- Added patches to fix journal with FSS protection enabled (bsc#1000435)
0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=952
parent
81b3fbf7c4
commit
35fc3cae4d
@ -0,0 +1,54 @@
|
|||||||
|
From 6dac79e09ec1b45f05b3e9a5f1f445859b6eefd2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Franck Bui <fbui@suse.com>
|
||||||
|
Date: Fri, 23 Sep 2016 13:33:01 +0200
|
||||||
|
Subject: [PATCH 1/1] journal: fix HMAC calculation when appending a data
|
||||||
|
object
|
||||||
|
|
||||||
|
Since commit 5996c7c295e073ce21d41305169132c8aa993ad0 (v190 !), the
|
||||||
|
calculation of the HMAC is broken because the hash for a data object
|
||||||
|
including a field is done in the wrong order: the field object is
|
||||||
|
hashed before the data object is.
|
||||||
|
|
||||||
|
However during verification, the hash is done in the opposite order as
|
||||||
|
objects are scanned sequentially.
|
||||||
|
|
||||||
|
(cherry picked from commit 33685a5a3a98c6ded64d0cc25e37d0180ceb0a6a)
|
||||||
|
|
||||||
|
[fbui: fixes bsc#1000435]
|
||||||
|
---
|
||||||
|
src/journal/journal-file.c | 12 ++++++------
|
||||||
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
|
||||||
|
index a9882cf..a24d97d 100644
|
||||||
|
--- a/src/journal/journal-file.c
|
||||||
|
+++ b/src/journal/journal-file.c
|
||||||
|
@@ -1111,6 +1111,12 @@ static int journal_file_append_data(
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
+#ifdef HAVE_GCRYPT
|
||||||
|
+ r = journal_file_hmac_put_object(f, OBJECT_DATA, o, p);
|
||||||
|
+ if (r < 0)
|
||||||
|
+ return r;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* The linking might have altered the window, so let's
|
||||||
|
* refresh our pointer */
|
||||||
|
r = journal_file_move_to_object(f, OBJECT_DATA, p, &o);
|
||||||
|
@@ -1135,12 +1141,6 @@ static int journal_file_append_data(
|
||||||
|
fo->field.head_data_offset = le64toh(p);
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifdef HAVE_GCRYPT
|
||||||
|
- r = journal_file_hmac_put_object(f, OBJECT_DATA, o, p);
|
||||||
|
- if (r < 0)
|
||||||
|
- return r;
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
if (ret)
|
||||||
|
*ret = o;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.10.0
|
||||||
|
|
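Review bot: In journal_file_append_data() the relocated `journal_file_hmac_put_object(f, OBJECT_DATA, o, p)` call now runs before the `journal_file_move_to_object(f, OBJECT_DATA, p, &o)` refresh, so it hashes through `o` at exactly the point where the following comment says the linking might have altered the window. If the mapping did move, the HMAC would be computed over whatever `o` then points at, so sealed-journal verification could fail again or the read could hit unmapped memory. Placing the `#ifdef HAVE_GCRYPT` block directly after the refresh and its error check should keep the data-before-field order this patch restores while using a freshly resolved pointer. This assumes the field object is only appended later in the function, which lies outside the hunk and should be confirmed.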
@ -0,0 +1,93 @@
|
|||||||
|
From 0d0bad044f8f19c472acb69d10861a66d3d267b6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vito Caputo <vcaputo@gnugeneration.com>
|
||||||
|
Date: Tue, 26 Apr 2016 23:29:43 -0700
|
||||||
|
Subject: [PATCH 1/1] journal: set STATE_ARCHIVED as part of offlining (#2740)
|
||||||
|
|
||||||
|
The only code path which makes a journal durable is via
|
||||||
|
journal_file_set_offline().
|
||||||
|
|
||||||
|
When we perform a rotate the journal's header->state is being set to
|
||||||
|
STATE_ARCHIVED prior to journal_file_set_offline() being called.
|
||||||
|
|
||||||
|
In journal_file_set_offline(), we short-circuit the entire offline when
|
||||||
|
f->header->state != STATE_ONLINE.
|
||||||
|
|
||||||
|
This all results in none of the journal_file_set_offline() fsync() calls
|
||||||
|
being reached when rotate archives a journal, so archived journals are
|
||||||
|
never explicitly made durable.
|
||||||
|
|
||||||
|
What we do now is instead of setting the f->header->state to
|
||||||
|
STATE_ARCHIVED directly in journal_file_rotate() prior to
|
||||||
|
journal_file_close(), we set an archive flag in f->archive for the
|
||||||
|
journal_file_set_offline() machinery to honor by committing
|
||||||
|
STATE_ARCHIVED instead of STATE_OFFLINE when set.
|
||||||
|
|
||||||
|
Prior to this, rotated journals were never getting fsync() explicitly
|
||||||
|
performed on them, since journal_file_set_offline() short-circuited.
|
||||||
|
Obviously this is undesirable, and depends entirely on the underlying
|
||||||
|
filesystem as to how much durability was achieved when simply closing
|
||||||
|
the file.
|
||||||
|
|
||||||
|
Note that this problem existed prior to the recent asynchronous fsync
|
||||||
|
changes, but those changes do facilitate our performing this durable
|
||||||
|
offline on rotate without blocking, regardless of the underlying
|
||||||
|
filesystem sync-on-close semantics.
|
||||||
|
|
||||||
|
(cherry picked from commit 8eb851711fd166024297c425e9261200c36f489d)
|
||||||
|
|
||||||
|
[fbui: context adjustment: the asynchronous journal_file_set_offline()
|
||||||
|
thingie doesn't exist in v228]
|
||||||
|
|
||||||
|
[fbui: this also fixes the case when we wanted to append a tag (for
|
||||||
|
FSS verification) when closing the journal. Before this patch,
|
||||||
|
journal_file_append_tag() failed (silently) because re-opening
|
||||||
|
the journal to write the tag was not possible since it was
|
||||||
|
already in "archived" mode.]
|
||||||
|
---
|
||||||
|
src/journal/journal-file.c | 10 ++++++++--
|
||||||
|
src/journal/journal-file.h | 1 +
|
||||||
|
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
|
||||||
|
index f9ff954..e7eecad 100644
|
||||||
|
--- a/src/journal/journal-file.c
|
||||||
|
+++ b/src/journal/journal-file.c
|
||||||
|
@@ -130,7 +130,7 @@ int journal_file_set_offline(JournalFile *f) {
|
||||||
|
if (mmap_cache_got_sigbus(f->mmap, f->fd))
|
||||||
|
return -EIO;
|
||||||
|
|
||||||
|
- f->header->state = STATE_OFFLINE;
|
||||||
|
+ f->header->state = f->archive ? STATE_ARCHIVED : STATE_OFFLINE;
|
||||||
|
|
||||||
|
if (mmap_cache_got_sigbus(f->mmap, f->fd))
|
||||||
|
return -EIO;
|
||||||
|
@@ -2813,7 +2813,13 @@ int journal_file_rotate(JournalFile **f, bool compress, bool seal) {
|
||||||
|
if (r < 0 && errno != ENOENT)
|
||||||
|
return -errno;
|
||||||
|
|
||||||
|
- old_file->header->state = STATE_ARCHIVED;
|
||||||
|
+ /* Set as archive so offlining commits w/state=STATE_ARCHIVED.
|
||||||
|
+ * Previously we would set old_file->header->state to STATE_ARCHIVED directly here,
|
||||||
|
+ * but journal_file_set_offline() short-circuits when state != STATE_ONLINE, which
|
||||||
|
+ * would result in the rotated journal never getting fsync() called before closing.
|
||||||
|
+ * Now we simply queue the archive state by setting an archive bit, leaving the state
|
||||||
|
+ * as STATE_ONLINE so proper offlining occurs. */
|
||||||
|
+ old_file->archive = true;
|
||||||
|
|
||||||
|
/* Currently, btrfs is not very good with out write patterns
|
||||||
|
* and fragments heavily. Let's defrag our journal files when
|
||||||
|
diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
|
||||||
|
index 898d12d..436e5ff 100644
|
||||||
|
--- a/src/journal/journal-file.h
|
||||||
|
+++ b/src/journal/journal-file.h
|
||||||
|
@@ -76,6 +76,7 @@ typedef struct JournalFile {
|
||||||
|
bool compress_lz4:1;
|
||||||
|
bool seal:1;
|
||||||
|
bool defrag_on_close:1;
|
||||||
|
+ bool archive:1;
|
||||||
|
|
||||||
|
bool tail_entry_monotonic_valid:1;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.10.0
|
||||||
|
|
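Review bot: The new `bool archive:1;` member in journal-file.h carries no comment, and the explanation added in journal_file_rotate() recounts the history rather than stating the contract. I would put the invariant on the field, e.g. `/* commit STATE_ARCHIVED instead of STATE_OFFLINE when the file is offlined */`, and shorten the rotate comment to match. It is also worth documenting that when journal_file_set_offline() returns early, as at the first `-EIO` check visible in its hunk, the rotated file keeps its STATE_ONLINE header. The journal_file_close() context in the following patch shows that call being made without checking the result, so that case is silent. Both functions continue outside the hunks shown.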
@ -0,0 +1,36 @@
|
|||||||
|
From 9f47fe6b6a9aad001e99f1fdea78a0c54ce8ae55 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Franck Bui <fbui@suse.com>
|
||||||
|
Date: Fri, 23 Sep 2016 12:12:13 +0200
|
||||||
|
Subject: [PATCH 1/1] journal: warn when we fail to append a tag to a journal
|
||||||
|
|
||||||
|
We shouldn't silently fail when appending the tag to a journal file
|
||||||
|
since FSS protection will simply be disabled in this case.
|
||||||
|
|
||||||
|
(cherry picked from commit 43cd8794839548a6f332875e8bee8bed2652bf2c)
|
||||||
|
---
|
||||||
|
src/journal/journal-file.c | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
|
||||||
|
index e7eecad..a9882cf 100644
|
||||||
|
--- a/src/journal/journal-file.c
|
||||||
|
+++ b/src/journal/journal-file.c
|
||||||
|
@@ -145,8 +145,13 @@ JournalFile* journal_file_close(JournalFile *f) {
|
||||||
|
|
||||||
|
#ifdef HAVE_GCRYPT
|
||||||
|
/* Write the final tag */
|
||||||
|
- if (f->seal && f->writable)
|
||||||
|
- journal_file_append_tag(f);
|
||||||
|
+ if (f->seal && f->writable) {
|
||||||
|
+ int r;
|
||||||
|
+
|
||||||
|
+ r = journal_file_append_tag(f);
|
||||||
|
+ if (r < 0)
|
||||||
|
+ log_error_errno(r, "Failed to append tag when closing journal: %m");
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
|
||||||
|
journal_file_set_offline(f);
|
||||||
|
--
|
||||||
|
2.10.0
|
||||||
|
|
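Review bot: The new `log_error_errno()` call in journal_file_close() does not say which journal lost its final tag, and per the commit message a failure here means FSS protection is disabled for that file. Naming the file, e.g. `log_error_errno(r, "Failed to append tag when closing journal %s: %m", f->path);` (assuming JournalFile's `path` member is set at this point), gives operators something to alert on and to correlate with a later verification failure. The `journal_file_set_offline(f);` call just below still discards its return value, so a failed offline of a sealed journal goes unreported; a matching warning there would be consistent. The function body continues outside the hunk.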
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 26 09:09:27 UTC 2016 - fbui@suse.com
|
||||||
|
|
||||||
|
- Added patches to fix journal with FSS protection enabled (bsc#1000435)
|
||||||
|
|
||||||
|
0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch
|
||||||
|
0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch
|
||||||
|
0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com
|
Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com
|
||||||
|
|
||||||
|
@ -265,6 +265,9 @@ Patch529: 0001-systemctl-pid1-do-not-warn-about-missing-install-inf.patch
|
|||||||
Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch
|
Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch
|
||||||
# PATCH-FIX-UPSTREAM -- fixed after 231
|
# PATCH-FIX-UPSTREAM -- fixed after 231
|
||||||
Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch
|
Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch
|
||||||
|
Patch532: 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch
|
||||||
|
Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch
|
||||||
|
Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch
|
||||||
|
|
||||||
# UDEV PATCHES
|
# UDEV PATCHES
|
||||||
# ============
|
# ============
|
||||||
@ -611,6 +614,9 @@ cp %{SOURCE7} m4/
|
|||||||
%patch529 -p1
|
%patch529 -p1
|
||||||
%patch530 -p1
|
%patch530 -p1
|
||||||
%patch531 -p1
|
%patch531 -p1
|
||||||
|
%patch532 -p1
|
||||||
|
%patch533 -p1
|
||||||
|
%patch534 -p1
|
||||||
|
|
||||||
# udev patches
|
# udev patches
|
||||||
%patch1002 -p1
|
%patch1002 -p1
|
||||||
|
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 26 09:09:27 UTC 2016 - fbui@suse.com
|
||||||
|
|
||||||
|
- Added patches to fix journal with FSS protection enabled (bsc#1000435)
|
||||||
|
|
||||||
|
0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch
|
||||||
|
0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch
|
||||||
|
0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com
|
Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com
|
||||||
|
|
||||||
|
@ -260,6 +260,9 @@ Patch529: 0001-systemctl-pid1-do-not-warn-about-missing-install-inf.patch
|
|||||||
Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch
|
Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch
|
||||||
# PATCH-FIX-UPSTREAM -- fixed after 231
|
# PATCH-FIX-UPSTREAM -- fixed after 231
|
||||||
Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch
|
Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch
|
||||||
|
Patch532: 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch
|
||||||
|
Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch
|
||||||
|
Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch
|
||||||
|
|
||||||
# UDEV PATCHES
|
# UDEV PATCHES
|
||||||
# ============
|
# ============
|
||||||
@ -606,6 +609,9 @@ cp %{SOURCE7} m4/
|
|||||||
%patch529 -p1
|
%patch529 -p1
|
||||||
%patch530 -p1
|
%patch530 -p1
|
||||||
%patch531 -p1
|
%patch531 -p1
|
||||||
|
%patch532 -p1
|
||||||
|
%patch533 -p1
|
||||||
|
%patch534 -p1
|
||||||
|
|
||||||
# udev patches
|
# udev patches
|
||||||
%patch1002 -p1
|
%patch1002 -p1
|
||||||
|