2021-02-03 19:25:52 +00:00
|
|
|
# NOTE: Make sure to (re-)format this file on changes with `nixpkgs-fmt`!
|
|
|
|
|
|
2020-10-27 22:28:29 +00:00
|
|
|
{ stdenv
|
|
|
|
|
, lib
|
2021-12-09 11:39:30 +00:00
|
|
|
, nixosTests
|
2023-02-02 16:57:21 +00:00
|
|
|
, pkgsCross
|
2020-10-27 22:28:29 +00:00
|
|
|
, fetchFromGitHub
|
2021-10-15 21:28:13 +00:00
|
|
|
, fetchzip
|
2020-10-25 08:38:02 +00:00
|
|
|
, buildPackages
|
2022-09-23 21:47:05 +00:00
|
|
|
, makeBinaryWrapper
|
2020-10-27 22:28:29 +00:00
|
|
|
, ninja
|
|
|
|
|
, meson
|
|
|
|
|
, m4
|
2021-01-19 06:50:56 +00:00
|
|
|
, pkg-config
|
2020-10-27 22:28:29 +00:00
|
|
|
, coreutils
|
|
|
|
|
, gperf
|
|
|
|
|
, getent
|
|
|
|
|
, glibcLocales
|
2021-12-12 14:59:20 +00:00
|
|
|
|
|
|
|
|
# glib is only used during tests (test-bus-gvariant, test-bus-marshal)
|
2020-10-27 22:28:29 +00:00
|
|
|
, glib
|
|
|
|
|
, gettext
|
|
|
|
|
, python3Packages
|
|
|
|
|
|
|
|
|
|
# Mandatory dependencies
|
2020-10-26 07:17:14 +00:00
|
|
|
, libcap
|
2020-11-24 15:29:28 +00:00
|
|
|
, util-linux
|
2020-10-26 07:17:14 +00:00
|
|
|
, kbd
|
|
|
|
|
, kmod
|
2022-09-24 18:38:33 +00:00
|
|
|
, libxcrypt
|
2020-10-26 07:17:14 +00:00
|
|
|
|
2020-10-27 22:28:29 +00:00
|
|
|
# Optional dependencies
|
|
|
|
|
, pam
|
|
|
|
|
, cryptsetup
|
|
|
|
|
, audit
|
|
|
|
|
, acl
|
|
|
|
|
, lz4
|
|
|
|
|
, libgcrypt
|
2021-09-04 20:05:03 +00:00
|
|
|
, libgpg-error
|
2020-10-27 22:28:29 +00:00
|
|
|
, libidn2
|
|
|
|
|
, curl
|
|
|
|
|
, gnutar
|
|
|
|
|
, gnupg
|
|
|
|
|
, zlib
|
|
|
|
|
, xz
|
2021-11-19 01:54:49 +00:00
|
|
|
, zstd
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
, tpm2-tss
|
2020-10-27 22:28:29 +00:00
|
|
|
, libuuid
|
|
|
|
|
, libapparmor
|
|
|
|
|
, intltool
|
|
|
|
|
, bzip2
|
|
|
|
|
, pcre2
|
2021-11-19 01:55:14 +00:00
|
|
|
, elfutils
|
2020-10-26 07:17:14 +00:00
|
|
|
, linuxHeaders ? stdenv.cc.libc.linuxHeaders
|
2022-09-01 12:39:00 +00:00
|
|
|
, gnutls
|
2020-10-26 07:17:14 +00:00
|
|
|
, iptables
|
2020-10-27 22:28:29 +00:00
|
|
|
, withSelinux ? false
|
|
|
|
|
, libselinux
|
2021-02-25 16:21:13 +00:00
|
|
|
, withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp
|
2020-10-27 22:28:29 +00:00
|
|
|
, libseccomp
|
2021-09-03 14:17:21 +00:00
|
|
|
, withKexectools ? lib.meta.availableOn stdenv.hostPlatform kexec-tools
|
|
|
|
|
, kexec-tools
|
2020-10-26 07:17:14 +00:00
|
|
|
, bashInteractive
|
2023-02-02 16:57:21 +00:00
|
|
|
, bash
|
2020-11-01 17:47:18 +00:00
|
|
|
, libmicrohttpd
|
2021-12-12 14:49:40 +00:00
|
|
|
, libfido2
|
|
|
|
|
, p11-kit
|
2023-11-19 01:35:57 +00:00
|
|
|
, libpwquality
|
|
|
|
|
, qrencode
|
2020-10-26 07:17:14 +00:00
|
|
|
|
2024-01-22 23:37:48 +00:00
|
|
|
# the (optional) BPF feature requires bpftool, libbpf, clang and llvm-strip to
|
|
|
|
|
# be available during build time.
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
# Only libbpf should be a runtime dependency.
|
2023-01-03 21:19:59 +00:00
|
|
|
# Note: llvmPackages is explicitly taken from buildPackages instead of relying
|
|
|
|
|
# on splicing. Splicing will evaluate the adjacent (pkgsHostTarget) llvmPackages
|
|
|
|
|
# which is sometimes problematic: llvmPackages.clang looks at targetPackages.stdenv.cc
|
2024-01-22 23:37:48 +00:00
|
|
|
# which, in the unfortunate case of pkgsCross.ghcjs, `throw`s. If we
|
|
|
|
|
# explicitly take buildPackages.llvmPackages, this is no problem because
|
|
|
|
|
# `buildPackages.targetPackages.stdenv.cc == stdenv.cc` relative to
|
|
|
|
|
# us. Working around this is important, because systemd is in the dependency
|
|
|
|
|
# closure of GHC via emscripten and jdk.
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
, bpftools
|
|
|
|
|
, libbpf
|
|
|
|
|
|
2023-07-20 17:15:42 +00:00
|
|
|
# Needed to produce a ukify that works for cross compiling UKIs.
|
|
|
|
|
, targetPackages
|
|
|
|
|
|
2023-02-19 04:11:25 +00:00
|
|
|
, withAcl ? true
|
2020-10-27 23:29:07 +00:00
|
|
|
, withAnalyze ? true
|
2020-10-28 00:26:24 +00:00
|
|
|
, withApparmor ? true
|
2023-02-21 07:17:24 +00:00
|
|
|
, withAudit ? true
|
2023-12-14 13:53:49 +00:00
|
|
|
# compiles systemd-boot, assumes EFI is available.
|
|
|
|
|
, withBootloader ? withEfi
|
|
|
|
|
&& !stdenv.hostPlatform.isMusl
|
|
|
|
|
# "Unknown 64-bit data model"
|
|
|
|
|
&& !stdenv.hostPlatform.isRiscV32
|
2024-01-22 23:37:48 +00:00
|
|
|
# adds bzip2, lz4, xz and zstd
|
|
|
|
|
, withCompression ? true
|
2020-11-24 23:11:56 +00:00
|
|
|
, withCoredump ? true
|
2020-10-27 22:48:19 +00:00
|
|
|
, withCryptsetup ? true
|
2023-06-19 00:39:30 +00:00
|
|
|
, withRepart ? true
|
2020-10-27 23:54:08 +00:00
|
|
|
, withDocumentation ? true
|
2023-04-07 10:45:40 +00:00
|
|
|
, withEfi ? stdenv.hostPlatform.isEfi
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
, withFido2 ? true
|
2024-01-22 23:37:48 +00:00
|
|
|
# conflicts with the NixOS /etc management
|
|
|
|
|
, withFirstboot ? false
|
2023-01-11 06:16:18 +00:00
|
|
|
, withHomed ? !stdenv.hostPlatform.isMusl
|
2020-10-26 07:17:14 +00:00
|
|
|
, withHostnamed ? true
|
2020-10-27 22:48:19 +00:00
|
|
|
, withHwdb ? true
|
2021-10-15 21:28:13 +00:00
|
|
|
, withImportd ? !stdenv.hostPlatform.isMusl
|
2023-11-19 01:35:57 +00:00
|
|
|
, withIptables ? true
|
2023-02-21 07:48:27 +00:00
|
|
|
, withKmod ? true
|
2023-01-03 21:19:59 +00:00
|
|
|
, withLibBPF ? lib.versionAtLeast buildPackages.llvmPackages.clang.version "10.0"
|
2024-01-22 23:37:48 +00:00
|
|
|
# assumes hard floats
|
|
|
|
|
&& (stdenv.hostPlatform.isAarch -> lib.versionAtLeast stdenv.hostPlatform.parsed.cpu.version "6")
|
|
|
|
|
# see https://github.com/NixOS/nixpkgs/pull/194149#issuecomment-1266642211
|
|
|
|
|
&& !stdenv.hostPlatform.isMips64
|
2023-12-13 23:51:40 +00:00
|
|
|
# can't find gnu/stubs-32.h
|
|
|
|
|
&& (stdenv.hostPlatform.isPower64 -> stdenv.hostPlatform.isBigEndian)
|
2023-12-14 13:53:49 +00:00
|
|
|
# https://reviews.llvm.org/D43106#1019077
|
|
|
|
|
&& (stdenv.hostPlatform.isRiscV32 -> stdenv.cc.isClang)
|
2023-04-19 18:44:28 +00:00
|
|
|
# buildPackages.targetPackages.llvmPackages is the same as llvmPackages,
|
|
|
|
|
# but we do it this way to avoid taking llvmPackages as an input, and
|
|
|
|
|
# risking making it too easy to ignore the above comment about llvmPackages.
|
|
|
|
|
&& lib.meta.availableOn stdenv.hostPlatform buildPackages.targetPackages.llvmPackages.compiler-rt
|
2023-02-19 02:23:36 +00:00
|
|
|
, withLibidn2 ? true
|
2020-10-26 07:17:14 +00:00
|
|
|
, withLocaled ? true
|
2020-10-27 22:48:19 +00:00
|
|
|
, withLogind ? true
|
2020-10-28 00:08:29 +00:00
|
|
|
, withMachined ? true
|
2020-10-26 07:17:14 +00:00
|
|
|
, withNetworkd ? true
|
2021-10-15 21:28:13 +00:00
|
|
|
, withNss ? !stdenv.hostPlatform.isMusl
|
2022-04-21 16:49:03 +00:00
|
|
|
, withOomd ? true
|
2023-02-21 07:30:26 +00:00
|
|
|
, withPam ? true
|
2023-11-19 01:35:57 +00:00
|
|
|
, withPasswordQuality ? true
|
2020-10-28 00:36:02 +00:00
|
|
|
, withPCRE2 ? true
|
2020-10-27 23:48:51 +00:00
|
|
|
, withPolkit ? true
|
2022-10-14 17:34:07 +00:00
|
|
|
, withPortabled ? !stdenv.hostPlatform.isMusl
|
2023-11-19 01:35:57 +00:00
|
|
|
, withQrencode ? true
|
2021-10-15 21:28:13 +00:00
|
|
|
, withRemote ? !stdenv.hostPlatform.isMusl
|
2020-10-27 22:48:19 +00:00
|
|
|
, withResolved ? true
|
2020-10-27 23:51:39 +00:00
|
|
|
, withShellCompletions ? true
|
2023-11-01 17:17:18 +00:00
|
|
|
, withSysusers ? true
|
2023-07-28 18:47:12 +00:00
|
|
|
, withSysupdate ? true
|
2020-10-26 07:17:14 +00:00
|
|
|
, withTimedated ? true
|
|
|
|
|
, withTimesyncd ? true
|
2022-09-13 14:03:35 +00:00
|
|
|
, withTpm2Tss ? true
|
2024-01-22 23:37:48 +00:00
|
|
|
# adds python to closure which is too much by default
|
|
|
|
|
, withUkify ? false
|
2022-09-13 14:03:35 +00:00
|
|
|
, withUserDb ? true
|
2022-09-13 08:32:35 +00:00
|
|
|
, withUtmp ? !stdenv.hostPlatform.isMusl
|
2023-11-19 01:35:57 +00:00
|
|
|
, withVmspawn ? true
|
2021-12-12 14:59:20 +00:00
|
|
|
# tests assume too much system access for them to be feasible for us right now
|
|
|
|
|
, withTests ? false
|
2023-10-18 09:44:18 +00:00
|
|
|
# build only libudev and libsystemd
|
|
|
|
|
, buildLibsOnly ? false
|
2020-10-26 07:17:14 +00:00
|
|
|
|
2024-01-22 23:37:48 +00:00
|
|
|
# yes, pname is an argument here
|
2020-10-26 07:17:14 +00:00
|
|
|
, pname ? "systemd"
|
|
|
|
|
|
2020-10-27 22:28:29 +00:00
|
|
|
, libxslt
|
|
|
|
|
, docbook_xsl
|
|
|
|
|
, docbook_xml_dtd_42
|
|
|
|
|
, docbook_xml_dtd_45
|
2023-10-23 14:46:12 +00:00
|
|
|
, withLogTrace ? false
|
2012-06-06 16:07:30 +00:00
|
|
|
}:
|
2012-05-21 20:48:19 +00:00
|
|
|
|
2022-05-30 03:49:19 +00:00
|
|
|
assert withImportd -> withCompression;
|
2020-10-27 23:12:45 +00:00
|
|
|
assert withCoredump -> withCompression;
|
2020-10-10 10:05:31 +00:00
|
|
|
assert withHomed -> withCryptsetup;
|
2023-02-21 07:30:26 +00:00
|
|
|
assert withHomed -> withPam;
|
2023-12-22 01:36:30 +00:00
|
|
|
assert withUkify -> (withEfi && withBootloader);
|
2023-06-19 00:39:30 +00:00
|
|
|
assert withRepart -> withCryptsetup;
|
2023-07-28 18:46:45 +00:00
|
|
|
assert withBootloader -> withEfi;
|
2020-10-10 10:05:31 +00:00
|
|
|
|
2020-08-06 10:04:28 +00:00
|
|
|
let
|
2020-10-27 22:48:19 +00:00
|
|
|
wantCurl = withRemote || withImportd;
|
2021-12-12 02:56:45 +00:00
|
|
|
wantGcrypt = withResolved || withImportd;
|
2023-11-19 01:35:57 +00:00
|
|
|
version = "255.2";
|
2021-12-12 02:56:45 +00:00
|
|
|
|
2024-01-22 23:37:48 +00:00
|
|
|
# Use the command below to update `releaseTimestamp` on every (major) version
|
|
|
|
|
# change. More details in the commentary at mesonFlags.
|
2021-12-12 02:56:45 +00:00
|
|
|
# command:
|
|
|
|
|
# $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
|
|
|
|
|
# jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
|
2023-11-19 01:35:57 +00:00
|
|
|
releaseTimestamp = "1701895110";
|
2020-10-27 22:28:29 +00:00
|
|
|
in
|
2023-02-02 16:57:21 +00:00
|
|
|
stdenv.mkDerivation (finalAttrs: {
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
inherit pname version;
|
2018-03-02 23:31:30 +00:00
|
|
|
|
2020-08-06 10:04:28 +00:00
|
|
|
# We use systemd/systemd-stable for src, and ship NixOS-specific patches inside nixpkgs directly
|
|
|
|
|
# This has proven to be less error-prone than the previous systemd fork.
|
2018-03-02 23:31:30 +00:00
|
|
|
src = fetchFromGitHub {
|
2020-01-26 13:56:41 +00:00
|
|
|
owner = "systemd";
|
2023-09-12 08:00:16 +00:00
|
|
|
repo = "systemd-stable";
|
|
|
|
|
rev = "v${version}";
|
2023-11-19 01:35:57 +00:00
|
|
|
hash = "sha256-8SfJY/pcH4yrDeJi0GfIUpetTbpMwyswvSu+RSfgqfY=";
|
2018-03-02 23:31:30 +00:00
|
|
|
};
|
|
|
|
|
|
2024-01-22 23:37:48 +00:00
|
|
|
# On major changes, or when otherwise required, you *must* :
|
|
|
|
|
# 1. reformat the patches,
|
|
|
|
|
# 2. `git am path/to/00*.patch` them into a systemd worktree,
|
|
|
|
|
# 3. rebase to the more recent systemd version,
|
|
|
|
|
# 4. and export the patches again via
|
|
|
|
|
# `git -c format.signoff=false format-patch v${version} --no-numbered --zero-commit --no-signature`.
|
|
|
|
|
# Use `find . -name "*.patch" | sort` to get an up-to-date listing of all
|
|
|
|
|
# patches
|
2020-01-26 13:56:41 +00:00
|
|
|
patches = [
|
|
|
|
|
./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
|
2020-04-29 23:03:18 +00:00
|
|
|
./0002-Don-t-try-to-unmount-nix-or-nix-store.patch
|
|
|
|
|
./0003-Fix-NixOS-containers.patch
|
systemd: 253.3 -> 253.5
This allows us to drop our fsck-look-for-fsck-binary-not-just-in-
sbin.patch, as it was upstreamed.
We also manually backport https://github.com/systemd/systemd/pull/27856 as
it didn't get backported and without it we can't merge this PR as
systemd-boot-builder.py will remain broken and make it impossible to do upgrade
to NixOS 23.05 in some scenarios
Changelog:
```
991158e8b9 (hwdb: update to 2533fdd0fbe71e4a3fa7a2cca9830cd864fb9136, 2023-06-01)
d1087bc599 (test-network: add tests for vlan QoS mapping, 2023-05-24)
7ed7b07a92 (network/vlan: paranoia about type safety, 2023-05-24)
b20bc7c1ff (network/vlan: drop unnecessary restriction for QoS mapping, 2023-05-24)
dbf50f1911 (udev: do not set ID_PATH and by-path symlink for nvmf disks, 2023-05-10)
75d4967502 (journalctl: fix --no-tail handling, 2023-05-04)
f1ea9cd55e (journalctl: use correct variable to check if --since is specified, 2023-05-04)
0227947bab (test/README: fix advice for testsuite debugging, 2023-05-29)
3222272c46 (test-fstab-generator: fix test on systemd with systemd-boot, 2023-05-30)
23b7bf3d01 (home: move the assert back to the intended place, 2023-05-29)
901f0f0ac1 (resolvectl: drop extra colon, 2023-05-28)
5f3ca32d0c (basic/syscall: update syscall list, 2023-05-29)
375e6be16c (tree-wide: Downgrade a few more noisy log messages to trace, 2023-05-27)
3f5f7e5f30 (journal-remote: bump the refcount right after creating the writer object, 2023-05-25)
4810e789ad (man: fix UKI filename suffix in 'tries' description, 2023-05-26)
2e10f8874a (units: Shut down networkd and resolved on switch-root, 2023-05-25)
9dde31ac74 (resolve: avoid memory leak from a partially processed RR, 2023-05-23)
b1663b8333 (sd-journal: avoid double-free, 2023-05-23)
aa48ecb0a6 (core/timer: Always use inactive_exit_timestamp if it is set, 2023-05-23)
ac380e43a4 (core: Do not check child freezability when thawing slice, 2023-05-23)
53bc78d3e0 (tree-wide: Fix false positives on newer gcc, 2023-05-23)
58c1816aa4 (json: correctly handle magic strings when parsing variant strv, 2023-05-23)
fbb2c5ab19 (sysusers: fix argument confusion in error message, 2022-10-13)
e5520ab28f (sysusers: add usual "ret_" prefix, fix messages, 2022-10-13)
286ce2be44 (man: extend description of --boot, 2022-10-09)
7394a75688 (sd-bus: refuse to send messages with an invalid string, 2023-05-19)
ae83e97a51 (core/service: when resetting PID also reset known flag, 2023-05-22)
f0bb967388 (shared: correctly propagate possible allocation errors, 2023-05-21)
318c9d5fec (wait-online: downgrade log level of failure that interface is removed or unmanaged during processing it, 2023-05-22)
1a0f2c5c57 (boot: Read files in small chunks on broken firmware, 2023-01-05)
eeaf884f5b (cryptenroll: update log messages, 2023-05-20)
debce7c184 (test: check if we can use --merge with --follow, 2023-05-19)
3cf401e3e3 (manager: restrict Dump*() to privileged callers or ratelimit, 2023-04-27)
6ca461fe29 (ratelimit: add ratelimit_left helper, 2023-04-28)
604d132fde (journalctl: make --follow work with --merge again, 2023-05-19)
6a4c05c615 (test: make the stress test slightly less stressful on slower machines, 2023-05-19)
a08cb80451 (core/device: downgrade error when units specified in SYSTEMD_WANTS= not found, 2023-05-19)
eb5dad0a72 (unit: add conditions and deps to make oomd.socket and .service consistent, 2023-05-19)
c756ffea57 (oomd: shorten message, 2023-05-18)
a3e5eb5606 (sd-bus,sd-event: allow querying of description even after fork, 2023-05-18)
e91557a1e0 (sd-bus: do not assert if bus description is not set, 2023-05-18)
93b3bd12ac (test: don't mount /sys & /proc if already mounted, 2023-05-18)
c51273941d (nspawn: make the error message less confusing, 2023-05-18)
e85daabd3e (Revert (partially) "man: Clarify when OnFailure= activates after restarts (#7646)", 2023-05-17)
3e286a7b2e (man/tmpfiles: fix off-by-one in example, 2023-05-17)
cb6641bde3 (man: explain allowed values for /sys/power/{disk,state}, 2023-05-17)
65bf6c5a8f (man: say that ProtectClock= also affects reads, 2023-05-17)
13c8807360 (man: fixes for assorted issues reported by the manpage-l10n project, 2023-05-17)
1809fff392 (nspawn: make sure the device type survives when setting device mode, 2023-05-16)
b8ed81660f (nspawn: fix a global-buffer-overflow, 2023-05-15)
756e77b936 (nspawn: fix inverted condition, 2023-05-15)
c7861222ba (nspawn: call json_dispatch() with a correct pointer, 2023-05-15)
6f577f5d92 (nspawn: use the just returned errno in the log message, 2023-05-15)
9a7c6ed568 (nspawn: avoid NULL pointer dereference, 2023-05-16)
17c7b07c67 (nspawn: file system namespace -> mount namespace, 2023-05-15)
b13e836315 (nspawn: fix a typo in an error message, 2023-05-15)
d88225ef44 (busctl: set a description for the bus connection, 2023-05-05)
29115ef32e (man: indicate that the JOB parameter to "systemctl cancel" is optional, 2023-05-16)
051f86ae0e (meson: fix description for link-udev-shared option, 2023-05-16)
85ba46539f (man: use correct name for --bank option, 2023-05-15)
d7e75c7315 (machine,portable: fix a typo in an info message, 2023-05-12)
4d29f741c8 (machine: fix a memory leak when showing multiple machines, 2023-05-12)
e6a719598c (machine: fix a memory leak when showing multiple images, 2023-05-12)
ea221dc685 (fstab-generator: Fix log message, 2023-05-10)
4c3b06f255 (test: test O_CLOEXEC filtering of fdset fill logic, 2023-05-30)
88bf6b5815 (pid1: when taking possession of passed fds check O_CLOEXEC state first, 2023-05-30)
0d8372b450 (repart: Create temporary root directory using var_tmp_dir(), 2023-02-14)
aedfe41cda (cryptenroll: actually allow using multiple "special" strings when wiping, 2023-05-10)
f59ce1aa7b (core: fix use of uninitialized value, 2023-05-04)
3f5db0dbc1 (sd-journal: check .next_entry_array_offset earlier, 2023-05-03)
0baac8e60e (tree-wide: drop _pure_ attribute from non-pure functions, 2023-05-10)
4984f70db5 (dirent: conditionalize dirent assert based on dirent64 existence, 2023-05-10)
5fcbda8b5e (network/tc: rename settings in log messages too, 2023-05-10)
59dccdfddb (sd-bus: bus_message_type_from_string is not pure, 2023-05-10)
133d4ff6d6 (cryptenroll: fix an assertion with weak passwords, 2023-05-09)
c937b8f9de (units: Add CAP_NET_ADMIN condition to systemd-networkd-wait-online@.service as well, 2023-05-07)
60af5019fb (units: add/fix Documentation= about bus interface, 2023-05-09)
53f7e5f18f (core/service: fix error cause in the log, 2023-05-09)
951c27ce14 (shell completion: add timesync-status and show-timesync to zsh completion file (#27574), 2023-05-08)
32831842ba (doc: remove legacy DefaultControlGroup from dbus properties, 2023-05-08)
c31e2fa9c7 (zsh: add service-log-{level,target} completions for systemctl, 2023-05-07)
011a686a23 (test_ukify: fix loop iteration, 2023-04-21)
927d234406 (hwdb: do not include '#' in modalias, 2023-05-06)
b1a7a15ed2 (core: check the unit type more thoroughly when deserializing, 2023-05-04)
154b108513 (shared: refuse fd == INT_MAX, 2023-05-04)
a25605d01d (zsh: remove usage of PREFIX in _systemctl, 2023-05-05)
4be604e75a (basic/audit-util: make a test request before enabling use of audit, 2023-05-02)
4b4285e231 (main: add missing return, 2023-05-05)
ce096b0212 (shared: reject empty attachment path, 2023-05-02)
6027fbf1af (shared: ignore invalid valink socket fd when deserializing, 2023-05-02)
d649128268 (core: fix NULL pointer dereference during deserialization, 2023-05-02)
6ae77d6b99 (boot: Use correct memory type for allocations, 2023-05-02)
de0cbaceb7 (core: check for SERVICE_RELOAD_NOTIFY in manager_dbus_is_running, 2023-05-02)
5ed087fa46 (generators: skip private tmpfs if /tmp does not exist, 2023-04-30)
93143b6d6a (test: replace sleep with timeout, 2023-05-02)
881382685e (test-network: add workaround for bug in iproute2 v6.2.0, 2023-05-02)
abf9e916ad (coredumpctl: add --file/--root/--image to bash completion, 2023-04-25)
dd349a0ede (coredumpctl: fix bash completion matching, 2023-04-25)
120342b62d (test: match all messages with the FILE field, 2023-04-29)
e0da5c9bc6 (test: add tests for "systemctl stop" vs triggering by path unit, 2023-04-29)
c1542a967b (test: create temporary units under /run, 2023-04-29)
03f2a8921e (core/path: do not enqueue new job in .trigger_notify callback, 2023-04-29)
674591e6af (core/path: align table, 2023-04-29)
0413fb7de9 (test: add a couple of tests for systemd-pstore, 2023-04-27)
de41e55c7d (pstore: avoid opening the dmesg.txt file if not requested, 2023-04-28)
37c212dbd7 (pstore: explicitly set the base when converting record ID, 2023-04-28)
daee48adbb (test: dont use anchor char '$' to match a part of a string, 2023-04-27)
53ac14a054 (core/transaction: use hashmap_remove_value() to make not remove job with same ID, 2023-04-26)
0258760397 (resolved: adjust message about credentials, 2023-04-25)
8f19911bc3 (fuzz-journal-remote: fix potential fd-leak, 2023-03-18)
df1e479d4e (fuzz-journal-remote: remove temporary files on exit, 2023-03-18)
0d745e2de3 (hwdb: update to 46b8c3f5b297ac034f2d024c1f3d84ad2c17f410, 2023-04-30)
df9d1d9bb2 (sd-journal: make journal_file_copy_entry() return earlier, 2023-04-26)
3bc2553cfc (sd-journal: copy boot ID, 2023-04-26)
45b045880c (sd-journal: tighten variable scope, 2023-04-26)
3821e3ea07 (journal: Don't try to write garbage if journal entry is corrupted, 2023-04-26)
4eedc4711a (test: add test case of negative match for SYMLINK and TAG, 2023-04-25)
cd795f9abc (udev-rules: fix negative match rule for SYMLINK and TAG, 2023-04-25)
a25e2ef992 (core: fix property getter method for NFileDescriptorStore bus property, 2023-04-12)
eec30e3143 (repart: always take BSD lock when whole block device is opened, 2023-04-13)
50ab96e442 (bootctl: clean up handling of files with no version information, 2023-03-30)
9d97c8d423 (mkosi: disable centos 8 build, 2023-04-26)
c603dae241 (mkosi: disable key check for Fedora builds, 2023-04-26)
724a50fb01 (mkfs-util: do not pass -quiet to mksquashfs, 2023-04-27)
43d194392f (test: use setpriv instead of su for user switch from root, 2023-03-14)
ba683eb48c (test: wrap mkfs.*/mksquashfs/mkswap binaries when running w/ ASan, 2023-03-16)
fdcd1807ff (test: bump the D-Bus related timeouts to 120s, 2023-03-09)
4f8b2abf69 (coredump filter: add mask for 'all' using UINT32_MAX, not UINT64_MAX, 2023-04-26)
021bb972ff (coredump filter: fix stack overflow with =all, 2023-04-26)
3fd444c048 (build(deps): bump github/super-linter from 4.9.7 to 4.10.1, 2023-04-01)
a19396c73b (cryptenroll: fix a memory leak, 2023-03-27)
083ede1482 (test: tell dfuzzer to skip Reexecute(), 2023-04-26)
ae12c1380b (portablectl: add --extension to bash completion, 2023-04-25)
b1ecfe3fe7 (man: /usr/lib/systemd/random-seed -> /usr/lib/systemd/systemd-random-seed, 2023-04-25)
8895ccaaa8 (cryptsetup-fido2: Depend on libcryptsetup, 2023-04-24)
c6e957d02d (test: use idiomatic bash loop iteration, 2023-04-07)
26e181e94e (testsuite-54: drop unnecessary pipe, 2023-04-05)
d2c738341b (testsuite-70: drop unnecessary env, 2023-04-05)
f3abd451dd (test: drop uses of "&& { echo 'unexpected success'; exit 1; }", 2023-04-05)
59243061f6 (man: fix LogControl1 manpage example, 2023-04-24)
04983c2b00 (pam: cache sd-bus separately per module, 2023-04-16)
0045d952b5 (pam_systemd_home: clean up sd-bus when called about something else's user, 2023-04-20)
c50ec75e1e (testsuite-04: remove unnecessary conditional, 2023-04-04)
5a8987794e (man: clarify sd_bus_default, 2023-04-22)
b9af9a320e (man: add working example to LogControl1 manpage, 2023-04-21)
4d2b5338ac (detect-virt: add message at debug level, 2023-04-20)
749a6d9959 (dissect: let's check for crypto_LUKS before fstype allowlist check, 2023-04-20)
1aa6171081 (ratelimit: handle counter overflows somewhat sanely, 2023-04-20)
5ff63b8507 (man: try to make clearer that /var/ is generally not available in /usr/lib/systemd/system-shutdown/ callouts, 2023-04-20)
2be23f69ee (dissect-image: issue BLKFLSBUF before probing an fs at block device offset != 0, 2023-04-20)
7b437659b1 (list: fix double evaluation, 2023-04-20)
ffbb75aa46 (mountpoint-util: check /proc is mounted on failure, 2023-04-17)
14eb49b5eb (test: prefix the transient unit with test- to make coverage runs happy, 2023-04-18)
980954d2cf (kmod-setup: bypass heavy virtio-rng check if we are not running in a VM anyway, 2023-04-18)
567a1a6fd8 (kmod-setup: use STARTSWITH_SET() where appropriate, 2023-04-18)
d37f06f96f (creds: make available to all ExecStartPre= and ExecStart= processes, 2023-04-15)
d15f907b5b (user-util:remove duplicate includes, 2023-04-17)
cedea4cb7e (virt: Further improve detection of EC2 metal instances, 2023-04-13)
826662680b (string-util: add strstrafter(), 2023-04-14)
ac721c88af (test: add a couple of tests with invalid UTF-8 characters, 2023-04-15)
9c8d8719e4 (test: add a simple test for getenv_path_list(), 2023-04-15)
a9c73150ac (test: add a couple of basic sanity tests for the security verb, 2023-04-15)
06a70861bc (test: add a couple of basic sanity tests for timedatectl, 2023-04-15)
def6c37a19 (shared: add a missing include, 2023-04-15)
79e23f618f (test: add tests for uuid/uint64 specifiers, 2023-04-15)
3ee1839c19 (fsck: look for fsck binary not just in /sbin, 2023-04-13)
eab75a8591 (test: stop the test unit when it's not needed anymore, 2023-04-14)
f86ec34958 (Synposis and description of networkctl man page reflecting only part of its functionality (#27264), 2023-04-13)
fffcebc4bb (core/main: fix a typo for --log-target, 2023-04-13)
f152cdabae (test: add some tests for RuntimeMaxSec, 2023-04-13)
999f48558b (scope: do not disable timer event source when state is SCOPE_RUNNING, 2023-04-04)
430861fc96 (Fix cross-reference of manual for LogsDirectory, 2023-04-12)
91953109ec (pid1: fix coredump_filter setting, 2023-04-12)
fa8d33bb37 (Uphold/StopWhenUnneeded/BindsTo: requeue when job finishes, 2023-04-12)
6fc08d8407 (Uphold/StopWhenUnneeded/BindsTo: add retry timer on rate limit, 2023-04-12)
1fb4ae32b0 (man: add util-linux to the package list for Fedora container, 2023-04-12)
841146f243 (man: link to Fedora 37, 2023-04-12)
465edc1230 (systemctl: suppress error for try-* if unit is masked, 2023-04-04)
7102925d1a (ci: drop checkout from release workflow, 2023-04-11)
167c01688f (ci: don't run release wf on `systemd-security`, 2023-04-11)
bda5c892a8 (shell-completion: add --xml-interface option of busctl to the rules, 2023-04-11)
6265430ca9 (busctl: add --xml-interface to the help message, 2023-04-11)
d26fd71d1a (test: update description, 2023-04-11)
35a6460a2f (test: systemd-analyze blame should succeed now, 2023-04-10)
ef10974c66 (analyze: make blame command work even the default target not reached, 2023-04-10)
dc2facf61d (ci: add permissions to make a release, 2023-04-03)
4c65c644d6 (test/test-functions: fix typo in install_suse_systemd(), 2023-04-04)
fca5a45a59 (test: install symlinks with valid targets on SUSE and Debian, 2023-03-24)
d18037b8ff (localed: fix invalid free after shifting pointers using strstrip, 2023-04-07)
93ac024b7e (test: bump the timeout for non-qemu runs to 90s, 2023-04-07)
283b7b4159 (test: enable the systemd-resolved unit in TEST-75, 2023-04-07)
6179141124 (man/systemd-mount: Clearify documentation about --bind-device, 2023-04-05)
b2e1dabbeb (resolve: change DNS_PACKET_UNICAST_SIZE_LARGE_MAX to 1232 (#27171), 2023-04-07)
16dc17d68c (man: netdev: Clarify wireguard IPv6 endpoint format, 2023-04-07)
0558c490a6 (test: use kbd-mode-map we ship in TEST-73-LOCALE, 2023-04-05)
64ef6ccd4f (ci: do one build with no tpm/p11kit/fido2, 2023-04-04)
018461aaf0 (man: mention -o option for systemd-journal-remote, 2023-04-05)
31c7f6d0d1 (manager: remove transient unit directory during startup, 2023-04-04)
49c6965946 (core: a more informative error when SetProperties/StartTransientUnit fails, 2023-04-02)
649e335bc1 (journald: fix log message, 2023-04-04)
eda7bf237f (Added unit test for strv_env_name_is_valid() function listed in env-util.c (#27100), 2023-04-02)
0430078cfb (man: restore description of ConditionControlGroupController=v1|v2, 2023-03-31)
0d9c2c270b (test: set ReadWritePaths= for test-.services when built w/ coverage, 2023-03-31)
384fec2622 (core: skip deps on oomd if v2 or memory unavailable, 2023-03-31)
2950b4ebf6 (test: fixed negative checks in TEST-70-TPM2. Use in-line error handling rather than redirections. Follow up on #27020, 2023-03-30)
786649c904 (test: make make_addresses() actually return the addresses, 2023-03-30)
5e3ac73017 (coverage: add a wrapper for execveat(), 2023-03-30)
8b1cc644c5 (man: add example for sd_bus_call_method, 2023-03-30)
382e53977c (man: further shorten print-unit-path example, 2023-03-29)
960f05945c (man: link up new online coredump docs from man page, 2023-03-30)
edfca36727 (tree-wide: reset optind to 0 when GNU extensions in optstring are used, 2023-03-21)
91ff21962d (test-kernel-install: several cleanups, 2023-03-28)
9943f2af3d (units: let's establish the coredump socket before writting core_pattern sysctl, 2023-03-29)
dbb1b9c2c8 (test: do not remove state directory on failure, 2023-03-29)
29cfb05183 (test: fix shellcheck warnings in test-sysusers.sh, 2023-03-29)
18afac6e90 (man: fix shellcheck warning for html.in, 2023-03-29)
4629419038 (added more test cases, 2023-03-27)
05ae9e276c (test: fix regexp in testsuite-74.mount.sh, 2023-03-28)
295012f7fa (test: drop extraneous bracket in testsuite-74.mount.sh, 2023-03-28)
ff7040b193 (busctl: also assume --full if not writing to terminal, 2023-03-28)
00977a8e74 (busctl: use size_t for set size, 2023-03-28)
802fded9a5 (busctl: do not truncate property values when --full, 2023-03-28)
e400a62a92 (oomd: add inline comments with param names, 2023-03-21)
4067ec52f4 (test: add more testcases for rm_rf(), 2023-03-19)
201830df21 (rm-rf: also chmod() directory if it cannot be opened, 2023-03-19)
d91f7eb0fb (rm-rf: mask file mode with 07777 when passed to chmod(), 2023-03-19)
80417f90b0 (rm-rf: fix errno handling, 2023-03-18)
```
Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
2023-05-03 07:09:53 +00:00
|
|
|
./0004-Add-some-NixOS-specific-unit-directories.patch
|
|
|
|
|
./0005-Get-rid-of-a-useless-message-in-user-sessions.patch
|
|
|
|
|
./0006-hostnamed-localed-timedated-disable-methods-that-cha.patch
|
2023-11-19 01:35:57 +00:00
|
|
|
./0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
|
|
|
|
|
./0008-localectl-use-etc-X11-xkb-for-list-x11.patch
|
|
|
|
|
./0009-add-rootprefix-to-lookup-dir-paths.patch
|
|
|
|
|
./0010-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
|
|
|
|
|
./0011-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
|
|
|
|
|
./0012-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
|
|
|
|
|
./0013-inherit-systemd-environment-when-calling-generators.patch
|
|
|
|
|
./0014-core-don-t-taint-on-unmerged-usr.patch
|
|
|
|
|
./0015-tpm2_context_init-fix-driver-name-checking.patch
|
|
|
|
|
./0016-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch
|
|
|
|
|
./0017-meson.build-do-not-create-systemdstatedir.patch
|
2024-01-17 07:55:31 +00:00
|
|
|
] ++ lib.optional (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [
|
2023-11-19 01:35:57 +00:00
|
|
|
./0018-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch
|
2021-12-12 02:57:53 +00:00
|
|
|
] ++ lib.optional stdenv.hostPlatform.isMusl (
|
|
|
|
|
let
|
|
|
|
|
oe-core = fetchzip {
|
2023-09-29 14:42:41 +00:00
|
|
|
url = "https://git.openembedded.org/openembedded-core/snapshot/openembedded-core-eb8a86fee9eeae787cc0a58ef2ed087fd48d93eb.tar.gz";
|
|
|
|
|
sha256 = "tE2KpXLvOknIpEZFdOnNxvBmDvZrra3kvQp9tKxa51c=";
|
2021-12-12 02:57:53 +00:00
|
|
|
};
|
2023-01-11 06:16:18 +00:00
|
|
|
musl-patches = oe-core + "/meta/recipes-core/systemd/systemd";
|
2021-12-12 02:57:53 +00:00
|
|
|
in
|
|
|
|
|
[
|
2022-03-05 23:37:43 +00:00
|
|
|
(musl-patches + "/0001-Adjust-for-musl-headers.patch")
|
2023-04-07 10:45:40 +00:00
|
|
|
(musl-patches + "/0005-pass-correct-parameters-to-getdents64.patch")
|
|
|
|
|
(musl-patches + "/0006-test-bus-error-strerror-is-assumed-to-be-GNU-specifi.patch")
|
|
|
|
|
(musl-patches + "/0009-missing_type.h-add-comparison_fn_t.patch")
|
|
|
|
|
(musl-patches + "/0010-add-fallback-parse_printf_format-implementation.patch")
|
|
|
|
|
(musl-patches + "/0011-src-basic-missing.h-check-for-missing-strndupa.patch")
|
|
|
|
|
(musl-patches + "/0012-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch")
|
|
|
|
|
(musl-patches + "/0013-add-missing-FTW_-macros-for-musl.patch")
|
|
|
|
|
(musl-patches + "/0014-Use-uintmax_t-for-handling-rlim_t.patch")
|
|
|
|
|
(musl-patches + "/0016-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch")
|
|
|
|
|
(musl-patches + "/0017-Define-glibc-compatible-basename-for-non-glibc-syste.patch")
|
|
|
|
|
(musl-patches + "/0018-Do-not-disable-buffering-when-writing-to-oom_score_a.patch")
|
|
|
|
|
(musl-patches + "/0019-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch")
|
|
|
|
|
(musl-patches + "/0020-avoid-redefinition-of-prctl_mm_map-structure.patch")
|
|
|
|
|
(musl-patches + "/0021-do-not-disable-buffer-in-writing-files.patch")
|
|
|
|
|
(musl-patches + "/0022-Handle-__cpu_mask-usage.patch")
|
|
|
|
|
(musl-patches + "/0023-Handle-missing-gshadow.patch")
|
|
|
|
|
(musl-patches + "/0024-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch")
|
2023-09-29 14:42:41 +00:00
|
|
|
(musl-patches + "/0028-sd-event-Make-malloc_trim-conditional-on-glibc.patch")
|
|
|
|
|
(musl-patches + "/0029-shared-Do-not-use-malloc_info-on-musl.patch")
|
2021-12-12 02:57:53 +00:00
|
|
|
]
|
|
|
|
|
);
|
2020-01-26 13:56:41 +00:00
|
|
|
|
2020-03-07 22:47:22 +00:00
|
|
|
postPatch = ''
|
|
|
|
|
substituteInPlace src/basic/path-util.h --replace "@defaultPathNormal@" "${placeholder "out"}/bin/"
|
2022-08-21 10:22:16 +00:00
|
|
|
'' + lib.optionalString withLibBPF ''
|
2022-08-25 13:34:19 +00:00
|
|
|
substituteInPlace meson.build \
|
|
|
|
|
--replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'"
|
2023-07-20 17:15:42 +00:00
|
|
|
'' + lib.optionalString withUkify ''
|
|
|
|
|
substituteInPlace src/ukify/ukify.py \
|
|
|
|
|
--replace \
|
|
|
|
|
"'readelf'" \
|
2023-12-11 12:58:03 +00:00
|
|
|
"'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'" \
|
|
|
|
|
--replace \
|
|
|
|
|
"/usr/lib/systemd/boot/efi" \
|
|
|
|
|
"$out/lib/systemd/boot/efi"
|
2021-02-03 17:54:07 +00:00
|
|
|
'' + (
|
|
|
|
|
let
|
2024-01-22 23:37:48 +00:00
|
|
|
# The following patches references to dynamic libraries to ensure that all
|
|
|
|
|
# the features that are implemented via dlopen(3) are available (or
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
# explicitly deactivated) by pointing dlopen to the absolute store path
|
|
|
|
|
# instead of relying on the linkers runtime lookup code.
|
2021-02-03 17:54:07 +00:00
|
|
|
#
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
# All of the shared library references have to be handled. When new ones
|
|
|
|
|
# are introduced by upstream (or one of our patches) they must be
|
|
|
|
|
# explicitly declared, otherwise the build will fail.
|
2021-02-03 17:54:07 +00:00
|
|
|
#
|
|
|
|
|
# As of systemd version 247 we've seen a few errors like `libpcre2.… not
|
|
|
|
|
# found` when using e.g. --grep with journalctl. Those errors should
|
|
|
|
|
# become less unexpected now.
|
|
|
|
|
#
|
2024-01-22 23:37:48 +00:00
|
|
|
# There are generally two classes of dlopen(3) calls. Those that we want
|
|
|
|
|
# to support and those that should be deactivated / unsupported. This
|
|
|
|
|
# change enforces that we handle all dlopen calls explicitly. Meaning:
|
|
|
|
|
# There is not a single dlopen call in the source code tree that we did
|
|
|
|
|
# not explicitly handle.
|
2021-02-03 17:54:07 +00:00
|
|
|
#
|
|
|
|
|
# In order to do this we introduced a list of attributes that maps from
|
|
|
|
|
# shared object name to the package that contains them. The package can be
|
|
|
|
|
# null meaning the reference should be nuked and the shared object will
|
|
|
|
|
# never be loadable during runtime (because it points at an invalid store
|
|
|
|
|
# path location).
|
|
|
|
|
#
|
|
|
|
|
# To get a list of dynamically loaded libraries issue something like
|
2024-01-22 23:37:48 +00:00
|
|
|
# `grep -ri '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"'' $src`
|
|
|
|
|
# and update the list below.
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
dlopenLibs =
|
|
|
|
|
let
|
|
|
|
|
opt = condition: pkg: if condition then pkg else null;
|
|
|
|
|
in
|
|
|
|
|
[
|
2022-11-05 02:01:05 +00:00
|
|
|
# bpf compilation support. We use libbpf 1 now.
|
|
|
|
|
{ name = "libbpf.so.1"; pkg = opt withLibBPF libbpf; }
|
|
|
|
|
{ name = "libbpf.so.0"; pkg = null; }
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
|
2023-11-19 01:35:57 +00:00
|
|
|
# We did never provide support for libxkbcommon
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
{ name = "libxkbcommon.so.0"; pkg = null; }
|
2023-11-19 01:35:57 +00:00
|
|
|
|
|
|
|
|
# qrencode
|
|
|
|
|
{ name = "libqrencode.so.4"; pkg = opt withQrencode qrencode; }
|
2022-11-05 02:01:05 +00:00
|
|
|
{ name = "libqrencode.so.3"; pkg = null; }
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
|
2023-11-19 01:35:57 +00:00
|
|
|
# Password quality
|
|
|
|
|
# We currently do not package passwdqc, only libpwquality.
|
|
|
|
|
{ name = "libpwquality.so.1"; pkg = opt withPasswordQuality libpwquality; }
|
|
|
|
|
{ name = "libpasswdqc.so.1"; pkg = null; }
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
|
|
|
|
|
# Only include cryptsetup if it is enabled. We might not be able to
|
|
|
|
|
# provide it during "bootstrap" in e.g. the minimal systemd build as
|
|
|
|
|
# cryptsetup has udev (aka systemd) in it's dependencies.
|
|
|
|
|
{ name = "libcryptsetup.so.12"; pkg = opt withCryptsetup cryptsetup; }
|
|
|
|
|
|
|
|
|
|
# We are using libidn2 so we only provide that and ignore the others.
|
|
|
|
|
# Systemd does this decision during configure time and uses ifdef's to
|
|
|
|
|
# enable specific branches. We can safely ignore (nuke) the libidn "v1"
|
|
|
|
|
# libraries.
|
2023-02-19 02:23:36 +00:00
|
|
|
{ name = "libidn2.so.0"; pkg = opt withLibidn2 libidn2; }
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
{ name = "libidn.so.12"; pkg = null; }
|
|
|
|
|
{ name = "libidn.so.11"; pkg = null; }
|
|
|
|
|
|
2022-03-06 00:58:59 +00:00
|
|
|
# journalctl --grep requires libpcre so let's provide it
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
{ name = "libpcre2-8.so.0"; pkg = pcre2; }
|
|
|
|
|
|
|
|
|
|
# Support for TPM2 in systemd-cryptsetup, systemd-repart and systemd-cryptenroll
|
|
|
|
|
{ name = "libtss2-esys.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
|
|
|
|
{ name = "libtss2-rc.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
|
|
|
|
{ name = "libtss2-mu.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
2021-09-29 09:15:35 +00:00
|
|
|
{ name = "libtss2-tcti-"; pkg = opt withTpm2Tss tpm2-tss; }
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
{ name = "libfido2.so.1"; pkg = opt withFido2 libfido2; }
|
2021-12-12 02:56:45 +00:00
|
|
|
|
|
|
|
|
# inspect-elf support
|
|
|
|
|
{ name = "libelf.so.1"; pkg = opt withCoredump elfutils; }
|
|
|
|
|
{ name = "libdw.so.1"; pkg = opt withCoredump elfutils; }
|
2023-02-17 17:03:01 +00:00
|
|
|
|
|
|
|
|
# Support for PKCS#11 in systemd-cryptsetup, systemd-cryptenroll and systemd-homed
|
|
|
|
|
{ name = "libp11-kit.so.0"; pkg = opt (withHomed || withCryptsetup) p11-kit; }
|
2023-06-19 00:40:27 +00:00
|
|
|
|
2023-11-19 01:35:57 +00:00
|
|
|
{ name = "libip4tc.so.2"; pkg = opt withIptables iptables; }
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
];
|
2020-12-26 15:55:33 +00:00
|
|
|
|
2021-02-03 17:54:07 +00:00
|
|
|
patchDlOpen = dl:
|
|
|
|
|
let
|
|
|
|
|
library = "${lib.makeLibraryPath [ dl.pkg ]}/${dl.name}";
|
|
|
|
|
in
|
|
|
|
|
if dl.pkg == null then ''
|
|
|
|
|
# remove the dependency on the library by replacing it with an invalid path
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
for file in $(grep -lr '"${dl.name}"' src); do
|
2023-03-23 17:34:04 +00:00
|
|
|
echo "patching dlopen(\"${dl.name}\", …) in $file to an invalid store path ("${builtins.storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}")…"
|
|
|
|
|
substituteInPlace "$file" --replace '"${dl.name}"' '"${builtins.storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}"'
|
2021-02-03 17:54:07 +00:00
|
|
|
done
|
|
|
|
|
'' else ''
|
|
|
|
|
# ensure that the library we provide actually exists
|
|
|
|
|
if ! [ -e ${library} ]; then
|
2021-09-29 09:15:35 +00:00
|
|
|
# exceptional case, details:
|
|
|
|
|
# https://github.com/systemd/systemd-stable/blob/v249-stable/src/shared/tpm2-util.c#L157
|
|
|
|
|
if ! [[ "${library}" =~ .*libtss2-tcti-$ ]]; then
|
2022-03-06 00:58:59 +00:00
|
|
|
echo 'The shared library `${library}` does not exist but was given as substitute for `${dl.name}`'
|
2021-09-29 09:15:35 +00:00
|
|
|
exit 1
|
|
|
|
|
fi
|
2021-02-03 17:54:07 +00:00
|
|
|
fi
|
|
|
|
|
# make the path to the dependency explicit
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
for file in $(grep -lr '"${dl.name}"' src); do
|
2021-02-03 17:54:07 +00:00
|
|
|
echo "patching dlopen(\"${dl.name}\", …) in $file to ${library}…"
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
substituteInPlace "$file" --replace '"${dl.name}"' '"${library}"'
|
2021-02-03 17:54:07 +00:00
|
|
|
done
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
|
2021-02-03 17:54:07 +00:00
|
|
|
'';
|
|
|
|
|
in
|
|
|
|
|
# patch all the dlopen calls to contain absolute paths to the libraries
|
|
|
|
|
lib.concatMapStringsSep "\n" patchDlOpen dlopenLibs
|
|
|
|
|
)
|
2024-01-22 23:37:48 +00:00
|
|
|
# finally ensure that there are no left-over dlopen calls (or rather strings
|
|
|
|
|
# pointing to shared libraries) that we didn't handle
|
2020-12-26 15:55:33 +00:00
|
|
|
+ ''
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
if grep -qr '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"' src; then
|
|
|
|
|
echo "Found unhandled dynamic library calls: "
|
|
|
|
|
grep -r '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"' src
|
2020-12-26 15:55:33 +00:00
|
|
|
exit 1
|
|
|
|
|
fi
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
''
|
2022-05-21 20:03:56 +00:00
|
|
|
# Finally, patch shebangs in scripts used at build time. This must not patch
|
|
|
|
|
# scripts that will end up in the output, to avoid build platform references
|
|
|
|
|
# when cross-compiling.
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
+ ''
|
2022-05-21 20:03:56 +00:00
|
|
|
shopt -s extglob
|
2023-09-14 18:37:36 +00:00
|
|
|
patchShebangs tools test src/!(rpm|kernel-install|ukify) src/kernel-install/test-kernel-install.sh
|
2020-03-07 22:47:22 +00:00
|
|
|
'';
|
|
|
|
|
|
2023-10-18 09:44:18 +00:00
|
|
|
outputs = [ "out" "dev" ] ++ (lib.optional (!buildLibsOnly) "man");
|
2018-03-02 23:31:30 +00:00
|
|
|
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
nativeBuildInputs =
|
|
|
|
|
[
|
|
|
|
|
pkg-config
|
2022-09-23 21:47:05 +00:00
|
|
|
makeBinaryWrapper
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
gperf
|
|
|
|
|
ninja
|
|
|
|
|
meson
|
|
|
|
|
glibcLocales
|
|
|
|
|
getent
|
|
|
|
|
m4
|
|
|
|
|
|
|
|
|
|
intltool
|
|
|
|
|
gettext
|
|
|
|
|
|
|
|
|
|
libxslt
|
|
|
|
|
docbook_xsl
|
|
|
|
|
docbook_xml_dtd_42
|
|
|
|
|
docbook_xml_dtd_45
|
2023-02-02 16:57:21 +00:00
|
|
|
bash
|
2023-06-19 00:40:27 +00:00
|
|
|
(buildPackages.python3Packages.python.withPackages (ps: with ps; [ lxml jinja2 ] ++ lib.optional withEfi ps.pyelftools))
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
]
|
2022-08-25 13:34:19 +00:00
|
|
|
++ lib.optionals withLibBPF [
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
bpftools
|
2023-01-03 21:19:59 +00:00
|
|
|
buildPackages.llvmPackages.clang
|
|
|
|
|
buildPackages.llvmPackages.libllvm
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
]
|
|
|
|
|
;
|
2021-07-26 11:12:36 +00:00
|
|
|
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
buildInputs =
|
|
|
|
|
[
|
2022-09-24 18:38:33 +00:00
|
|
|
libxcrypt
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
libcap
|
|
|
|
|
libuuid
|
|
|
|
|
linuxHeaders
|
2023-02-02 16:57:21 +00:00
|
|
|
bashInteractive # for patch shebangs
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
]
|
|
|
|
|
|
2023-02-07 10:17:34 +00:00
|
|
|
++ lib.optionals wantGcrypt [ libgcrypt libgpg-error ]
|
2021-12-12 14:59:20 +00:00
|
|
|
++ lib.optional withTests glib
|
2023-02-19 04:11:25 +00:00
|
|
|
++ lib.optional withAcl acl
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
++ lib.optional withApparmor libapparmor
|
2023-02-21 07:17:24 +00:00
|
|
|
++ lib.optional withAudit audit
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
++ lib.optional wantCurl (lib.getDev curl)
|
2023-11-19 01:35:57 +00:00
|
|
|
++ lib.optionals withCompression [ zlib bzip2 lz4 xz zstd ]
|
2021-11-19 01:55:14 +00:00
|
|
|
++ lib.optional withCoredump elfutils
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
++ lib.optional withCryptsetup (lib.getDev cryptsetup.dev)
|
|
|
|
|
++ lib.optional withKexectools kexec-tools
|
2023-02-21 07:48:27 +00:00
|
|
|
++ lib.optional withKmod kmod
|
2023-02-19 02:23:36 +00:00
|
|
|
++ lib.optional withLibidn2 libidn2
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
++ lib.optional withLibseccomp libseccomp
|
2023-11-19 01:35:57 +00:00
|
|
|
++ lib.optional withIptables iptables
|
2023-02-21 07:30:26 +00:00
|
|
|
++ lib.optional withPam pam
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
++ lib.optional withPCRE2 pcre2
|
|
|
|
|
++ lib.optional withSelinux libselinux
|
2022-09-01 12:39:00 +00:00
|
|
|
++ lib.optionals withRemote [ libmicrohttpd gnutls ]
|
2023-02-17 17:03:01 +00:00
|
|
|
++ lib.optionals (withHomed || withCryptsetup) [ p11-kit ]
|
systemd: 247.6 -> 249.4
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514
https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
2021-08-30 13:10:54 +00:00
|
|
|
++ lib.optionals (withHomed || withCryptsetup) [ libfido2 ]
|
|
|
|
|
++ lib.optionals withLibBPF [ libbpf ]
|
2021-09-29 09:15:35 +00:00
|
|
|
++ lib.optional withTpm2Tss tpm2-tss
|
2023-03-30 15:40:35 +00:00
|
|
|
++ lib.optional withUkify (python3Packages.python.withPackages (ps: with ps; [ pefile ]))
|
2023-11-19 01:35:57 +00:00
|
|
|
++ lib.optionals withPasswordQuality [ libpwquality ]
|
|
|
|
|
++ lib.optionals withQrencode [ qrencode ]
|
2020-11-24 23:11:56 +00:00
|
|
|
;
|
2018-03-02 23:31:30 +00:00
|
|
|
|
2023-10-18 09:44:18 +00:00
|
|
|
mesonBuildType = "release";
|
2018-03-02 23:31:30 +00:00
|
|
|
|
|
|
|
|
mesonFlags = [
|
2023-11-19 01:35:57 +00:00
|
|
|
# Options
|
|
|
|
|
|
2024-01-22 23:37:48 +00:00
|
|
|
# We bump this attribute on every (major) version change to ensure that we
|
|
|
|
|
# have known-good value for a timestamp that is in the (not so distant)
|
|
|
|
|
# past. This serves as a lower bound for valid system timestamps during
|
|
|
|
|
# startup. Systemd will reset the system timestamp if this date is +- 15
|
|
|
|
|
# years from the system time.
|
2021-12-31 16:21:05 +00:00
|
|
|
# See the systemd v250 release notes for further details:
|
2024-01-22 23:37:48 +00:00
|
|
|
# https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266
|
2023-11-19 01:35:57 +00:00
|
|
|
(lib.mesonOption "time-epoch" releaseTimestamp)
|
2020-11-17 20:54:26 +00:00
|
|
|
|
2023-11-19 01:35:57 +00:00
|
|
|
(lib.mesonOption "version-tag" version)
|
|
|
|
|
(lib.mesonOption "mode" "release")
|
|
|
|
|
(lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3
|
|
|
|
|
(lib.mesonOption "debug-shell" "${bashInteractive}/bin/bash")
|
|
|
|
|
(lib.mesonOption "pamconfdir" "${placeholder "out"}/etc/pam.d")
|
2020-11-17 20:54:26 +00:00
|
|
|
# Use cgroupsv2. This is already the upstream default, but better be explicit.
|
2023-11-19 01:35:57 +00:00
|
|
|
(lib.mesonOption "default-hierarchy" "unified")
|
|
|
|
|
(lib.mesonOption "kmod-path" "${kmod}/bin/kmod")
|
|
|
|
|
|
|
|
|
|
# D-Bus
|
|
|
|
|
(lib.mesonOption "dbuspolicydir" "${placeholder "out"}/share/dbus-1/system.d")
|
|
|
|
|
(lib.mesonOption "dbussessionservicedir" "${placeholder "out"}/share/dbus-1/services")
|
|
|
|
|
(lib.mesonOption "dbussystemservicedir" "${placeholder "out"}/share/dbus-1/system-services")
|
|
|
|
|
|
|
|
|
|
# pkgconfig
|
|
|
|
|
(lib.mesonOption "pkgconfiglibdir" "${placeholder "dev"}/lib/pkgconfig")
|
|
|
|
|
(lib.mesonOption "pkgconfigdatadir" "${placeholder "dev"}/share/pkgconfig")
|
|
|
|
|
|
|
|
|
|
# Keyboard
|
|
|
|
|
(lib.mesonOption "loadkeys-path" "${kbd}/bin/loadkeys")
|
|
|
|
|
(lib.mesonOption "setfont-path" "${kbd}/bin/setfont")
|
|
|
|
|
|
|
|
|
|
# SBAT
|
|
|
|
|
(lib.mesonOption "sbat-distro" "nixos")
|
|
|
|
|
(lib.mesonOption "sbat-distro-summary" "NixOS")
|
|
|
|
|
(lib.mesonOption "sbat-distro-url" "https://nixos.org/")
|
|
|
|
|
(lib.mesonOption "sbat-distro-pkgname" pname)
|
|
|
|
|
(lib.mesonOption "sbat-distro-version" version)
|
|
|
|
|
|
|
|
|
|
# Users
|
|
|
|
|
(lib.mesonOption "system-uid-max" "999")
|
|
|
|
|
(lib.mesonOption "system-gid-max" "999")
|
|
|
|
|
|
|
|
|
|
# SysVinit
|
|
|
|
|
(lib.mesonOption "sysvinit-path" "")
|
|
|
|
|
(lib.mesonOption "sysvrcnd-path" "")
|
|
|
|
|
|
|
|
|
|
# Login
|
|
|
|
|
(lib.mesonOption "sulogin-path" "${util-linux.login}/bin/sulogin")
|
|
|
|
|
(lib.mesonOption "nologin-path" "${util-linux.login}/bin/nologin")
|
|
|
|
|
|
|
|
|
|
# Mount
|
|
|
|
|
(lib.mesonOption "mount-path" "${lib.getOutput "mount" util-linux}/bin/mount")
|
|
|
|
|
(lib.mesonOption "umount-path" "${lib.getOutput "mount" util-linux}/bin/umount")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Features
|
|
|
|
|
|
|
|
|
|
# Tests
|
|
|
|
|
(lib.mesonBool "tests" withTests)
|
|
|
|
|
(lib.mesonEnable "glib" withTests)
|
|
|
|
|
(lib.mesonEnable "dbus" withTests)
|
|
|
|
|
|
|
|
|
|
# Compression
|
|
|
|
|
(lib.mesonEnable "bzip2" withCompression)
|
|
|
|
|
(lib.mesonEnable "lz4" withCompression)
|
|
|
|
|
(lib.mesonEnable "xz" withCompression)
|
|
|
|
|
(lib.mesonEnable "zstd" withCompression)
|
|
|
|
|
(lib.mesonEnable "zlib" withCompression)
|
|
|
|
|
|
|
|
|
|
# NSS
|
|
|
|
|
(lib.mesonEnable "nss-mymachines" withNss)
|
|
|
|
|
(lib.mesonEnable "nss-resolve" withNss)
|
|
|
|
|
(lib.mesonBool "nss-myhostname" withNss)
|
|
|
|
|
(lib.mesonBool "nss-systemd" withNss)
|
|
|
|
|
|
|
|
|
|
# Cryptsetup
|
|
|
|
|
(lib.mesonEnable "libcryptsetup" withCryptsetup)
|
|
|
|
|
(lib.mesonEnable "libcryptsetup-plugins" withCryptsetup)
|
|
|
|
|
(lib.mesonEnable "p11kit" (withHomed || withCryptsetup))
|
|
|
|
|
|
|
|
|
|
# FIDO2
|
|
|
|
|
(lib.mesonEnable "libfido2" withFido2)
|
|
|
|
|
(lib.mesonEnable "openssl" withFido2)
|
|
|
|
|
|
|
|
|
|
# Password Quality
|
|
|
|
|
(lib.mesonEnable "pwquality" withPasswordQuality)
|
|
|
|
|
(lib.mesonEnable "passwdqc" false)
|
|
|
|
|
|
|
|
|
|
# Remote
|
|
|
|
|
(lib.mesonEnable "remote" withRemote)
|
|
|
|
|
(lib.mesonEnable "microhttpd" withRemote)
|
|
|
|
|
|
|
|
|
|
(lib.mesonEnable "pam" withPam)
|
|
|
|
|
(lib.mesonEnable "acl" withAcl)
|
|
|
|
|
(lib.mesonEnable "audit" withAudit)
|
|
|
|
|
(lib.mesonEnable "apparmor" withApparmor)
|
|
|
|
|
(lib.mesonEnable "gcrypt" wantGcrypt)
|
|
|
|
|
(lib.mesonEnable "importd" withImportd)
|
|
|
|
|
(lib.mesonEnable "homed" withHomed)
|
|
|
|
|
(lib.mesonEnable "polkit" withPolkit)
|
|
|
|
|
(lib.mesonEnable "elfutils" withCoredump)
|
|
|
|
|
(lib.mesonEnable "libcurl" wantCurl)
|
|
|
|
|
(lib.mesonEnable "libidn" false)
|
|
|
|
|
(lib.mesonEnable "libidn2" withLibidn2)
|
|
|
|
|
(lib.mesonEnable "libiptc" withIptables)
|
|
|
|
|
(lib.mesonEnable "repart" withRepart)
|
|
|
|
|
(lib.mesonEnable "sysupdate" withSysupdate)
|
|
|
|
|
(lib.mesonEnable "selinux" withSelinux)
|
|
|
|
|
(lib.mesonEnable "tpm2" withTpm2Tss)
|
|
|
|
|
(lib.mesonEnable "pcre2" withPCRE2)
|
|
|
|
|
(lib.mesonEnable "bpf-framework" withLibBPF)
|
|
|
|
|
(lib.mesonEnable "bootloader" withBootloader)
|
|
|
|
|
(lib.mesonEnable "ukify" withUkify)
|
|
|
|
|
(lib.mesonEnable "kmod" withKmod)
|
|
|
|
|
(lib.mesonEnable "qrencode" withQrencode)
|
|
|
|
|
(lib.mesonEnable "vmspawn" withVmspawn)
|
|
|
|
|
(lib.mesonEnable "xenctrl" false)
|
|
|
|
|
(lib.mesonEnable "gnutls" false)
|
|
|
|
|
(lib.mesonEnable "xkbcommon" false)
|
|
|
|
|
(lib.mesonEnable "man" true)
|
|
|
|
|
|
|
|
|
|
(lib.mesonBool "analyze" withAnalyze)
|
|
|
|
|
(lib.mesonBool "logind" withLogind)
|
|
|
|
|
(lib.mesonBool "localed" withLocaled)
|
|
|
|
|
(lib.mesonBool "hostnamed" withHostnamed)
|
|
|
|
|
(lib.mesonBool "machined" withMachined)
|
|
|
|
|
(lib.mesonBool "networkd" withNetworkd)
|
|
|
|
|
(lib.mesonBool "oomd" withOomd)
|
|
|
|
|
(lib.mesonBool "portabled" withPortabled)
|
|
|
|
|
(lib.mesonBool "hwdb" withHwdb)
|
|
|
|
|
(lib.mesonBool "timedated" withTimedated)
|
|
|
|
|
(lib.mesonBool "timesyncd" withTimesyncd)
|
|
|
|
|
(lib.mesonBool "userdb" withUserDb)
|
|
|
|
|
(lib.mesonBool "coredump" withCoredump)
|
|
|
|
|
(lib.mesonBool "firstboot" withFirstboot)
|
|
|
|
|
(lib.mesonBool "resolve" withResolved)
|
|
|
|
|
(lib.mesonBool "sysusers" withSysusers)
|
|
|
|
|
(lib.mesonBool "efi" withEfi)
|
|
|
|
|
(lib.mesonBool "utmp" withUtmp)
|
|
|
|
|
(lib.mesonBool "log-trace" withLogTrace)
|
|
|
|
|
(lib.mesonBool "quotacheck" false)
|
|
|
|
|
(lib.mesonBool "ldconfig" false)
|
|
|
|
|
(lib.mesonBool "install-sysconfdir" false)
|
|
|
|
|
(lib.mesonBool "create-log-dirs" false)
|
|
|
|
|
(lib.mesonBool "smack" true)
|
|
|
|
|
(lib.mesonBool "b_pie" true)
|
2023-03-30 15:40:35 +00:00
|
|
|
|
2020-10-27 23:51:39 +00:00
|
|
|
] ++ lib.optionals (withShellCompletions == false) [
|
2023-11-19 01:35:57 +00:00
|
|
|
(lib.mesonOption "bashcompletiondir" "no")
|
|
|
|
|
(lib.mesonOption "zshcompletiondir" "no")
|
2021-10-15 21:28:13 +00:00
|
|
|
] ++ lib.optionals stdenv.hostPlatform.isMusl [
|
2023-11-19 01:35:57 +00:00
|
|
|
(lib.mesonBool "gshadow" false)
|
|
|
|
|
(lib.mesonBool "idn" false)
|
2021-10-15 21:28:13 +00:00
|
|
|
];
|
2021-12-12 02:56:45 +00:00
|
|
|
preConfigure =
|
|
|
|
|
let
|
2024-01-22 23:37:48 +00:00
|
|
|
# A list of all the runtime binaries referenced by the source code (plus
|
|
|
|
|
# scripts and unit files) of systemd executables, tests and libraries.
|
|
|
|
|
# As soon as a dependency is lo longer required we should remove it from
|
|
|
|
|
# the list.
|
|
|
|
|
# The `where` attribute for each of the replacement patterns must be
|
|
|
|
|
# exhaustive. If another (unhandled) case is found in the source code the
|
|
|
|
|
# build fails with an error message.
|
2021-12-12 02:56:45 +00:00
|
|
|
binaryReplacements = [
|
2024-01-24 01:48:29 +00:00
|
|
|
{
|
|
|
|
|
search = "/usr/bin/getent";
|
|
|
|
|
replacement = "${getent}/bin/getent";
|
|
|
|
|
where = [ "src/nspawn/nspawn-setuid.c" ];
|
|
|
|
|
}
|
2021-12-12 02:56:45 +00:00
|
|
|
{
|
|
|
|
|
search = "/sbin/mkswap";
|
|
|
|
|
replacement = "${lib.getBin util-linux}/sbin/mkswap";
|
|
|
|
|
where = [
|
|
|
|
|
"man/systemd-makefs@.service.xml"
|
|
|
|
|
];
|
|
|
|
|
}
|
2024-01-24 01:48:29 +00:00
|
|
|
{
|
|
|
|
|
search = "/sbin/swapon";
|
|
|
|
|
replacement = "${lib.getOutput "swap" util-linux}/sbin/swapon";
|
|
|
|
|
where = [
|
|
|
|
|
"src/core/swap.c"
|
|
|
|
|
"src/basic/unit-def.h"
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
search = "/sbin/swapoff";
|
|
|
|
|
replacement = "${lib.getOutput "swap" util-linux}/sbin/swapoff";
|
|
|
|
|
where = [ "src/core/swap.c" ];
|
|
|
|
|
}
|
2021-12-12 02:56:45 +00:00
|
|
|
{
|
|
|
|
|
search = "/bin/echo";
|
|
|
|
|
replacement = "${coreutils}/bin/echo";
|
|
|
|
|
where = [
|
|
|
|
|
"man/systemd-analyze.xml"
|
|
|
|
|
"man/systemd.service.xml"
|
2023-06-19 00:40:27 +00:00
|
|
|
"man/systemd-run.xml"
|
2021-12-12 02:56:45 +00:00
|
|
|
"src/analyze/test-verify.c"
|
|
|
|
|
"src/test/test-env-file.c"
|
|
|
|
|
"src/test/test-fileio.c"
|
2022-06-30 07:46:32 +00:00
|
|
|
"src/test/test-load-fragment.c"
|
2021-12-12 02:56:45 +00:00
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
search = "/bin/cat";
|
|
|
|
|
replacement = "${coreutils}/bin/cat";
|
2024-01-24 01:48:29 +00:00
|
|
|
where = [
|
|
|
|
|
"test/test-execute/exec-noexecpaths-simple.service"
|
|
|
|
|
"src/journal/cat.c"
|
|
|
|
|
];
|
2021-12-12 02:56:45 +00:00
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
search = "/usr/lib/systemd/systemd-fsck";
|
|
|
|
|
replacement = "$out/lib/systemd/systemd-fsck";
|
2024-01-24 01:48:29 +00:00
|
|
|
where = [ "man/systemd-fsck@.service.xml" ];
|
2021-12-12 02:56:45 +00:00
|
|
|
}
|
|
|
|
|
] ++ lib.optionals withImportd [
|
|
|
|
|
{
|
|
|
|
|
search = "\"gpg\"";
|
|
|
|
|
replacement = "\\\"${gnupg}/bin/gpg\\\"";
|
|
|
|
|
where = [ "src/import/pull-common.c" ];
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
search = "\"tar\"";
|
|
|
|
|
replacement = "\\\"${gnutar}/bin/tar\\\"";
|
|
|
|
|
where = [
|
|
|
|
|
"src/import/export-tar.c"
|
|
|
|
|
"src/import/import-common.c"
|
|
|
|
|
"src/import/import-tar.c"
|
2022-06-30 07:46:32 +00:00
|
|
|
];
|
|
|
|
|
ignore = [
|
2022-12-18 00:39:44 +00:00
|
|
|
# occurrences here refer to the tar sub command
|
2022-06-30 07:46:32 +00:00
|
|
|
"src/sysupdate/sysupdate-resource.c"
|
|
|
|
|
"src/sysupdate/sysupdate-transfer.c"
|
|
|
|
|
"src/import/pull.c"
|
|
|
|
|
"src/import/export.c"
|
2021-12-12 02:56:45 +00:00
|
|
|
"src/import/import.c"
|
|
|
|
|
"src/import/importd.c"
|
2022-06-30 07:46:32 +00:00
|
|
|
# runs `tar` but also also creates a temporary directory with the string
|
2021-12-12 02:56:45 +00:00
|
|
|
"src/import/pull-tar.c"
|
|
|
|
|
];
|
|
|
|
|
}
|
2023-02-21 07:48:27 +00:00
|
|
|
] ++ lib.optionals withKmod [
|
2024-01-24 01:48:29 +00:00
|
|
|
{
|
|
|
|
|
search = "/sbin/modprobe";
|
|
|
|
|
replacement = "${lib.getBin kmod}/sbin/modprobe";
|
|
|
|
|
where = [ "units/modprobe@.service" ];
|
|
|
|
|
}
|
2021-12-12 02:56:45 +00:00
|
|
|
];
|
|
|
|
|
|
2024-01-24 01:48:29 +00:00
|
|
|
# { replacement, search, where, ignore } -> List[str]
|
2022-10-03 11:09:29 +00:00
|
|
|
mkSubstitute = { replacement, search, where, ignore ? [ ] }:
|
2021-12-12 02:56:45 +00:00
|
|
|
map (path: "substituteInPlace ${path} --replace '${search}' \"${replacement}\"") where;
|
2022-10-03 11:09:29 +00:00
|
|
|
mkEnsureSubstituted = { replacement, search, where, ignore ? [ ] }:
|
|
|
|
|
let
|
|
|
|
|
ignore' = lib.concatStringsSep "|" (ignore ++ [ "^test" "NEWS" ]);
|
|
|
|
|
in
|
|
|
|
|
''
|
|
|
|
|
set +e
|
|
|
|
|
search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}")
|
|
|
|
|
set -e
|
|
|
|
|
if [[ -n "$search" ]]; then
|
|
|
|
|
echo "Not all references to '${search}' have been replaced. Found the following matches:"
|
|
|
|
|
echo "$search"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
'';
|
2021-12-12 02:56:45 +00:00
|
|
|
in
|
|
|
|
|
''
|
|
|
|
|
mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org")
|
|
|
|
|
export LC_ALL="en_US.UTF-8";
|
|
|
|
|
|
|
|
|
|
${lib.concatStringsSep "\n" (lib.flatten (map mkSubstitute binaryReplacements))}
|
|
|
|
|
${lib.concatMapStringsSep "\n" mkEnsureSubstituted binaryReplacements}
|
|
|
|
|
|
|
|
|
|
substituteInPlace src/libsystemd/sd-journal/catalog.c \
|
|
|
|
|
--replace /usr/lib/systemd/catalog/ $out/lib/systemd/catalog/
|
2022-06-30 07:46:32 +00:00
|
|
|
|
|
|
|
|
substituteInPlace src/import/pull-tar.c \
|
|
|
|
|
--replace 'wait_for_terminate_and_check("tar"' 'wait_for_terminate_and_check("${gnutar}/bin/tar"'
|
2021-12-12 02:56:45 +00:00
|
|
|
'';
|
2018-03-02 23:31:30 +00:00
|
|
|
|
|
|
|
|
# These defines are overridden by CFLAGS and would trigger annoying
|
|
|
|
|
# warning messages
|
|
|
|
|
postConfigure = ''
|
|
|
|
|
substituteInPlace config.h \
|
|
|
|
|
--replace "POLKIT_AGENT_BINARY_PATH" "_POLKIT_AGENT_BINARY_PATH" \
|
|
|
|
|
--replace "SYSTEMD_BINARY_PATH" "_SYSTEMD_BINARY_PATH" \
|
2021-12-12 02:56:45 +00:00
|
|
|
--replace "SYSTEMD_CGROUP_AGENTS_PATH" "_SYSTEMD_CGROUP_AGENT_PATH"
|
2018-03-02 23:31:30 +00:00
|
|
|
'';
|
|
|
|
|
|
2023-02-19 19:23:32 +00:00
|
|
|
env.NIX_CFLAGS_COMPILE = toString ([
|
2019-10-29 23:53:51 +00:00
|
|
|
# Can't say ${polkit.bin}/bin/pkttyagent here because that would
|
|
|
|
|
# lead to a cyclic dependency.
|
2020-10-27 22:28:29 +00:00
|
|
|
"-UPOLKIT_AGENT_BINARY_PATH"
|
|
|
|
|
"-DPOLKIT_AGENT_BINARY_PATH=\"/run/current-system/sw/bin/pkttyagent\""
|
2018-03-02 23:31:30 +00:00
|
|
|
|
2019-10-29 23:53:51 +00:00
|
|
|
# Set the release_agent on /sys/fs/cgroup/systemd to the
|
|
|
|
|
# currently running systemd (/run/current-system/systemd) so
|
|
|
|
|
# that we don't use an obsolete/garbage-collected release agent.
|
2021-12-12 02:56:45 +00:00
|
|
|
"-USYSTEMD_CGROUP_AGENTS_PATH"
|
|
|
|
|
"-DSYSTEMD_CGROUP_AGENTS_PATH=\"/run/current-system/systemd/lib/systemd/systemd-cgroups-agent\""
|
2018-03-02 23:31:30 +00:00
|
|
|
|
2020-10-27 22:28:29 +00:00
|
|
|
"-USYSTEMD_BINARY_PATH"
|
|
|
|
|
"-DSYSTEMD_BINARY_PATH=\"/run/current-system/systemd/lib/systemd/systemd\""
|
2021-10-15 21:28:13 +00:00
|
|
|
|
|
|
|
|
] ++ lib.optionals stdenv.hostPlatform.isMusl [
|
|
|
|
|
"-D__UAPI_DEF_ETHHDR=0"
|
|
|
|
|
]);
|
2018-03-02 23:31:30 +00:00
|
|
|
|
2018-04-25 03:20:18 +00:00
|
|
|
doCheck = false; # fails a bunch of tests
|
|
|
|
|
|
2020-01-26 15:15:19 +00:00
|
|
|
# trigger the test -n "$DESTDIR" || mutate in upstreams build system
|
|
|
|
|
preInstall = ''
|
|
|
|
|
export DESTDIR=/
|
|
|
|
|
'';
|
|
|
|
|
|
2023-10-18 09:44:18 +00:00
|
|
|
mesonInstallTags = lib.optionals buildLibsOnly [ "devel" "libudev" "libsystemd" ];
|
|
|
|
|
|
|
|
|
|
postInstall = lib.optionalString (!buildLibsOnly) ''
|
2018-03-02 23:31:30 +00:00
|
|
|
mkdir -p $out/example/systemd
|
2023-02-21 07:48:27 +00:00
|
|
|
mv $out/lib/{binfmt.d,sysctl.d,tmpfiles.d} $out/example
|
2018-03-02 23:31:30 +00:00
|
|
|
mv $out/lib/systemd/{system,user} $out/example/systemd
|
|
|
|
|
|
|
|
|
|
rm -rf $out/etc/systemd/system
|
|
|
|
|
|
|
|
|
|
# Fix reference to /bin/false in the D-Bus services.
|
|
|
|
|
for i in $out/share/dbus-1/system-services/*.service; do
|
|
|
|
|
substituteInPlace $i --replace /bin/false ${coreutils}/bin/false
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
rm -rf $out/etc/rpm
|
|
|
|
|
|
|
|
|
|
# "kernel-install" shouldn't be used on NixOS.
|
|
|
|
|
find $out -name "*kernel-install*" -exec rm {} \;
|
2020-10-27 23:54:08 +00:00
|
|
|
'' + lib.optionalString (!withDocumentation) ''
|
|
|
|
|
rm -rf $out/share/doc
|
2023-10-18 09:44:18 +00:00
|
|
|
'' + lib.optionalString (withKmod && !buildLibsOnly) ''
|
2023-02-21 07:48:27 +00:00
|
|
|
mv $out/lib/modules-load.d $out/example
|
2023-11-01 17:17:18 +00:00
|
|
|
'' + lib.optionalString withSysusers ''
|
|
|
|
|
mv $out/lib/sysusers.d $out/example
|
2020-10-27 23:54:08 +00:00
|
|
|
'';
|
2018-03-02 23:31:30 +00:00
|
|
|
|
2024-01-22 23:37:48 +00:00
|
|
|
# Avoid *.EFI binary stripping.
|
|
|
|
|
# At least on aarch64-linux strip removes too much from PE32+ files:
|
2022-04-23 17:49:59 +00:00
|
|
|
# https://github.com/NixOS/nixpkgs/issues/169693
|
2024-01-22 23:37:48 +00:00
|
|
|
# The hack is to move EFI file out of lib/ before doStrip run and return it
|
|
|
|
|
# after doStrip run.
|
2023-09-29 14:42:41 +00:00
|
|
|
preFixup = lib.optionalString withBootloader ''
|
2022-04-23 17:49:59 +00:00
|
|
|
mv $out/lib/systemd/boot/efi $out/dont-strip-me
|
|
|
|
|
'';
|
2022-09-23 21:47:05 +00:00
|
|
|
|
|
|
|
|
# Wrap in the correct path for LUKS2 tokens.
|
|
|
|
|
postFixup = lib.optionalString withCryptsetup ''
|
2023-11-19 01:35:57 +00:00
|
|
|
for f in bin/systemd-cryptsetup bin/systemd-cryptenroll; do
|
2022-09-23 21:47:05 +00:00
|
|
|
# This needs to be in LD_LIBRARY_PATH because rpath on a binary is not propagated to libraries using dlopen, in this case `libcryptsetup.so`
|
|
|
|
|
wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
|
|
|
|
|
done
|
2023-09-29 14:42:41 +00:00
|
|
|
'' + lib.optionalString withBootloader ''
|
2022-04-23 17:49:59 +00:00
|
|
|
mv $out/dont-strip-me $out/lib/systemd/boot/efi
|
2023-07-20 17:15:42 +00:00
|
|
|
'' + lib.optionalString withUkify ''
|
|
|
|
|
# To cross compile a derivation that builds a UKI with ukify, we need to wrap
|
|
|
|
|
# ukify with the correct binutils. When wrapping, no splicing happens so we
|
|
|
|
|
# have to explicitly pull binutils from targetPackages.
|
2023-11-19 01:35:57 +00:00
|
|
|
wrapProgram $out/bin/ukify --prefix PATH : ${lib.makeBinPath [ targetPackages.stdenv.cc.bintools ] }:${placeholder "out"}/lib/systemd
|
2022-04-23 17:49:59 +00:00
|
|
|
'';
|
|
|
|
|
|
2023-02-02 16:57:21 +00:00
|
|
|
disallowedReferences = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform)
|
|
|
|
|
# 'or p' is for manually specified buildPackages as they dont have __spliced
|
|
|
|
|
(builtins.map (p: p.__spliced.buildHost or p) finalAttrs.nativeBuildInputs);
|
|
|
|
|
|
2022-01-23 10:58:30 +00:00
|
|
|
passthru = {
|
2024-01-22 23:37:48 +00:00
|
|
|
# The `interfaceVersion` attribute below points out the incompatibilities
|
|
|
|
|
# between systemd versions. When the new systemd build is
|
|
|
|
|
# backwards-compatible with the previous one, then they can be switched at
|
|
|
|
|
# runtime (the reboot being optional in this case); otherwise, a reboot is
|
|
|
|
|
# needed - and therefore `interfaceVersion` should be incremented.
|
2022-01-23 10:58:30 +00:00
|
|
|
interfaceVersion = 2;
|
|
|
|
|
|
2024-01-24 01:48:29 +00:00
|
|
|
inherit withCryptsetup withHostnamed withImportd withKmod withLocaled
|
|
|
|
|
withMachined withPortabled withTimedated withUtmp util-linux kmod kbd;
|
2022-01-23 10:58:30 +00:00
|
|
|
|
|
|
|
|
tests = {
|
2022-09-01 14:08:18 +00:00
|
|
|
inherit (nixosTests)
|
|
|
|
|
switchTest
|
|
|
|
|
systemd-journal
|
|
|
|
|
systemd-journal-gateway
|
|
|
|
|
systemd-journal-upload;
|
2024-01-24 01:48:29 +00:00
|
|
|
cross =
|
|
|
|
|
let
|
|
|
|
|
systemString =
|
|
|
|
|
if stdenv.buildPlatform.isAarch64
|
|
|
|
|
then "gnu64"
|
|
|
|
|
else "aarch64-multiplatform";
|
|
|
|
|
in
|
|
|
|
|
pkgsCross.${systemString}.systemd;
|
2022-01-23 10:58:30 +00:00
|
|
|
};
|
2021-12-09 11:39:30 +00:00
|
|
|
};
|
|
|
|
|
|
2023-11-24 10:58:08 +00:00
|
|
|
meta = {
|
2020-02-18 20:46:40 +00:00
|
|
|
homepage = "https://www.freedesktop.org/wiki/Software/systemd/";
|
2018-03-02 23:31:30 +00:00
|
|
|
description = "A system and service manager for Linux";
|
2023-11-24 10:58:08 +00:00
|
|
|
longDescription = ''
|
|
|
|
|
systemd is a suite of basic building blocks for a Linux system. It
|
|
|
|
|
provides a system and service manager that runs as PID 1 and starts the
|
|
|
|
|
rest of the system. systemd provides aggressive parallelization
|
|
|
|
|
capabilities, uses socket and D-Bus activation for starting services,
|
|
|
|
|
offers on-demand starting of daemons, keeps track of processes using Linux
|
|
|
|
|
control groups, maintains mount and automount points, and implements an
|
|
|
|
|
elaborate transactional dependency-based service control logic. systemd
|
|
|
|
|
supports SysV and LSB init scripts and works as a replacement for
|
|
|
|
|
sysvinit. Other parts include a logging daemon, utilities to control basic
|
|
|
|
|
system configuration like the hostname, date, locale, maintain a list of
|
|
|
|
|
logged-in users and running containers and virtual machines, system
|
|
|
|
|
accounts, runtime directories and settings, and daemons to manage simple
|
|
|
|
|
network configuration, network time synchronization, log forwarding, and
|
|
|
|
|
name resolution.
|
|
|
|
|
'';
|
2024-01-22 12:41:15 +00:00
|
|
|
license = with lib.licenses; [
|
|
|
|
|
# Taken from https://raw.githubusercontent.com/systemd/systemd-stable/${finalAttrs.src.rev}/LICENSES/README.md
|
|
|
|
|
bsd2
|
|
|
|
|
bsd3
|
|
|
|
|
cc0
|
|
|
|
|
lgpl21Plus
|
|
|
|
|
lgpl2Plus
|
|
|
|
|
mit
|
|
|
|
|
mit0
|
|
|
|
|
ofl
|
|
|
|
|
publicDomain
|
|
|
|
|
];
|
2023-11-24 10:58:08 +00:00
|
|
|
maintainers = with lib.maintainers; [ flokli kloenk ];
|
|
|
|
|
platforms = lib.platforms.linux;
|
|
|
|
|
priority = 10;
|
2023-01-27 10:21:41 +00:00
|
|
|
badPlatforms = [ lib.systems.inspect.platformPatterns.isStatic ];
|
2022-04-24 12:00:00 +00:00
|
|
|
# https://github.com/systemd/systemd/issues/20600#issuecomment-912338965
|
|
|
|
|
broken = stdenv.hostPlatform.isStatic;
|
2018-03-02 23:31:30 +00:00
|
|
|
};
|
2023-02-02 16:57:21 +00:00
|
|
|
})
|