Merge upstream changes from core22 snap #62
Merged
As the core22 is now based on the 22.04 rootfs, this TODO can be removed. Signed-off-by: Isaac True <[email protected]>
When `/etc/writable/faillock.enabled` is present, then we use `pam_faillock`, which can lock accounts for 900 seconds after 3 wrong passwords.
…lock pam: add optional faillock
Because `/` is a squashfs from `/run/mnt/data`, we cannot unmount `/run/mnt/data` (or `/run/mnt/ubuntu-seed` during install/recovery). So we need to disable `/run/mnt/data` by adding it to `shutdown.target`. However, we need also to remount read-only. To avoid with writable bind mounts, we need to do it after `umount.target`. `/usr/lib/modules` is usually kept busy by systemd-udevd, which keeps running during shutdown. `/usr/lib/modules` is a bind mount of `/run/mnt/kernel`. So those two mounts also need to be kept alive. This does not remove errors from finalrd, which will be fixed in a different PR. Note for testing: this happens after journald has stopped writing to logs, so you need to use a serial port to properly log the errors.
Completion for `snap` must be present in `/usr/share/bash-completion/completions/` and it must point to the file in the active Snapd. Other completions will be added in `/var/lib/snapd/desktop/bash-completion/completions/` by Snapd. To be able to access those, `XDG_DATA_DIRS` has to be set by Snapd's `profile.d` file. This commit also adds snap's `environment.d` file, which is used by user services rather than interactive users.
…-bash-completion hooks: Add symlinks for bash completions of snap and snaps
To switch root, systemd has to recursively make all mounts private, then afterwards recursively make all mounts shared. However, `/run/mnt/*` and `/writable` are bind mounted in the rest of the file system. For example, there is no reason for the mount `/snap/hello/42` to also show up as `/writable/system-data/snap/hello/42` and `/run/mnt/data/system-data/snap/hello/42`.
…-unmounting-errors Remove some unmounting errors on shutdown
…propagation Fix mount propagation
Since we do not distribute the polkit daemon, those files are useless.
This reverts commit bb8b566.
…/polkit-files Revert "Remove polkit policies and rules"
The correct name is `ssh.service`
Some mounts cannot be unmounted during `shutdown.target`. We have tried to make them part of `shutdown.target` so they are kept alive. But because they depend on `system-systemd\\x2dfsck.slice` and `[email protected]`, which both conflict with `shutdown.target`, it confuses systemd, and the result of what gets scheduled is not deterministic. Instead we remove the conflicts of `system-systemd\\x2dfsck.slice` and `[email protected]`. Then `DefaultDependencies=no` on mounts is enough to disable unmounts.
…lict-shutdown Rework disabling of unmounts
These integrate nvidia graphics cards with logind and enable power management. Signed-off-by: Dimitri John Ledkov <[email protected]>
The security team maintains a PPA with the user-space parts of cryptsetup support for the Inline Crypto Engine (ICE) code. This needs to be included in the core build so that FDE on ICE is supported. The full ICE implementation uses: https://github.com/chrisccoulson/linux/tree/dm-blk-crypto https://github.com/chrisccoulson/cryptsetup/tree/ice-wip and is getting upstreamed by the kernel and security teams.
static: add generic nvidia udev rules
This is needed for `nl_langinfo(CODESET)` to return the right encoding.
Signed-off-by: Ondrej Kubik <[email protected]>
It always removes the clock stamp, so it breaks timesyncd's ability to move the clock forward to a time later than when the system was last powered down, when no RTC is available.
Also use a generator to enable it instead of disabling it with conditions.
To keep consistency with other kernel command line settings.
Anything with an "A" or a "0" in the name was not parsed correctly and interpreted as a space instead.
… activated by kernel cmdline
polkit is needed in some cases for communication between services shipped in the base, for instance when systemd-networkd talks to systemd-hostnamed to set the hostname. Enable to fix these use cases. Note that this does not help yet if we want to use it from a snap. Backported from canonical#161
Because we might run `snap auto-import --mount` on a partition table block and its partition blocks at the same time, it might cause a conflict. We then get an error like `/dev/sda1 already mounted or mount point busy.`. To go around this issue, we trigger the service only for devices that are identified as filesystems.
…ervice There is a conflict between snapd.autoimport.service and [email protected]. This causes error messages because both cannot mount at the same time. So they cannot be run at the same time.
sergio-costas approved these changes on Jun 26, 2024:
I tested it and it works like a charm.
There's a bunch of changes in the upstream core22 snap that we never pulled into core22-desktop. Of particular interest, 6516c6a seems to be necessary to correctly seed a system running recent snapd.
The snapd change requiring that patch is canonical/snapd#13370. With this change, the ELF interpreter for programs in the snap is rewritten like so:
```
$ readelf -a usr/lib/snapd/snapd | grep -A2 INTERP
  INTERP         0x0000000000000270 0x0000000000400270 0x0000000000400270
                 0x0000000000000042 0x0000000000000042  R      0x1
      [Requesting program interpreter: /snap/snapd/current/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2]
```
So if the `/snap/snapd/current` path doesn't exist, trying to run any of the programs in the snap will fail with a "file not found" error. The other changes are less necessary, but it seems better to take them all rather than picking and choosing.
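To make the failure mode described above concrete, here is an added example (not code from this PR, from snapd or from core22-desktop) that parses the PT_INTERP program header of an ELF64 image and reports whether the requested interpreter exists under a given root, which is exactly the check that exec performs before reporting "file not found". The ELF image and the temporary root are constructed inside the block; only the interpreter path is taken from the readelf output above.

```python
import os
import struct
import tempfile
from typing import Optional, Tuple

PT_INTERP = 3  # program header type carrying the requested ELF interpreter
# Interpreter path quoted in the readelf output of the PR description
SNAP_INTERP = "/snap/snapd/current/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"


def elf_interpreter(data: bytes) -> Optional[str]:
    """Return the PT_INTERP path of a little-endian ELF64 image, or None if static."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]        # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0].decode()
    return None


def check_interpreter(data: bytes, root: str = "/") -> Tuple[Optional[str], bool]:
    """(interpreter, present under root); a missing interpreter is what exec reports as ENOENT."""
    interp = elf_interpreter(data)
    if interp is None:
        return None, True  # static binary, nothing to resolve
    return interp, os.path.exists(os.path.join(root, interp.lstrip("/")))


def build_sample_elf(interp: str) -> bytes:
    """Constructed ELF64 header plus one PT_INTERP segment (not an executable binary)."""
    body = interp.encode() + b"\0"
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 64 + 56, 0, 0, len(body), len(body), 1)
    return ehdr + phdr + body


def demo() -> dict:
    """Check the constructed image against a root with and without the snapd interpreter."""
    image = build_sample_elf(SNAP_INTERP)
    with tempfile.TemporaryDirectory() as root:
        missing = check_interpreter(image, root)           # /snap/snapd/current absent
        target = os.path.join(root, SNAP_INTERP.lstrip("/"))
        os.makedirs(os.path.dirname(target))
        open(target, "wb").close()                         # now the loader path exists
        present = check_interpreter(image, root)
    return {"missing": missing, "present": present}
```

Pointing `check_interpreter` at a real seeded rootfs (for example `root="/"` and the bytes of `usr/lib/snapd/snapd`) shows before boot whether the `/snap/snapd/current` symlink the rewritten interpreter relies on is in place.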