From 49f845b535a5e614eba2c266f6715935c203da8656a2a8cc8e6a14415b9e35fb Mon Sep 17 00:00:00 2001
From: Franck Bui
Date: Fri, 9 Feb 2018 09:01:49 +0000
Subject: [PATCH] - Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224) - Don't build seccomp support in the mini package
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1010
---
suse-disable-tmpfs-for-tmp.service | 33 ----------------------------
systemd-mini.changes | 20 +++++++++++++++++
systemd-mini.spec | 35 +++++++++++-------------------
systemd.changes | 20 +++++++++++++++++
systemd.spec | 35 +++++++++++-------------------
5 files changed, 66 insertions(+), 77 deletions(-)
delete mode 100644 suse-disable-tmpfs-for-tmp.service
diff --git a/suse-disable-tmpfs-for-tmp.service b/suse-disable-tmpfs-for-tmp.service
deleted file mode 100644
index df59808..0000000
--- a/suse-disable-tmpfs-for-tmp.service
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# By default, /tmp doesn't use tmpfs on SUSE distros.
-#
-# This service is either run automatically during the firstboot (i.e.
-# only once) of the system.
-#
-# Or it can also be (manually) started during systemd update (%post)
-# only and only if tmp.mount wasn't already installed by the admin in
-# /usr/lib during %pre. In this case tmp.mount should also masked.
-#
-# In any cases this service will never mask tmp.mount if the service
-# has been created by either the admin or fstab-generator.
-#
-[Unit]
-Description=Mask tmp.mount by default on SUSE systems
-DefaultDependencies=no
-Conflicts=shutdown.target
-After=systemd-remount-fs.service
-Before=tmp.mount
-ConditionPathIsReadWrite=/etc
-ConditionPathExists=!/usr/lib/systemd/system/.disable-tmpfs-for-tmp~done
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/sh -c ' \
- case "$(systemctl show -pFragmentPath tmp.mount)" in \
- FragmentPath=/usr/lib/systemd/system/tmp.mount) \
- systemctl mask --now tmp.mount ;; \
- FragmentPath=/usr/share/systemd/tmp.mount) \
- ln -sf /usr/lib/systemd/system/tmp.mount /etc/systemd/system/ ;; \
- esac'
-ExecStartPost=/usr/bin/touch /usr/lib/systemd/system/.disable-tmpfs-for-tmp~done
diff --git a/systemd-mini.changes b/systemd-mini.changes
index 6c78091..7e9eb93 100644
--- a/systemd-mini.changes
+++ b/systemd-mini.changes
@@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Fri Feb 9 07:59:56 UTC 2018 - fbui@suse.com + +- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224) + + The previous fix couldn't work on platforms using a RO + rootfs. Therefore we don't ship /usr/lib/systemd/system/tmp.mnt but + we still ship a copy in /var. + + Users who want to use tmpfs on /tmp are supposed to add a symlink in + /etc/ pointing to the copy shipped in /var. + + To support the update path we automatically create the symlink if + tmp.mount in use is located in /usr. + +------------------------------------------------------------------- +Tue Feb 6 16:11:40 UTC 2018 - fbui@suse.com + +- Don't build seccomp support in the mini package + ------------------------------------------------------------------- Tue Feb 6 15:12:42 UTC 2018 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 7f69f82..5d63313 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -70,6 +70,9 @@ BuildRequires: pkgconfig(liblz4) BuildRequires: pkgconfig(liblzma) BuildRequires: pkgconfig(libqrencode) BuildRequires: pkgconfig(libselinux) >= 2.1.9 +%ifarch aarch64 %ix86 x86_64 x32 %arm ppc64le s390x +BuildRequires: pkgconfig(libseccomp) >= 2.3.1 +%endif %endif BuildRequires: fdupes BuildRequires: gperf @@ -97,9 +100,6 @@ BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libmicrohttpd) >= 0.9.33 %endif -%ifarch aarch64 %ix86 x86_64 x32 %arm ppc64le s390x -BuildRequires: pkgconfig(libseccomp) >= 2.3.1 -%endif %if %{with gnuefi} BuildRequires: gnu-efi %endif @@ -146,7 +146,6 @@ Source6: baselibs.conf Source11: after-local.service Source12: systemd-sysv-install Source14: kbd-model-map.legacy -Source15: suse-disable-tmpfs-for-tmp.service Source100: scripts-systemd-fix-machines-btrfs-subvol.sh Source101: scripts-systemd-upgrade-from-pre-210.sh 
@@ -421,6 +420,7 @@ Some systemd commands offer bash completion, but it is an optional dependency. -Drc-local=/etc/init.d/boot.local \ -Dhalt-local=/etc/init.d/halt.local \ -Ddebug-shell=/bin/bash \ + -Dseccomp=auto \ -Dselinux=auto \ -Dapparmor=auto \ -Dsmack=false \ @@ -499,10 +499,11 @@ rm -f %{buildroot}/etc/systemd/system/default.target # customized for openSUSE distros. install -m0644 %{S:2} %{buildroot}%{_sysconfdir}/pam.d/ -# Install the service which will disable/mask tmpfs for /tmp (if -# needed) on first boot. -install -m0644 -D %{S:15} %{buildroot}/%{_prefix}/lib/systemd/system/suse-disable-tmpfs-for-tmp.service -ln -s ../suse-disable-tmpfs-for-tmp.service %{buildroot}/%{_prefix}/lib/systemd/system/sysinit.target.wants/ +# Remove tmp.mount from the unit search path as /tmp doesn't use tmpfs +# by default on SUSE distros. We still keep a copy in /var for those +# who want to switch to tmpfs: it's still can be copied in /etc. +rm %{buildroot}/%{_prefix}/lib/systemd/system/local-fs.target.wants/tmp.mount +mv %{buildroot}/%{_prefix}/lib/systemd/system/tmp.mount %{buildroot}/%{_datadir}/systemd/ # don't enable wall ask password service, it spams every console (bnc#747783) rm %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path @@ -634,13 +635,10 @@ cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map # so keep the section even if it's empty. %pre if [ $1 -gt 1 ] ; then - # Check if tmp.mount has been restored by either the admin or - # was added at package installation. In both cases do nothing - # and prevent the service to be executed during %post for the - # former case. - if test -e %{_unitdir}/tmp.mount; then - touch %{_unitdir}/.disable-tmpfs-for-tmp~done - fi + case "$(systemctl show -pFragmentPath tmp.mount)" in + FragmentPath=/usr/lib/systemd/system/tmp.mount) + ln -sf %{_datadir}/systemd/tmp.mount /etc/systemd/system/ || : + esac fi %post 
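Review bot: `-Dseccomp=auto` in the configure arguments lets the build succeed without seccomp whenever libseccomp is not detected, so a dropped or mistyped BuildRequires on the full package would silently produce a systemd that cannot apply syscall filters. The `pkgconfig(libseccomp)` BuildRequires now sits inside a conditional block (hunk at -70,6; its opening `%if` is outside that hunk), so the option could follow the same condition: `-Dseccomp=true` where the dependency is required and `-Dseccomp=false` for the mini flavour, turning a missing library into a build failure rather than a lost hardening feature. The same line is added in the matching systemd.spec hunk (-419,6). The configure invocation these arguments belong to starts and ends outside this hunk.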
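Review bot: The new comment above the `rm`/`mv` pair says a copy of tmp.mount is kept in /var, but the `mv` puts it in `%{_datadir}/systemd/`, which is also where the `%pre` scriptlet added later in this file points its symlink. The comment also reads "it's still can be copied in /etc" while the upgrade path creates a symlink rather than a copy. Suggested wording, assuming `%{_datadir}` has its usual value: `# by default on SUSE distros. We still keep a copy in /usr/share/systemd for` / `# those who want to switch to tmpfs: it can be symlinked or copied into /etc.` The identical comment appears in the systemd.spec hunk (-497,10), and both .changes entries repeat the /var wording.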
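Review bot: The upgrade path added to `%pre` depends on `systemctl show` getting an answer from a running manager and discards every failure: if the query returns nothing (for example when the scriptlet runs in a chroot or image build, which is not visible from here) or `ln` fails on a read-only /etc, no symlink is created and /tmp quietly stops being a tmpfs after the update. Data in /tmp would then persist on disk across reboots, which an admin relying on tmpfs may not expect, so a message is worth more than `|| :` alone, e.g. `ln -sf %{_datadir}/systemd/tmp.mount /etc/systemd/system/ || echo "systemd: could not keep tmp.mount enabled, /tmp will not be a tmpfs" >&2`. The arm also has no `;;` and no comment; `# tmp.mount was in use from /usr: keep tmpfs on /tmp by linking the relocated unit` above the `case` would explain it. The same scriptlet is added in systemd.spec (-632,13).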
@@ -715,13 +713,6 @@ if [ $1 -gt 1 ]; then # tmpfiles_create macro previously however it's empty so there # shouldn't be any issues. %{_prefix}/lib/systemd/scripts/fix-machines-btrfs-subvol.sh || : - - # Should we mask tmpfs ? If tmp.mount was already installed in - # /usr/lib then this is a nop as sysadmin restored the unit - # most likely to use tmpfs (see %pre) otherwise mask the mount - # unit unless it's overriden by a tmp.mount unit installed - # either by sysadmin or fstab-generator. - systemctl start suse-disable-tmpfs-for-tmp.service || : fi %postun diff --git a/systemd.changes b/systemd.changes index 6c78091..7e9eb93 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Fri Feb 9 07:59:56 UTC 2018 - fbui@suse.com + +- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224) + + The previous fix couldn't work on platforms using a RO + rootfs. Therefore we don't ship /usr/lib/systemd/system/tmp.mnt but + we still ship a copy in /var. + + Users who want to use tmpfs on /tmp are supposed to add a symlink in + /etc/ pointing to the copy shipped in /var. + + To support the update path we automatically create the symlink if + tmp.mount in use is located in /usr. + +------------------------------------------------------------------- +Tue Feb 6 16:11:40 UTC 2018 - fbui@suse.com + +- Don't build seccomp support in the mini package + ------------------------------------------------------------------- Tue Feb 6 15:12:42 UTC 2018 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index 71ffddc..138409b 100644 --- a/systemd.spec +++ b/systemd.spec @@ -68,6 +68,9 @@ BuildRequires: pkgconfig(liblz4) BuildRequires: pkgconfig(liblzma) BuildRequires: pkgconfig(libqrencode) BuildRequires: pkgconfig(libselinux) >= 2.1.9 +%ifarch aarch64 %ix86 x86_64 x32 %arm ppc64le s390x +BuildRequires: pkgconfig(libseccomp) >= 2.3.1 +%endif %endif BuildRequires: fdupes BuildRequires: gperf 
@@ -95,9 +98,6 @@ BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libmicrohttpd) >= 0.9.33 %endif -%ifarch aarch64 %ix86 x86_64 x32 %arm ppc64le s390x -BuildRequires: pkgconfig(libseccomp) >= 2.3.1 -%endif %if %{with gnuefi} BuildRequires: gnu-efi %endif @@ -144,7 +144,6 @@ Source6: baselibs.conf Source11: after-local.service Source12: systemd-sysv-install Source14: kbd-model-map.legacy -Source15: suse-disable-tmpfs-for-tmp.service Source100: scripts-systemd-fix-machines-btrfs-subvol.sh Source101: scripts-systemd-upgrade-from-pre-210.sh @@ -419,6 +418,7 @@ Some systemd commands offer bash completion, but it is an optional dependency. -Drc-local=/etc/init.d/boot.local \ -Dhalt-local=/etc/init.d/halt.local \ -Ddebug-shell=/bin/bash \ + -Dseccomp=auto \ -Dselinux=auto \ -Dapparmor=auto \ -Dsmack=false \ @@ -497,10 +497,11 @@ rm -f %{buildroot}/etc/systemd/system/default.target # customized for openSUSE distros. install -m0644 %{S:2} %{buildroot}%{_sysconfdir}/pam.d/ -# Install the service which will disable/mask tmpfs for /tmp (if -# needed) on first boot. -install -m0644 -D %{S:15} %{buildroot}/%{_prefix}/lib/systemd/system/suse-disable-tmpfs-for-tmp.service -ln -s ../suse-disable-tmpfs-for-tmp.service %{buildroot}/%{_prefix}/lib/systemd/system/sysinit.target.wants/ +# Remove tmp.mount from the unit search path as /tmp doesn't use tmpfs +# by default on SUSE distros. We still keep a copy in /var for those +# who want to switch to tmpfs: it's still can be copied in /etc. +rm %{buildroot}/%{_prefix}/lib/systemd/system/local-fs.target.wants/tmp.mount +mv %{buildroot}/%{_prefix}/lib/systemd/system/tmp.mount %{buildroot}/%{_datadir}/systemd/ # don't enable wall ask password service, it spams every console (bnc#747783) rm %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path 
@@ -632,13 +633,10 @@ cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map # so keep the section even if it's empty. %pre if [ $1 -gt 1 ] ; then - # Check if tmp.mount has been restored by either the admin or - # was added at package installation. In both cases do nothing - # and prevent the service to be executed during %post for the - # former case. - if test -e %{_unitdir}/tmp.mount; then - touch %{_unitdir}/.disable-tmpfs-for-tmp~done - fi + case "$(systemctl show -pFragmentPath tmp.mount)" in + FragmentPath=/usr/lib/systemd/system/tmp.mount) + ln -sf %{_datadir}/systemd/tmp.mount /etc/systemd/system/ || : + esac fi %post @@ -713,13 +711,6 @@ if [ $1 -gt 1 ]; then # tmpfiles_create macro previously however it's empty so there # shouldn't be any issues. %{_prefix}/lib/systemd/scripts/fix-machines-btrfs-subvol.sh || : - - # Should we mask tmpfs ? If tmp.mount was already installed in - # /usr/lib then this is a nop as sysadmin restored the unit - # most likely to use tmpfs (see %pre) otherwise mask the mount - # unit unless it's overriden by a tmp.mount unit installed - # either by sysadmin or fstab-generator. - systemctl start suse-disable-tmpfs-for-tmp.service || : fi %postun