsTargets diff --git a/abs/core/systemd/systemd-update.hook b/abs/core/systemd/systemd-update.hook new file mode 100644 index 0000000..3697fbd --- /dev/null +++ b/abs/core/systemd/systemd-update.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Operation = Remove +Target = usr/ + +[Action] +Description = Arming ConditionNeedsUpdate... +When = PostTransaction +Exec = /usr/bin/touch -c /usr diff --git a/abs/core/systemd/systemd-user.pam b/abs/core/systemd/systemd-user.pam new file mode 100644 index 0000000..83f7626 --- /dev/null +++ b/abs/core/systemd/systemd-user.pam @@ -0,0 +1,5 @@ +# Used by systemd --user instances. + +account include system-login +session required pam_loginuid.so +session include system-login diff --git a/abs/core/systemd/systemd.install b/abs/core/systemd/systemd.install index b0a3e1f..fedc747 100644 --- a/abs/core/systemd/systemd.install +++ b/abs/core/systemd/systemd.install 
@@ -4,143 +4,17 @@ sd_booted() { [[ -d run/systemd/system && ! -L run/systemd/system ]] } -add_privs() { - if ! setcap "$2" "$1" 2>/dev/null; then - echo "==> Warning: setcap failed, falling back to setuid root on /$1" - chmod u+s "$1" - fi -} - add_journal_acls() { # ignore errors, since the filesystem might not support ACLs setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx var/log/journal/ 2>/dev/null : } -maybe_reexec() { - # don't reexec on 209-1 upgrade due to large infrastructural changes. - if [[ $(vercmp 209-1 "$2") -eq 1 ]]; then - echo ':: systemd has not been reexecuted. It is recommended that you' - echo ' reboot at your earliest convenience.' - return - fi - - if sd_booted; then - systemctl --system daemon-reexec - fi -} - -_dir_empty() { - set -- "$1"/* - [[ ! -e $1 && ! -L $1 ]] -} - post_common() { systemd-sysusers - udevadm hwdb --update journalctl --update-catalog } -_204_1_changes() { - printf '==> The /bin/systemd symlink has been removed. Any references in your\n' - printf ' bootloader (or elsewhere) must be updated to /usr/lib/systemd/systemd.\n' -} - -_205_1_changes() { - printf '==> systemd 205 restructures the cgroup hierarchy and changes internal\n' - printf ' protocols. You should reboot at your earliest convenience.\n' -} - -_206_1_changes() { - printf '==> The "timestamp" hook for mkinitcpio no longer exists. If you used\n' - printf ' this hook, you must remove it from /etc/mkinitcpio.conf. A "systemd"\n' - printf ' hook has been added which provides this functionality, and more.\n' -} - -_208_1_changes() { - if [[ -e var/lib/backlight && ! -e var/lib/systemd/backlight ]]; then - mv -T var/lib/backlight var/lib/systemd/backlight - fi - - if [[ -e var/lib/random-seed && ! 
-e var/lib/systemd/random-seed ]]; then - mv -T var/lib/random-seed var/lib/systemd/random-seed - fi -} - -_208_8_changes() { - add_journal_acls -} - -_209_1_changes() { - # attempt to preserve existing behavior - - local old_rule=etc/udev/rules.d/80-net-name-slot.rules - local new_rule=etc/udev/rules.d/80-net-setup-link.rules - - echo ":: Network device naming is now controlled by udev's net_setup_link" - echo " builtin. Refer to the systemd.link manpage for a full description." - - # not clear what action we can take here, so don't do anything - [[ -e $new_rule ]] && return 0 - - # rename the old rule to the new one so that we preserve the user's - # existing option. - if [[ -e $old_rule ]]; then - printf ':: Renaming %s to %s in order\n' "${old_rule##*/}" "${new_rule##*/}" - printf ' to preserve existing network naming behavior.\n' - mv -v "$old_rule" "$new_rule" - else - echo ':: No changes have been made to your network naming configuration.' - echo ' Interfaces should continue to maintain the same names.' - fi -} - -_210_1_changes() { - if sd_booted; then - # If /etc/systemd/network is non-empty, then this is a 209 user who used - # networkd. Re-enable it for them. - if ! _dir_empty etc/systemd/network; then - systemctl enable systemd-networkd - fi - fi -} - -_213_4_changes() { - if sd_booted; then - # if /etc/resolv.conf is a symlink, just assume that it was being managed - # by systemd-networkd, and re-enable systemd-resolved. - if [[ -L etc/resolv.conf ]]; then - systemctl enable systemd-resolved - fi - fi -} - -_214_2_changes() { - # /run/systemd/network/resolv.conf -> /run/systemd/resolve/resolv.conf - if [[ etc/resolv.conf -ef run/systemd/network/resolv.conf ]]; then - ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf - - if sd_booted; then - if [[ ! 
-d run/systemd/resolve ]]; then - mkdir run/systemd/resolve - fi - - if [[ -f run/systemd/network/resolv.conf ]]; then - mv run/systemd/{network,resolve}/resolv.conf - fi - fi - fi - - echo ':: coredumps are no longer sent to the journal by default. To re-enable:' - echo ' echo >/etc/sysctl.d/50-coredump.conf \' - echo ' "kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %p %u %g %s %t %e"' -} - -_215_2_changes() { - # create at least the symlink from /etc/os-release to /usr/lib/os-release - systemd-tmpfiles --create etc.conf -} - _216_2_changes() { echo ':: Coredumps are handled by systemd by default. Collection behavior can be' echo ' tuned in /etc/systemd/coredump.conf.' @@ -158,6 +32,27 @@ _219_4_changes() { fi } +_230_1_changes() { + echo ':: systemd-bootchart is no longer included with systemd' +} + +_232_8_changes() { + # paper over possible effects of CVE-2016-10156 + local stamps=(/var/lib/systemd/timers/*.timer) + + if [[ -f ${stamps[0]} ]]; then + chmod 0644 "${stamps[@]}" + fi +} + +_233_75_3_changes() { + # upstream installs services to /etc, which we remove + # to keep bus activation we re-enable systemd-resolved + if systemctl is-enabled -q systemd-resolved.service; then + systemctl reenable systemd-resolved.service 2>/dev/null + fi +} + post_install() { systemd-machine-id-setup @@ -179,25 +74,24 @@ post_install() { post_upgrade() { post_common "$@" - maybe_reexec "$@" - - local v upgrades=(204-1 - 205-1 - 206-1 - 208-1 - 208-8 - 209-1 - 210-1 - 213-4 - 214-2 - 215-2 - 216-2 - 219-2 - 219-4) + # don't reexec if the old version is 231-1 or 231-2. + # https://github.com/systemd/systemd/commit/bd64d82c1c + if [[ $1 != 231-[12] ]] && sd_booted; then + systemctl --system daemon-reexec + fi + + local v upgrades=( + 216-2 + 219-2 + 219-4 + 230-1 + 232-8 + 233.75-3 + ) for v in "${upgrades[@]}"; do if [[ $(vercmp "$v" "$2") -eq 1 ]]; then - "_${v//-/_}_changes" + "_${v//[.-]/_}_changes" fi done } |
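Review bot: `_232_8_changes` resets the timer stamp files to 0644 but gives no signal when a stamp actually had a wider mode, so an administrator cannot tell afterwards whether the system was exposed to CVE-2016-10156 before the upgrade. Listing the affected files before the `chmod`, for instance `find "${stamps[@]}" -perm /6022 -print`, would leave that record in the pacman output. The `[[ -f ${stamps[0]} ]]` test inspects only the first glob result, which is enough to detect an unmatched glob but is worth a one-line comment.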
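Review bot: The re-exec guard in `post_upgrade()` tests `$1`, but the comment above it speaks of the old version and the loop below compares against `$2`. pacman passes the new version as `$1` and the old one as `$2`, so as written the exclusion can never match once this package is the one being installed. If the comment states the intent, the test should read `if [[ $2 != 231-[12] ]] && sd_booted; then`.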