unblock: systemd/231-19

Martin Pitt mpitt at debian.org
Sun Mar 12 09:47:21 GMT 2017


Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock

Hello release team,

The current systemd in unstable (232-19) fixes a bunch of bugs, mostly in
resolved (which we don't enable by default), but also in bits which do run by
default. Also some testing improvements.

The package has been in unstable for 10 days now without any regression
reports, and of course passes upstream tests and our downstream autopkgtests.

debdiff between -18 (in testing) and current -19 attached. I also put the
changelog and some annotations to it below.

| systemd (232-19) unstable; urgency=medium
| 
|   [ Martin Pitt ]
|   * debian/README.source: Update patch and changelog handling to current
|     reality.

Documentation only.

|   * root-unittests autopkgtest: Blacklist test-journal-importer.
|     This got added in a recent PR, but running this requires using "make
|     install-tests" which hasn't landed yet.

Not relevant for stretch, just for upstream CI. No-op at runtime.

|   * fsckd: Fix format specifiers on 32 bit architectures.

Should be mostly harmless at runtime, but fixes a warning and using correct
types is always good.

|   * resolved: Fix NSEC proofs for missing TLDs (Closes: #855479)

Quite an important bug fix if you use resolved with DNSSEC. Not RC overall as
neither resolved as a whole nor the DNSSEC option is enabled by default, but
both become increasingly popular.

|   * boot-and-services autopkgtest: Skip CgroupsTest on unified hierarchy.
|   * boot-smoke autopkgtest: Run in containers, too.
|   * logind autopkgtest: Adjust to work in containers.

Test fixes only.

|   [ Dimitri John Ledkov ]
|   * Fix resolved failing to follow CNAMES for DNS stub replies (LP: #1647031)

Similarly to above, this is an even more important fix for resolved as it
affects quite a number of hosts out there (like resolving freedesktop.org
machines).

|   * Fix emitting change signals with a sessions property in logind
|     (LP: #1661568)

This doesn't affect systemd itself, but desktop clients which use libsystemd to
track the active session. Not particularly urgent, but a nice and
straightforward fix.

|   [ Michael Biebl ]
|   * If an automount unit is masked, don't react to activation anymore.
|     Otherwise we'll hit an assert sooner or later. (Closes: #856035)

This fixes a nasty crash of the entire system with automount units, so this is
rather important.

|   [ Felipe Sateler ]
|   * resolved: add the new KSK to the built-in resolved trust anchor.
|     The old root key will be discarded in early 2018, so get this into
|     stretch.

We have to update the key at some point anyway, so let's rather do it now
before the release.

|   * Backport some zsh completion fixes from upstream (Closes: #847203)

Low-risk, and nice for zsh users.

Thanks for considering,

Martin

-------------- next part --------------
diff --git a/debian/README.source b/debian/README.source
index 04d5ffe..e3ba8cf 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -10,13 +10,26 @@ We recommend you use pbuilder to make sure you build in a clean environment:
 
   gbp buildpackage --git-pbuilder
 
+Changelog
+---------
+The systemd package uses gbp dch for automatically generating
+debian/changelog entries from the corresponding git commits. This makes
+cherry-picking, merging, and rebasing much simpler.
+
+Thus, for any packaging change *don't* modify debian/changelog, just write a
+meaningful git commit log with proper bug references (such as "Closes: #12345"
+on the last line). For doing a release, run
+
+  gbp dch --auto
+
+then beautify the generated debian/changelog, then run the usual "dch -r" and
+"debcommit -ar --sign-tags".
+
 Patch handling
 --------------
-The official form of modifications to the upstream source are quilt patches in
-debian/patches/, like most Debian packages do. You are welcome to use quilt to
-add or modify patches, but you might prefer using a git commit based approach.
-gbp-pq provides that by synthesizing a "patch-queue/<branch>" local branch
-which represents each quilt patch as git commit. You create this with
+The systemd package uses gbp pq for maintaining patches with a git-like
+workflow in a "patch-queue/<branch>" local branch and then exporting them as
+quilt series.  For working on patches you run
 
   gbp pq import --force
 
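Review bot: the release steps at the end of the new Changelog section ("run gbp dch --auto then beautify the generated debian/changelog, then run the usual ...") would read more clearly as a short ordered sequence, making explicit that "dch -r" and "debcommit -ar --sign-tags" come after the manual cleanup of the generated entries. Minor: "quilt series.  For working on patches" in the rewritten Patch handling paragraph has a double space.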
@@ -26,8 +39,13 @@ upstream commits, rebase, etc. there. After you are done, run
   gbp pq export
 
 which will put you back into master and update debian/patches/ (including
-series). You need to git add etc. new patches, add a changelog and other
-packaging changes, and then debcommit as usual.
+series). You need to git add etc. new patches, possibly other
+packaging changes, and then git commit as usual.
+
+systemd uses gbp pq's "topic" branches for organizing patches; for simplicity
+(as this is the most common operation), upstream cherry-picks go into the
+"empty" topic (i. e. directly into debian/patches/), while Debian specific
+patches go into "Gbp-Pq: Topic debian" (i. e. debian/patches/debian/).
 
 Rebasing patches to a new upstream version
 ------------------------------------------
@@ -78,3 +96,8 @@ patch-queue branch:
   gbp pq import --force
   git log github/master
   git cherry-pick 123DEADBEEF
+
+debian/git-cherry-pick is a nice tool to automate all that:
+
+  debian/git-cherry-pick 123DEADBEEF 987654 AFFE99
+  git checkout master  # switch back from patch-queue branch
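Review bot: the arguments in "debian/git-cherry-pick 123DEADBEEF 987654 AFFE99" read like literal commits; a short remark that they are placeholder upstream commit ids (as in the "git cherry-pick 123DEADBEEF" example just above) would avoid confusion, and it is worth stating whether the script expects to be run from master or from the patch-queue branch, since the following "git checkout master  # switch back from patch-queue branch" implies the latter.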
diff --git a/debian/changelog b/debian/changelog
index 2e4d6da..0774f4d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,34 @@
+systemd (232-19) unstable; urgency=medium
+
+  [ Martin Pitt ]
+  * debian/README.source: Update patch and changelog handling to current
+    reality.
+  * root-unittests autopkgtest: Blacklist test-journal-importer.
+    This got added in a recent PR, but running this requires using "make
+    install-tests" which hasn't landed yet.
+  * fsckd: Fix format specifiers on 32 bit architectures.
+  * resolved: Fix NSEC proofs for missing TLDs (Closes: #855479)
+  * boot-and-services autopkgtest: Skip CgroupsTest on unified hierarchy.
+  * boot-smoke autopkgtest: Run in containers, too.
+  * logind autopkgtest: Adjust to work in containers.
+
+  [ Dimitri John Ledkov ]
+  * Fix resolved failing to follow CNAMES for DNS stub replies (LP: #1647031)
+  * Fix emitting change signals with a sessions property in logind
+    (LP: #1661568)
+
+  [ Michael Biebl ]
+  * If an automount unit is masked, don't react to activation anymore.
+    Otherwise we'll hit an assert sooner or later. (Closes: #856035)
+
+  [ Felipe Sateler ]
+  * resolved: add the new KSK to the built-in resolved trust anchor.
+    The old root key will be discarded in early 2018, so get this into
+    stretch.
+  * Backport some zsh completion fixes from upstream (Closes: #847203)
+
+ -- Martin Pitt <mpitt at debian.org>  Thu, 02 Mar 2017 09:21:12 +0100
+
 systemd (232-18) unstable; urgency=medium
 
   * udev autopkgtest: Adjust to script-based test /sys creation.
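Review bot: the new entry is for systemd 232-19, while the subject of this unblock request says "systemd/231-19"; the request title should be corrected to match the changelog so the release team tracks the right version. The entry otherwise lists a Debian bug for the automount, NSEC and zsh fixes and Launchpad bugs for the two Ledkov changes; the KSK addition carries no bug reference, which is fine given the cover letter's explanation.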
diff --git a/debian/patches/automount-if-an-automount-unit-is-masked-don-t-react-to-a.patch b/debian/patches/automount-if-an-automount-unit-is-masked-don-t-react-to-a.patch
new file mode 100644
index 0000000..f7c2e25
--- /dev/null
+++ b/debian/patches/automount-if-an-automount-unit-is-masked-don-t-react-to-a.patch
@@ -0,0 +1,144 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Wed, 1 Mar 2017 04:03:48 +0100
+Subject: automount: if an automount unit is masked,
+ don't react to activation anymore (#5445)
+
+Otherwise we'll hit an assert sooner or later.
+
+This requires us to initialize ->where even if we come back in "masked"
+mode, as otherwise we don't know how to operate on the automount and
+detach it.
+
+Fixes: #5441
+(cherry picked from commit e350ca3f1ecb6672b74cd25d09ef23c7b309aa5a)
+---
+ src/core/automount.c | 78 +++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 50 insertions(+), 28 deletions(-)
+
+diff --git a/src/core/automount.c b/src/core/automount.c
+index 7d7a0a6..f091a9a 100644
+--- a/src/core/automount.c
++++ b/src/core/automount.c
+@@ -101,17 +101,17 @@ static void unmount_autofs(Automount *a) {
+         a->pipe_event_source = sd_event_source_unref(a->pipe_event_source);
+         a->pipe_fd = safe_close(a->pipe_fd);
+ 
+-        /* If we reload/reexecute things we keep the mount point
+-         * around */
+-        if (a->where &&
+-            (UNIT(a)->manager->exit_code != MANAGER_RELOAD &&
+-             UNIT(a)->manager->exit_code != MANAGER_REEXECUTE)) {
++        /* If we reload/reexecute things we keep the mount point around */
++        if (!IN_SET(UNIT(a)->manager->exit_code, MANAGER_RELOAD, MANAGER_REEXECUTE)) {
++
+                 automount_send_ready(a, a->tokens, -EHOSTDOWN);
+                 automount_send_ready(a, a->expire_tokens, -EHOSTDOWN);
+ 
+-                r = repeat_unmount(a->where, MNT_DETACH);
+-                if (r < 0)
+-                        log_error_errno(r, "Failed to unmount: %m");
++                if (a->where) {
++                        r = repeat_unmount(a->where, MNT_DETACH);
++                        if (r < 0)
++                                log_error_errno(r, "Failed to unmount: %m");
++                }
+         }
+ }
+ 
+@@ -186,6 +186,22 @@ static int automount_verify(Automount *a) {
+         return 0;
+ }
+ 
++static int automount_set_where(Automount *a) {
++        int r;
++
++        assert(a);
++
++        if (a->where)
++                return 0;
++
++        r = unit_name_to_path(UNIT(a)->id, &a->where);
++        if (r < 0)
++                return r;
++
++        path_kill_slashes(a->where);
++        return 1;
++}
++
+ static int automount_load(Unit *u) {
+         Automount *a = AUTOMOUNT(u);
+         int r;
+@@ -201,13 +217,9 @@ static int automount_load(Unit *u) {
+         if (u->load_state == UNIT_LOADED) {
+                 Unit *x;
+ 
+-                if (!a->where) {
+-                        r = unit_name_to_path(u->id, &a->where);
+-                        if (r < 0)
+-                                return r;
+-                }
+-
+-                path_kill_slashes(a->where);
++                r = automount_set_where(a);
++                if (r < 0)
++                        return r;
+ 
+                 r = unit_load_related_unit(u, ".mount", &x);
+                 if (r < 0)
+@@ -256,26 +268,30 @@ static int automount_coldplug(Unit *u) {
+         assert(a);
+         assert(a->state == AUTOMOUNT_DEAD);
+ 
+-        if (a->deserialized_state != a->state) {
++        if (a->deserialized_state == a->state)
++                return 0;
++
++        if (IN_SET(a->deserialized_state, AUTOMOUNT_WAITING, AUTOMOUNT_RUNNING)) {
++
++                r = automount_set_where(a);
++                if (r < 0)
++                        return r;
+ 
+                 r = open_dev_autofs(u->manager);
+                 if (r < 0)
+                         return r;
+ 
+-                if (a->deserialized_state == AUTOMOUNT_WAITING ||
+-                    a->deserialized_state == AUTOMOUNT_RUNNING) {
+-                        assert(a->pipe_fd >= 0);
++                assert(a->pipe_fd >= 0);
+ 
+-                        r = sd_event_add_io(u->manager->event, &a->pipe_event_source, a->pipe_fd, EPOLLIN, automount_dispatch_io, u);
+-                        if (r < 0)
+-                                return r;
++                r = sd_event_add_io(u->manager->event, &a->pipe_event_source, a->pipe_fd, EPOLLIN, automount_dispatch_io, u);
++                if (r < 0)
++                        return r;
+ 
+-                        (void) sd_event_source_set_description(a->pipe_event_source, "automount-io");
+-                        if (a->deserialized_state == AUTOMOUNT_RUNNING) {
+-                                r = automount_start_expire(a);
+-                                if (r < 0)
+-                                        log_unit_warning_errno(UNIT(a), r, "Failed to start expiration timer, ignoring: %m");
+-                        }
++                (void) sd_event_source_set_description(a->pipe_event_source, "automount-io");
++                if (a->deserialized_state == AUTOMOUNT_RUNNING) {
++                        r = automount_start_expire(a);
++                        if (r < 0)
++                                log_unit_warning_errno(UNIT(a), r, "Failed to start expiration timer, ignoring: %m");
+                 }
+ 
+                 automount_set_state(a, a->deserialized_state);
+@@ -733,6 +749,12 @@ static void automount_enter_runnning(Automount *a) {
+ 
+         assert(a);
+ 
++        /* If the user masked our unit in the meantime, fail */
++        if (UNIT(a)->load_state != UNIT_LOADED) {
++                log_unit_error(UNIT(a), "Suppressing automount event since unit is no longer loaded.");
++                goto fail;
++        }
++
+         /* We don't take mount requests anymore if we are supposed to
+          * shut down anyway */
+         if (unit_stop_pending(UNIT(a))) {
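Review bot: the patch header carries only the upstream references ("Fixes: #5441" and the cherry-pick hash) and no "Bug-Debian:" line for #856035, which the changelog closes; adding one keeps the DEP-3 trail complete. The code change itself is coherent across the four hunks: automount_set_where() is now also run from automount_coldplug() for units deserialized as WAITING or RUNNING, so a->where is populated even when the unit comes back masked; unmount_autofs() still fails pending tokens and expire_tokens with -EHOSTDOWN but only calls repeat_unmount() when a->where is non-NULL; and automount_enter_runnning() now jumps to "fail" with a log message when load_state != UNIT_LOADED instead of continuing into the assert the description mentions. The "fail" label itself lies outside the shown context, so its cleanup path cannot be checked here.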
diff --git a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
index 32371fd..74bb1db 100644
--- a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
+++ b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
@@ -338,7 +338,7 @@ index f33c53f..4b8ef2e 100644
 +src/fsckd/fsckd.c
 diff --git a/src/fsckd/fsckd.c b/src/fsckd/fsckd.c
 new file mode 100644
-index 0000000..1b12042
+index 0000000..d48e53a
 --- /dev/null
 +++ b/src/fsckd/fsckd.c
 @@ -0,0 +1,690 @@
@@ -726,7 +726,7 @@ index 0000000..1b12042
 +                size_t cur, max;
 +                _cleanup_free_ char *device = NULL, *old_device_id = NULL;
 +
-+                if (sscanf(line, "%i %lu %lu %ms", &pass, &cur, &max, &device) == 4) {
++                if (sscanf(line, "%i %zu %zu %ms", &pass, &cur, &max, &device) == 4) {
 +                        if (!client->device_name) {
 +                                client->device_name = strdup(device);
 +                                if (!client->device_name) {
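Review bot: "%zu" is the right conversion for "cur" and "max", which are declared size_t two lines above; on 32-bit glibc targets size_t is unsigned int, so "%lu" was a -Wformat type mismatch even though both types have the same width there, which is why the cover letter calls it harmless at runtime. The nested patch's "index" line was updated in the previous hunk to match the new file contents, which is correct for a patch-in-patch. Note that the sscanf() call still trusts the client-supplied "line" for the "%ms" device name; that is pre-existing behaviour and not touched by this hunk.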
@@ -747,7 +747,7 @@ index 0000000..1b12042
 +                        client->max = max;
 +                        client->bad_input = false;
 +                        client->percent = compute_percent(client->pass, client->cur, client->max);
-+                        log_debug("Getting progress for %s (%lu, %lu, %d) : %3.1f%%", client->device_id,
++                        log_debug("Getting progress for %s (%zu, %zu, %d) : %3.1f%%", client->device_id,
 +                                  client->cur, client->max, client->pass, client->percent);
 +                } else {
 +                        if (errno == ENOMEM) {
diff --git a/debian/patches/logind-Don-t-try-to-emit-a-change-signal-for-the-Sessions.patch b/debian/patches/logind-Don-t-try-to-emit-a-change-signal-for-the-Sessions.patch
new file mode 100644
index 0000000..320a762
--- /dev/null
+++ b/debian/patches/logind-Don-t-try-to-emit-a-change-signal-for-the-Sessions.patch
@@ -0,0 +1,61 @@
+From: afrantzis <alexandros.frantzis at canonical.com>
+Date: Fri, 3 Feb 2017 03:39:26 +0200
+Subject: logind: Don't try to emit a change signal for the 'Sessions'
+ property (#5211)
+
+The 'Sessions' property for both org.freedesktop.login1.User and
+org.freedesktop.login1.Seat is marked as EmitsChangedSignal(false).
+Trying to emit a change signal that includes the 'Sessions' property
+leads to the signal not being sent at all.
+
+Fixes #5210.
+---
+ src/login/logind-seat.c    | 2 --
+ src/login/logind-session.c | 9 +++------
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/login/logind-seat.c b/src/login/logind-seat.c
+index ecc7bd2..a07ac34 100644
+--- a/src/login/logind-seat.c
++++ b/src/login/logind-seat.c
+@@ -541,8 +541,6 @@ int seat_attach_session(Seat *s, Session *session) {
+         LIST_PREPEND(sessions_by_seat, s->sessions, session);
+         seat_assign_position(s, session);
+ 
+-        seat_send_changed(s, "Sessions", NULL);
+-
+         /* On seats with VTs, the VT logic defines which session is active. On
+          * seats without VTs, we automatically activate new sessions. */
+         if (!seat_has_vts(s))
+diff --git a/src/login/logind-session.c b/src/login/logind-session.c
+index e83c37a..3e2d36c 100644
+--- a/src/login/logind-session.c
++++ b/src/login/logind-session.c
+@@ -586,12 +586,10 @@ int session_start(Session *s) {
+ 
+         /* Send signals */
+         session_send_signal(s, true);
+-        user_send_changed(s->user, "Sessions", "Display", NULL);
++        user_send_changed(s->user, "Display", NULL);
+         if (s->seat) {
+                 if (s->seat->active == s)
+-                        seat_send_changed(s->seat, "Sessions", "ActiveSession", NULL);
+-                else
+-                        seat_send_changed(s->seat, "Sessions", NULL);
++                        seat_send_changed(s->seat, "ActiveSession", NULL);
+         }
+ 
+         return 0;
+@@ -698,11 +696,10 @@ int session_finalize(Session *s) {
+                         seat_set_active(s->seat, NULL);
+ 
+                 seat_save(s->seat);
+-                seat_send_changed(s->seat, "Sessions", NULL);
+         }
+ 
+         user_save(s->user);
+-        user_send_changed(s->user, "Sessions", "Display", NULL);
++        user_send_changed(s->user, "Display", NULL);
+ 
+         return 0;
+ }
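Review bot: unlike the other new patches in this debdiff, this one has no "(cherry picked from commit ...)" line in its header; adding the upstream commit id would make later rebases easier to audit. On the code: in session_start() the "else" branch that sent a seat signal for a non-active session is dropped entirely rather than reduced, which is correct because "Sessions" is EmitsChangedSignal(false) and there is no other property to emit in that branch; session_finalize() and seat_attach_session() get the same treatment. The net effect is that "Display" and "ActiveSession" change signals are actually delivered again, matching the description.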
diff --git a/debian/patches/resolved-add-the-new-KSK-to-the-built-in-resolved-trust-a.patch b/debian/patches/resolved-add-the-new-KSK-to-the-built-in-resolved-trust-a.patch
new file mode 100644
index 0000000..58c3f8d
--- /dev/null
+++ b/debian/patches/resolved-add-the-new-KSK-to-the-built-in-resolved-trust-a.patch
@@ -0,0 +1,123 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Wed, 1 Mar 2017 04:49:19 +0100
+Subject: resolved: add the new KSK to the built-in resolved trust anchor
+ (#5486)
+
+Fixes: #5482
+---
+ src/resolve/resolved-dns-trust-anchor.c | 72 +++++++++++++++++++++++----------
+ 1 file changed, 51 insertions(+), 21 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
+index 9917b9e..5056731 100644
+--- a/src/resolve/resolved-dns-trust-anchor.c
++++ b/src/resolve/resolved-dns-trust-anchor.c
+@@ -35,11 +35,16 @@
+ 
+ static const char trust_anchor_dirs[] = CONF_PATHS_NULSTR("dnssec-trust-anchors.d");
+ 
+-/* The DS RR from https://data.iana.org/root-anchors/root-anchors.xml, retrieved December 2015 */
+-static const uint8_t root_digest[] =
++/* The first DS RR from https://data.iana.org/root-anchors/root-anchors.xml, retrieved December 2015 */
++static const uint8_t root_digest1[] =
+         { 0x49, 0xAA, 0xC1, 0x1D, 0x7B, 0x6F, 0x64, 0x46, 0x70, 0x2E, 0x54, 0xA1, 0x60, 0x73, 0x71, 0x60,
+           0x7A, 0x1A, 0x41, 0x85, 0x52, 0x00, 0xFD, 0x2C, 0xE1, 0xCD, 0xDE, 0x32, 0xF2, 0x4E, 0x8F, 0xB5 };
+ 
++/* The second DS RR from https://data.iana.org/root-anchors/root-anchors.xml, retrieved February 2017 */
++static const uint8_t root_digest2[] =
++        { 0xE0, 0x6D, 0x44, 0xB8, 0x0B, 0x8F, 0x1D, 0x39, 0xA9, 0x5C, 0x0B, 0x0D, 0x7C, 0x65, 0xD0, 0x84,
++          0x58, 0xE8, 0x80, 0x40, 0x9B, 0xBC, 0x68, 0x34, 0x57, 0x10, 0x42, 0x37, 0xC7, 0xF8, 0xEC, 0x8D };
++
+ static bool dns_trust_anchor_knows_domain_positive(DnsTrustAnchor *d, const char *name) {
+         assert(d);
+ 
+@@ -51,9 +56,40 @@ static bool dns_trust_anchor_knows_domain_positive(DnsTrustAnchor *d, const char
+                 hashmap_contains(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DS, name));
+ }
+ 
+-static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) {
++static int add_root_ksk(
++                DnsAnswer *answer,
++                DnsResourceKey *key,
++                uint16_t key_tag,
++                uint8_t algorithm,
++                uint8_t digest_type,
++                const void *digest,
++                size_t digest_size) {
++
+         _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
++        int r;
++
++        rr = dns_resource_record_new(key);
++        if (!rr)
++                return -ENOMEM;
++
++        rr->ds.key_tag = key_tag;
++        rr->ds.algorithm = algorithm;
++        rr->ds.digest_type = digest_type;
++        rr->ds.digest_size = digest_size;
++        rr->ds.digest = memdup(digest, rr->ds.digest_size);
++        if (!rr->ds.digest)
++                return  -ENOMEM;
++
++        r = dns_answer_add(answer, rr, 0, DNS_ANSWER_AUTHENTICATED);
++        if (r < 0)
++                return r;
++
++        return 0;
++}
++
++static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) {
+         _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
++        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
+         int r;
+ 
+         assert(d);
+@@ -62,35 +98,29 @@ static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) {
+         if (r < 0)
+                 return r;
+ 
+-        /* Only add the built-in trust anchor if there's neither a DS
+-         * nor a DNSKEY defined for the root domain. That way users
+-         * have an easy way to override the root domain DS/DNSKEY
+-         * data. */
++        /* Only add the built-in trust anchor if there's neither a DS nor a DNSKEY defined for the root domain. That
++         * way users have an easy way to override the root domain DS/DNSKEY data. */
+         if (dns_trust_anchor_knows_domain_positive(d, "."))
+                 return 0;
+ 
+-        /* Add the RR from https://data.iana.org/root-anchors/root-anchors.xml */
+-        rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "");
+-        if (!rr)
++        key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_DS, "");
++        if (!key)
+                 return -ENOMEM;
+ 
+-        rr->ds.key_tag = 19036;
+-        rr->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+-        rr->ds.digest_type = DNSSEC_DIGEST_SHA256;
+-        rr->ds.digest_size = sizeof(root_digest);
+-        rr->ds.digest = memdup(root_digest, rr->ds.digest_size);
+-        if (!rr->ds.digest)
+-                return  -ENOMEM;
+-
+-        answer = dns_answer_new(1);
++        answer = dns_answer_new(2);
+         if (!answer)
+                 return -ENOMEM;
+ 
+-        r = dns_answer_add(answer, rr, 0, DNS_ANSWER_AUTHENTICATED);
++        /* Add the two RRs from https://data.iana.org/root-anchors/root-anchors.xml */
++        r = add_root_ksk(answer, key, 19036, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest1, sizeof(root_digest1));
++        if (r < 0)
++                return r;
++
++        r = add_root_ksk(answer, key, 20326, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest2, sizeof(root_digest2));
+         if (r < 0)
+                 return r;
+ 
+-        r = hashmap_put(d->positive_by_key, rr->key, answer);
++        r = hashmap_put(d->positive_by_key, key, answer);
+         if (r < 0)
+                 return r;
+ 
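Review bot: the digest bytes should be verified against IANA's signed root-anchors.xml rather than against the code comments alone; as written they do match the published DS records for KSK-2010 (key tag 19036) and KSK-2017 (key tag 20326), both algorithm 8 (RSASHA256) with digest type 2 (SHA-256). Two details of the refactoring are worth confirming: add_root_ksk() is called twice with the same "key", and the same "key" is later handed to hashmap_put(), so dns_resource_record_new() must take its own reference on it; and dns_answer_new(1) was correctly bumped to dns_answer_new(2). Minor nit: "return  -ENOMEM" keeps the double space from the replaced code.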
diff --git a/debian/patches/resolved-fix-NSEC-proofs-for-missing-TLDs.patch b/debian/patches/resolved-fix-NSEC-proofs-for-missing-TLDs.patch
new file mode 100644
index 0000000..675661f
--- /dev/null
+++ b/debian/patches/resolved-fix-NSEC-proofs-for-missing-TLDs.patch
@@ -0,0 +1,47 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Tue, 14 Feb 2017 17:54:30 +0100
+Subject: resolved: fix NSEC proofs for missing TLDs
+
+For the wildcard NSEC check we need to generate an "asterisk" domain, by
+prepend the common ancestor with "*.". So far we did that with a simple
+strappenda() which is fine for most domains, but doesn't work if the
+common ancestor is the root domain as we usually write that as "." in
+normalized form, and "*." joined with "." is "*.." and not "*." as it
+should be.
+
+Hence, use the clean way out, let's just use dns_name_concat() which
+only exists precisely for this reason, to properly concatenate labels.
+
+There's a good chance this actually fixes #5029, as this NSEC proof is
+triggered by lookups in the TLD "example", which doesn't exist in the
+Internet.
+---
+ src/resolve/resolved-dns-dnssec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
+index 5132710..eddab58 100644
+--- a/src/resolve/resolved-dns-dnssec.c
++++ b/src/resolve/resolved-dns-dnssec.c
+@@ -1710,7 +1710,8 @@ static int dnssec_nsec_covers(DnsResourceRecord *rr, const char *name) {
+ }
+ 
+ static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name) {
+-        const char *common_suffix, *wc;
++        _cleanup_free_ char *wc = NULL;
++        const char *common_suffix;
+         int r;
+ 
+         assert(rr);
+@@ -1734,7 +1735,10 @@ static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name)
+         if (r <= 0)
+                 return r;
+ 
+-        wc = strjoina("*.", common_suffix);
++        r = dns_name_concat("*", common_suffix, &wc);
++        if (r < 0)
++                return r;
++
+         return dns_name_between(dns_resource_key_name(rr->key), wc, rr->nsec.next_domain_name);
+ }
+ 
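Review bot: the heap-allocated "wc" under _cleanup_free_ replaces a stack strjoina(), and the new "if (r < 0) return r;" is consistent with the "if (r <= 0) return r;" check just above it, so error propagation is unchanged in shape. The behavioural point is the one the description gives: for a common suffix of "." the old code produced "*.." and the wildcard NSEC coverage check could never succeed, so denial-of-existence proofs for non-existent TLDs failed validation; dns_name_concat() yields "*." for that case. Nothing to change in the hunk.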
diff --git a/debian/patches/resolved-follow-CNAMES-for-DNS-stub-replies.patch b/debian/patches/resolved-follow-CNAMES-for-DNS-stub-replies.patch
new file mode 100644
index 0000000..bf49138
--- /dev/null
+++ b/debian/patches/resolved-follow-CNAMES-for-DNS-stub-replies.patch
@@ -0,0 +1,247 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Wed, 8 Feb 2017 19:12:55 +0100
+Subject: resolved: follow CNAMES for DNS stub replies
+
+Clients expect us to follow CNAMEs for them, hence do so. On the first
+iteration start putting together a packet, and then keep adding data we
+acquire through CNAMEs to it, until we finally send it off.
+
+Fixes: #3826
+---
+ src/resolve/resolved-dns-query.c |   1 +
+ src/resolve/resolved-dns-query.h |   2 +-
+ src/resolve/resolved-dns-stub.c  | 126 ++++++++++++++++++++++++---------------
+ 3 files changed, 81 insertions(+), 48 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
+index e03db4d..39fb213 100644
+--- a/src/resolve/resolved-dns-query.c
++++ b/src/resolve/resolved-dns-query.c
+@@ -403,6 +403,7 @@ DnsQuery *dns_query_free(DnsQuery *q) {
+         sd_bus_track_unref(q->bus_track);
+ 
+         dns_packet_unref(q->request_dns_packet);
++        dns_packet_unref(q->reply_dns_packet);
+ 
+         if (q->request_dns_stream) {
+                 /* Detach the stream from our query, in case something else keeps a reference to it. */
+diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h
+index 49a35b8..8f37899 100644
+--- a/src/resolve/resolved-dns-query.h
++++ b/src/resolve/resolved-dns-query.h
+@@ -71,7 +71,6 @@ struct DnsQuery {
+          * family */
+         bool suppress_unroutable_family;
+ 
+-
+         /* If true, the RR TTLs of the answer will be clamped by their current left validity in the cache */
+         bool clamp_ttl;
+ 
+@@ -102,6 +101,7 @@ struct DnsQuery {
+         /* DNS stub information */
+         DnsPacket *request_dns_packet;
+         DnsStream *request_dns_stream;
++        DnsPacket *reply_dns_packet;
+ 
+         /* Completion callback */
+         void (*complete)(DnsQuery* q);
+diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
+index e76de6c..29c8d2b 100644
+--- a/src/resolve/resolved-dns-stub.c
++++ b/src/resolve/resolved-dns-stub.c
+@@ -29,49 +29,33 @@ static int manager_dns_stub_udp_fd(Manager *m);
+ static int manager_dns_stub_tcp_fd(Manager *m);
+ 
+ static int dns_stub_make_reply_packet(
+-                uint16_t id,
+-                int rcode,
++                DnsPacket **p,
+                 DnsQuestion *q,
+-                DnsAnswer *answer,
+-                bool add_opt,   /* add an OPT RR to this packet */
+-                bool edns0_do,  /* set the EDNS0 DNSSEC OK bit */
+-                bool ad,        /* set the DNSSEC authenticated data bit */
+-                DnsPacket **ret) {
++                DnsAnswer *answer) {
+ 
+-        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+         DnsResourceRecord *rr;
+         unsigned c = 0;
+         int r;
+ 
++        assert(p);
++
+         /* Note that we don't bother with any additional RRs, as this is stub is for local lookups only, and hence
+          * roundtrips aren't expensive. */
+ 
+-        r = dns_packet_new(&p, DNS_PROTOCOL_DNS, 0);
+-        if (r < 0)
+-                return r;
+-
+-        /* If the client didn't do EDNS, clamp the rcode to 4 bit */
+-        if (!add_opt && rcode > 0xF)
+-                rcode = DNS_RCODE_SERVFAIL;
++        if (!*p) {
++                r = dns_packet_new(p, DNS_PROTOCOL_DNS, 0);
++                if (r < 0)
++                        return r;
+ 
+-        DNS_PACKET_HEADER(p)->id = id;
+-        DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
+-                                                              1 /* qr */,
+-                                                              0 /* opcode */,
+-                                                              0 /* aa */,
+-                                                              0 /* tc */,
+-                                                              1 /* rd */,
+-                                                              1 /* ra */,
+-                                                              ad /* ad */,
+-                                                              0 /* cd */,
+-                                                              rcode));
++                r = dns_packet_append_question(*p, q);
++                if (r < 0)
++                        return r;
+ 
+-        r = dns_packet_append_question(p, q);
+-        if (r < 0)
+-                return r;
+-        DNS_PACKET_HEADER(p)->qdcount = htobe16(dns_question_size(q));
++                DNS_PACKET_HEADER(*p)->qdcount = htobe16(dns_question_size(q));
++        }
+ 
+         DNS_ANSWER_FOREACH(rr, answer) {
++
+                 r = dns_question_matches_rr(q, rr, NULL);
+                 if (r < 0)
+                         return r;
+@@ -86,13 +70,46 @@ static int dns_stub_make_reply_packet(
+ 
+                 continue;
+         add:
+-                r = dns_packet_append_rr(p, rr, NULL, NULL);
++                r = dns_packet_append_rr(*p, rr, NULL, NULL);
+                 if (r < 0)
+                         return r;
+ 
+                 c++;
+         }
+-        DNS_PACKET_HEADER(p)->ancount = htobe16(c);
++
++        DNS_PACKET_HEADER(*p)->ancount = htobe16(be16toh(DNS_PACKET_HEADER(*p)->ancount) + c);
++
++        return 0;
++}
++
++static int dns_stub_finish_reply_packet(
++                DnsPacket *p,
++                uint16_t id,
++                int rcode,
++                bool add_opt,   /* add an OPT RR to this packet? */
++                bool edns0_do,  /* set the EDNS0 DNSSEC OK bit? */
++                bool ad) {      /* set the DNSSEC authenticated data bit? */
++
++        int r;
++
++        assert(p);
++
++        /* If the client didn't do EDNS, clamp the rcode to 4 bit */
++        if (!add_opt && rcode > 0xF)
++                rcode = DNS_RCODE_SERVFAIL;
++
++        DNS_PACKET_HEADER(p)->id = id;
++
++        DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
++                                                              1 /* qr */,
++                                                              0 /* opcode */,
++                                                              0 /* aa */,
++                                                              0 /* tc */,
++                                                              1 /* rd */,
++                                                              1 /* ra */,
++                                                              ad /* ad */,
++                                                              0 /* cd */,
++                                                              rcode));
+ 
+         if (add_opt) {
+                 r = dns_packet_append_opt(p, ADVERTISE_DATAGRAM_SIZE_MAX, edns0_do, rcode, NULL);
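Review bot: the `add:` path still returns any error from dns_packet_append_rr(*p, rr, NULL, NULL) straight to the caller, and dns_stub_finish_reply_packet hard-codes `0 /* tc */`, so an answer that no longer fits (now more likely, since the packet accumulates RRs across CNAME restarts and ancount is summed with `be16toh(...) + c`) aborts the whole reply instead of sending a truncated one with TC set for the client to retry over TCP. If that is acceptable for now, please say so in a comment; otherwise treat the size failure as "stop adding, set tc". Smaller point in the same function: `1 /* rd */` and `0 /* cd */` are fixed rather than copied from the request header, whereas RFC 1035 §4.1.1 has RD copied into the response; harmless for ordinary stub clients but worth a note.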
+@@ -100,9 +117,6 @@ static int dns_stub_make_reply_packet(
+                         return r;
+         }
+ 
+-        *ret = p;
+-        p = NULL;
+-
+         return 0;
+ }
+ 
+@@ -155,7 +169,11 @@ static int dns_stub_send_failure(Manager *m, DnsStream *s, DnsPacket *p, int rco
+         assert(m);
+         assert(p);
+ 
+-        r = dns_stub_make_reply_packet(DNS_PACKET_ID(p), rcode, p->question, NULL, !!p->opt, DNS_PACKET_DO(p), false, &reply);
++        r = dns_stub_make_reply_packet(&reply, p->question, NULL);
++        if (r < 0)
++                return log_debug_errno(r, "Failed to make failure packet: %m");
++
++        r = dns_stub_finish_reply_packet(reply, DNS_PACKET_ID(p), rcode, !!p->opt, DNS_PACKET_DO(p), false);
+         if (r < 0)
+                 return log_debug_errno(r, "Failed to build failure packet: %m");
+ 
+@@ -170,26 +188,40 @@ static void dns_stub_query_complete(DnsQuery *q) {
+ 
+         switch (q->state) {
+ 
+-        case DNS_TRANSACTION_SUCCESS: {
+-                _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
++        case DNS_TRANSACTION_SUCCESS:
++
++                r = dns_stub_make_reply_packet(&q->reply_dns_packet, q->question_idna, q->answer);
++                if (r < 0) {
++                        log_debug_errno(r, "Failed to build reply packet: %m");
++                        break;
++                }
++
++                r = dns_query_process_cname(q);
++                if (r == -ELOOP) {
++                        (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_SERVFAIL);
++                        break;
++                }
++                if (r < 0) {
++                        log_debug_errno(r, "Failed to process CNAME: %m");
++                        break;
++                }
++                if (r == DNS_QUERY_RESTARTED)
++                        return;
+ 
+-                r = dns_stub_make_reply_packet(
++                r = dns_stub_finish_reply_packet(
++                                q->reply_dns_packet,
+                                 DNS_PACKET_ID(q->request_dns_packet),
+                                 q->answer_rcode,
+-                                q->question_idna,
+-                                q->answer,
+                                 !!q->request_dns_packet->opt,
+                                 DNS_PACKET_DO(q->request_dns_packet),
+-                                DNS_PACKET_DO(q->request_dns_packet) && q->answer_authenticated,
+-                                &reply);
++                                DNS_PACKET_DO(q->request_dns_packet) && q->answer_authenticated);
+                 if (r < 0) {
+-                        log_debug_errno(r, "Failed to build reply packet: %m");
++                        log_debug_errno(r, "Failed to finish reply packet: %m");
+                         break;
+                 }
+ 
+-                (void) dns_stub_send(q->manager, q->request_dns_stream, q->request_dns_packet, reply);
++                (void) dns_stub_send(q->manager, q->request_dns_stream, q->request_dns_packet, q->reply_dns_packet);
+                 break;
+-        }
+ 
+         case DNS_TRANSACTION_RCODE_FAILURE:
+                 (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, q->answer_rcode);
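Review bot: the DNS_TRANSACTION_RCODE_FAILURE case is unchanged and still builds the error reply from `q->request_dns_packet` alone, so when a CNAME has already been followed and the target then comes back with an error rcode, the CNAME RRs accumulated in `q->reply_dns_packet` are dropped and the client gets an empty answer section with, e.g., NXDOMAIN; RFC 2308 §2.1 expects the CNAME chain to be present in that case. Consider finishing and sending `q->reply_dns_packet` with `q->answer_rcode` when it is non-NULL. Two smaller points: on make/finish failure the `break` sends nothing, so the client times out rather than getting SERVFAIL as it does for -ELOOP; and the ad bit is computed from `q->answer_authenticated` only, while the packet now carries RRs from several transactions, so please confirm that field already accounts for the authentication state of the earlier redirects.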
+@@ -301,7 +333,7 @@ static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) {
+                 goto fail;
+         }
+ 
+-        r = dns_query_new(m, &q, p->question, p->question, 0, SD_RESOLVED_PROTOCOLS_ALL|SD_RESOLVED_NO_SEARCH|SD_RESOLVED_NO_CNAME);
++        r = dns_query_new(m, &q, p->question, p->question, 0, SD_RESOLVED_PROTOCOLS_ALL|SD_RESOLVED_NO_SEARCH);
+         if (r < 0) {
+                 log_error_errno(r, "Failed to generate query object: %m");
+                 dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL);
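Review bot: dropping SD_RESOLVED_NO_CNAME is the actual behaviour switch of this patch, and it is fine, but the only bound on redirect chains the stub now relies on is the -ELOOP branch in dns_stub_query_complete, so that handling and this flag need to stay together; a short comment here pointing at the CNAME handling in the completion callback would make that dependency visible. Keeping SD_RESOLVED_NO_SEARCH is correct, the stub must not apply search domains on the client's behalf.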
diff --git a/debian/patches/series b/debian/patches/series
index 561c282..76c744f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,6 +44,12 @@ dbus-permit-seeing-process-list-of-units-whose-unit-files.patch
 install-never-hit-assert-when-we-can-t-figure-out-where-t.patch
 path-lookup-try-harder-acquiring-them-HOME-of-a-user.patch
 path-lookup-if-HOME-can-be-determined-but-XDG_RUNTIME_DIR.patch
+resolved-follow-CNAMES-for-DNS-stub-replies.patch
+logind-Don-t-try-to-emit-a-change-signal-for-the-Sessions.patch
+resolved-fix-NSEC-proofs-for-missing-TLDs.patch
+automount-if-an-automount-unit-is-masked-don-t-react-to-a.patch
+resolved-add-the-new-KSK-to-the-built-in-resolved-trust-a.patch
+zsh-completion-_journalctl-fixes-5165.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch
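Review bot: the placement of the six new patches after the existing upstream cherry-picks and before the debian/ ones follows the file's convention. Of these, resolved-add-the-new-KSK-to-the-built-in-resolved-trust-a.patch is the one with an external deadline: without the new root KSK in the built-in trust anchor, resolved with DNSSEC=yes stops validating once the root zone rolls its KSK, so it deserves an explicit mention in the changelog rather than being listed only in series.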
diff --git a/debian/patches/zsh-completion-_journalctl-fixes-5165.patch b/debian/patches/zsh-completion-_journalctl-fixes-5165.patch
new file mode 100644
index 0000000..4f2361c
--- /dev/null
+++ b/debian/patches/zsh-completion-_journalctl-fixes-5165.patch
@@ -0,0 +1,27 @@
+From: llua <llua at users.noreply.github.com>
+Date: Fri, 27 Jan 2017 07:50:40 -0500
+Subject: zsh-completion: _journalctl fixes (#5165)
+
+allow _journalctl to work when the rcquotes option is set, broken in ba89f80620d619867b4838973785d529c5a959f6.
+allow the completion of --file multiple times, which ba89f80620d619867b4838973785d529c5a959f6 claims is true.
+
+Fixes #4842
+---
+ shell-completion/zsh/_journalctl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shell-completion/zsh/_journalctl b/shell-completion/zsh/_journalctl
+index ef67fcf..4a78a2e 100644
+--- a/shell-completion/zsh/_journalctl
++++ b/shell-completion/zsh/_journalctl
+@@ -107,8 +107,8 @@ _arguments -s \
+     '--user[Show messages from user services]' \
+     '(--directory -D -M --machine --root --file)'{-M+,--machine=}'[Operate on local container]:machines:_sd_machines' \
+     '(--directory -D -M --machine --root --file)'{-D+,--directory=}'[Show journal files from directory]:directories:_directories' \
+-    '(--directory -D -M --machine --root --file)''--root=[Operate on catalog hierarchy under specified directory]:directories:_directories' \
+-    '(--directory -D -M --machine --root)--file=[Operate on specified journal files]:file:_files' \
++    '(--directory -D -M --machine --root --file)--root=[Operate on catalog hierarchy under specified directory]:directories:_directories' \
++    '(--directory -D -M --machine --root)*--file=[Operate on specified journal files]:file:_files' \
+     '--new-id128[Generate a new 128 Bit ID]' \
+     '--header[Show journal header information]' \
+     '--disk-usage[Show total disk usage]' \
diff --git a/debian/tests/boot-and-services b/debian/tests/boot-and-services
index 2f59b69..1f962c4 100755
--- a/debian/tests/boot-and-services
+++ b/debian/tests/boot-and-services
@@ -302,6 +302,8 @@ AppArmorProfile=violator-test
         self.assertNotIn('root:x', out, 'unit can read /etc/passwd')
 
 
+ at unittest.skipIf(os.path.exists('/sys/fs/cgroup/cgroup.controllers'),
+                 'test needs to be reworked on unified cgroup hierarchy')
 class CgroupsTest(unittest.TestCase):
     '''Check cgroup setup'''
 
diff --git a/debian/tests/control b/debian/tests/control
index fede694..60da5f4 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -11,7 +11,7 @@ Depends: systemd,
   acl,
   locales,
   evemu-tools,
-Restrictions: needs-root, isolation-machine
+Restrictions: needs-root, isolation-container
 
 Tests: unit-config
 Depends: systemd,
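Review bot: relaxing this stanza from isolation-machine to isolation-container means ci.debian.net may now run it in lxc, where there is no /dev/uinput and no kernel of its own; evemu-tools is still in Depends here, so whichever part of the test drives evemu needs a container skip of its own (the logind script in this debdiff gets such skips, this stanza's test should be checked the same way).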
@@ -153,7 +153,7 @@ Depends: libsystemd-dev,
   policykit-1,
   lightdm,
   xserver-xorg-video-dummy,
-Restrictions: needs-recommends, needs-root, isolation-machine, allow-stderr, breaks-testbed
+Restrictions: needs-recommends, needs-root, isolation-container, allow-stderr, breaks-testbed
 
 # NOUPSTREAM: Do not run these tests for upstream builds
 
diff --git a/debian/tests/logind b/debian/tests/logind
index e1bfa15..b921ef7 100755
--- a/debian/tests/logind
+++ b/debian/tests/logind
@@ -32,6 +32,10 @@ wait_suspend() {
 }
 
 test_suspend_on_lid() {
+    if systemd-detect-virt --quiet --container; then
+        echo " * Skipping suspend test in container"
+        return
+    fi
     if ! grep -q mem /sys/power/state; then
         echo " * suspend not supported on this testbed, skipping"
         return
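Review bot: the ordering here matters and is right: in most containers /sys is the host's, so `grep -q mem /sys/power/state` alone would succeed and the test would go on to try suspending, which at best fails on the write and at worst affects the host; checking `systemd-detect-virt --quiet --container` before that grep avoids it.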
@@ -126,6 +130,10 @@ test_acl() {
         echo " * Skipping ACL tests, as there is no seat"
         return
     fi
+    if systemd-detect-virt --quiet --container; then
+        echo " * Skipping ACL tests in container"
+        return
+    fi
 
     # determine user
     USER=`echo "$OUT" | grep seat0 | awk '{print $3}'`
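Review bot: this container skip sits after the "no seat" return, so in a container without seat0 the earlier message is printed and the container check is never reached; harmless, but moving the container check first would make the log say the real reason and match the order used in test_suspend_on_lid.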
diff --git a/debian/tests/root-unittests b/debian/tests/root-unittests
index 11d7a31..a258087 100644
--- a/debian/tests/root-unittests
+++ b/debian/tests/root-unittests
@@ -8,6 +8,7 @@ test-engine
 test-execute
 test-path
 test-sched-prio
+test-journal-importer
 "
 
 # No items in catalog.
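Review bot: the blacklist gains test-journal-importer without saying why; since the changelog explains it only needs `make install-tests`, which is not in this version, a comment next to the entry (and the upstream PR it came from) would let whoever updates this file later know the entry can be dropped once the install target exists, instead of it quietly staying blacklisted forever.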