Accepting request 1164306 from Base:System

- Move systemd-repart from experimental to udev.

- Add 0001-Drop-support-for-efivar-SystemdOptions.patch (bsc#1220338)
  Upstream deprecated it and plan to drop it in the future.
  Let's get ahead and drop it now as this feature is unlikely to be used on SUSE
  distros and it might be used to gain access to encrypted SLEM systems with
  unattended disk unlock and with secure boot disabled.

- The following patches have been merged into SUSE/v255 branch hence removed
  from the OBS project.
  5006-cgroup-Add-EffectiveMemoryMax-EffectiveMemoryHigh-an.patch
  5007-test-Convert-rlimit-test-to-subtest-of-generic-limit.patch
  5008-test-Add-effective-cgroup-limits-testing.patch
  5009-cgroup-Restrict-effective-limits-with-global-resourc.patch
  5010-cgroup-Rename-effective-limits-internal-table.patch
- Import commit 56b53b17bcd8311dfb53f05b359b2812593883ab
  56b53b17bc cgroup: Rename effective limits internal table (jsc#PED-5659)
  7c9202317c cgroup: Restrict effective limits with global resource provision (jsc#PED-5659)
  da858e68eb test: Add effective cgroup limits testing (jsc#PED-5659)
  2f013357a5 test: Convert rlimit test to subtest of generic limit testing (jsc#PED-5659)
  0a3ea7f367 cgroup: Add EffectiveMemoryMax=, EffectiveMemoryHigh= and EffectiveTasksMax= properties (jsc#PED-5659)

- Drop split_usr build conditional since both split-usr and unmerged-usr
  supports have been removed since v255.
- Don't use the "Patch:" directive with a suffix number as since the suffix
  doesn't serve any purpose.

OBS-URL: https://build.opensuse.org/request/show/1164306
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=419
This commit is contained in:
Ana Guerrero 2024-04-04 20:24:04 +00:00 committed by Git OBS Bridge
commit bc7435dd98
13 changed files with 171 additions and 1077 deletions

View File

@ -0,0 +1,80 @@
From 72d766c5a17fc31902b367e949c4d90193f823b9 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Fri, 22 Mar 2024 12:07:34 +0100
Subject: [PATCH 1/1] Drop support for efivar SystemdOptions
Upstream deprecated it and plan to drop it in the future.
Let's get ahead and drop it now as this feature might be used to gain access to
encrypted SLEM systems with unattended disk unlock and with secure boot
disabled.
[fbui: fixes bsc#1220338]
---
src/basic/efivars.c | 27 ++++++--------------------
src/boot/bootctl-systemd-efi-options.c | 4 ++++
2 files changed, 10 insertions(+), 21 deletions(-)
diff --git a/src/basic/efivars.c b/src/basic/efivars.c
index 9011ae29a3..01ab7e5092 100644
--- a/src/basic/efivars.c
+++ b/src/basic/efivars.c
@@ -351,29 +351,14 @@ SecureBootMode efi_get_secure_boot_mode(void) {
}
static int read_efi_options_variable(char **ret) {
- int r;
- /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
- * like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification)
- * The user's intention is then that the cmdline should not be modified. You want to make sure that
- * the system starts up as exactly specified in the signed artifact.
- *
- * (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this
- * cache, even when in SecureBoot mode.) */
- if (is_efi_secure_boot()) {
- /* Let's be helpful with the returned error and check if the variable exists at all. If it
- * does, let's return a recognizable error (EPERM), and if not ENODATA. */
-
- if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
- return errno == ENOENT ? -ENODATA : -errno;
-
- return -EPERM;
- }
+ /* For SUSE distros, support for SystemdOptions has already been dropped as it might be a security
+ * concern for systems with unattended disk unlock and with disabled secure boot. */
- r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(SystemdOptions), ret);
- if (r == -ENOENT)
- return -ENODATA;
- return r;
+ if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
+ return errno == ENOENT ? -ENODATA : -errno;
+
+ return log_warning_errno(SYNTHETIC_ERRNO(EPERM), "Boot options passed via SystemdOptions EFI variable is no more supported, ignoring: %m");
}
int cache_efi_options_variable(void) {
diff --git a/src/boot/bootctl-systemd-efi-options.c b/src/boot/bootctl-systemd-efi-options.c
index 7f8308fc3d..216b99546f 100644
--- a/src/boot/bootctl-systemd-efi-options.c
+++ b/src/boot/bootctl-systemd-efi-options.c
@@ -6,6 +6,7 @@
#include "efi-loader.h"
int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
+#if 0
int r;
/* This is obsolete and subject to removal */
@@ -40,4 +41,7 @@ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
}
return 0;
+#else
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for the SystemdOptions EFI variable has been dropped.");
+#endif
}
--
2.35.3

View File

@ -1,668 +0,0 @@
From 840527985f03a4327fc0fe78e45d889742601698 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
Date: Fri, 11 Aug 2023 13:51:20 +0200
Subject: [PATCH 5006/5010] cgroup: Add EffectiveMemoryMax=,
EffectiveMemoryHigh= and EffectiveTasksMax= properties
Users become perplexed when they run their workload in a unit with no
explicit limits configured (moreover, listing the limit property would
even show it's infinity) but they experience unexpected resource
limitation.
The memory and pid limits come as the most visible, therefore add new
unit read-only properties:
- EffectiveMemoryMax=,
- EffectiveMemoryHigh=,
- EffectiveTasksMax=.
These properties represent the most stringent limit systemd is aware of
for the given unit -- and that is typically(*) the effective value.
Implement the properties by simply traversing all parents in the
leaf-slice tree and picking the minimum value. Note that effective
limits are thus defined even for units that don't enable explicit
accounting (because of the hierarchy).
(*) The evasive case is when systemd runs in a cgroupns and cannot
reason about outer setup. Complete solution would need kernel support.
(cherry picked from commit 4fb0d2dc140c9a2c01c236d2a8dc09a44157e896)
[mkoutny: fixes jsc#PED-5659]
---
man/org.freedesktop.systemd1.xml | 126 ++++++++++++++++++++++++++++++
man/systemd.resource-control.xml | 11 ++-
src/core/cgroup.c | 48 ++++++++++++
src/core/cgroup.h | 13 +++
src/core/dbus-unit.c | 25 ++++++
src/shared/bus-print-properties.c | 6 +-
6 files changed, 224 insertions(+), 5 deletions(-)
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index a1bcbba02f..59733c0039 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -2786,6 +2786,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t MemoryAvailable = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryHigh = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t CPUUsageNSec = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly ay EffectiveCPUs = [...];
@@ -2794,6 +2798,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t TasksCurrent = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveTasksMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressBytes = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressPackets = ...;
@@ -3419,6 +3425,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property MemoryZSwapCurrent is not documented!-->
+ <!--property EffectiveMemoryMax is not documented!-->
+
+ <!--property EffectiveMemoryHigh is not documented!-->
+
<!--property CPUUsageNSec is not documented!-->
<!--property EffectiveCPUs is not documented!-->
@@ -3427,6 +3437,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property TasksCurrent is not documented!-->
+ <!--property EffectiveTasksMax is not documented!-->
+
<!--property IPIngressBytes is not documented!-->
<!--property IPIngressPackets is not documented!-->
@@ -4061,6 +4073,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="MemoryAvailable"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryMax"/>
+
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryHigh"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="CPUUsageNSec"/>
<variablelist class="dbus-property" generated="True" extra-ref="EffectiveCPUs"/>
@@ -4069,6 +4085,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="TasksCurrent"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveTasksMax"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressBytes"/>
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressPackets"/>
@@ -4865,6 +4883,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t MemoryAvailable = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryHigh = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t CPUUsageNSec = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly ay EffectiveCPUs = [...];
@@ -4873,6 +4895,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t TasksCurrent = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveTasksMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressBytes = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressPackets = ...;
@@ -5508,6 +5532,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property MemoryZSwapCurrent is not documented!-->
+ <!--property EffectiveMemoryMax is not documented!-->
+
+ <!--property EffectiveMemoryHigh is not documented!-->
+
<!--property CPUUsageNSec is not documented!-->
<!--property EffectiveCPUs is not documented!-->
@@ -5516,6 +5544,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property TasksCurrent is not documented!-->
+ <!--property EffectiveTasksMax is not documented!-->
+
<!--property IPIngressBytes is not documented!-->
<!--property IPIngressPackets is not documented!-->
@@ -6132,6 +6162,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="MemoryAvailable"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryMax"/>
+
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryHigh"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="CPUUsageNSec"/>
<variablelist class="dbus-property" generated="True" extra-ref="EffectiveCPUs"/>
@@ -6140,6 +6174,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="TasksCurrent"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveTasksMax"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressBytes"/>
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressPackets"/>
@@ -6810,6 +6846,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t MemoryAvailable = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryHigh = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t CPUUsageNSec = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly ay EffectiveCPUs = [...];
@@ -6818,6 +6858,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t TasksCurrent = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveTasksMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressBytes = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressPackets = ...;
@@ -7381,6 +7423,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property MemoryZSwapCurrent is not documented!-->
+ <!--property EffectiveMemoryMax is not documented!-->
+
+ <!--property EffectiveMemoryHigh is not documented!-->
+
<!--property CPUUsageNSec is not documented!-->
<!--property EffectiveCPUs is not documented!-->
@@ -7389,6 +7435,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property TasksCurrent is not documented!-->
+ <!--property EffectiveTasksMax is not documented!-->
+
<!--property IPIngressBytes is not documented!-->
<!--property IPIngressPackets is not documented!-->
@@ -7919,6 +7967,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="MemoryAvailable"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryMax"/>
+
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryHigh"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="CPUUsageNSec"/>
<variablelist class="dbus-property" generated="True" extra-ref="EffectiveCPUs"/>
@@ -7927,6 +7979,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="TasksCurrent"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveTasksMax"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressBytes"/>
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressPackets"/>
@@ -8720,6 +8774,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t MemoryAvailable = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryHigh = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t CPUUsageNSec = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly ay EffectiveCPUs = [...];
@@ -8728,6 +8786,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t TasksCurrent = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveTasksMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressBytes = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressPackets = ...;
@@ -9277,6 +9337,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property MemoryZSwapCurrent is not documented!-->
+ <!--property EffectiveMemoryMax is not documented!-->
+
+ <!--property EffectiveMemoryHigh is not documented!-->
+
<!--property CPUUsageNSec is not documented!-->
<!--property EffectiveCPUs is not documented!-->
@@ -9285,6 +9349,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property TasksCurrent is not documented!-->
+ <!--property EffectiveTasksMax is not documented!-->
+
<!--property IPIngressBytes is not documented!-->
<!--property IPIngressPackets is not documented!-->
@@ -9801,6 +9867,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="MemoryAvailable"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryMax"/>
+
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryHigh"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="CPUUsageNSec"/>
<variablelist class="dbus-property" generated="True" extra-ref="EffectiveCPUs"/>
@@ -9809,6 +9879,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="TasksCurrent"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveTasksMax"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressBytes"/>
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressPackets"/>
@@ -10461,6 +10533,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t MemoryAvailable = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryHigh = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t CPUUsageNSec = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly ay EffectiveCPUs = [...];
@@ -10469,6 +10545,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t TasksCurrent = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveTasksMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressBytes = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressPackets = ...;
@@ -10644,6 +10722,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<!--property MemoryZSwapCurrent is not documented!-->
+ <!--property EffectiveMemoryMax is not documented!-->
+
+ <!--property EffectiveMemoryHigh is not documented!-->
+
<!--property CPUUsageNSec is not documented!-->
<!--property EffectiveCPUs is not documented!-->
@@ -10652,6 +10734,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<!--property TasksCurrent is not documented!-->
+ <!--property EffectiveTasksMax is not documented!-->
+
<!--property IPIngressBytes is not documented!-->
<!--property IPIngressPackets is not documented!-->
@@ -10832,6 +10916,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<variablelist class="dbus-property" generated="True" extra-ref="MemoryAvailable"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryMax"/>
+
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryHigh"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="CPUUsageNSec"/>
<variablelist class="dbus-property" generated="True" extra-ref="EffectiveCPUs"/>
@@ -10840,6 +10928,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<variablelist class="dbus-property" generated="True" extra-ref="TasksCurrent"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveTasksMax"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressBytes"/>
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressPackets"/>
@@ -11046,6 +11136,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t MemoryAvailable = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveMemoryHigh = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t CPUUsageNSec = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly ay EffectiveCPUs = [...];
@@ -11054,6 +11148,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t TasksCurrent = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+ readonly t EffectiveTasksMax = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressBytes = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly t IPIngressPackets = ...;
@@ -11249,6 +11345,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<!--property MemoryZSwapCurrent is not documented!-->
+ <!--property EffectiveMemoryMax is not documented!-->
+
+ <!--property EffectiveMemoryHigh is not documented!-->
+
<!--property CPUUsageNSec is not documented!-->
<!--property EffectiveCPUs is not documented!-->
@@ -11257,6 +11357,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<!--property TasksCurrent is not documented!-->
+ <!--property EffectiveTasksMax is not documented!-->
+
<!--property IPIngressBytes is not documented!-->
<!--property IPIngressPackets is not documented!-->
@@ -11467,6 +11569,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<variablelist class="dbus-property" generated="True" extra-ref="MemoryAvailable"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryMax"/>
+
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveMemoryHigh"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="CPUUsageNSec"/>
<variablelist class="dbus-property" generated="True" extra-ref="EffectiveCPUs"/>
@@ -11475,6 +11581,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<variablelist class="dbus-property" generated="True" extra-ref="TasksCurrent"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="EffectiveTasksMax"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressBytes"/>
<variablelist class="dbus-property" generated="True" extra-ref="IPIngressPackets"/>
@@ -11866,6 +11974,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemorySwapCurrent</varname>,
<varname>MemorySwapPeak</varname>, and
<varname>MemoryZSwapCurrent</varname> were added in version 255.</para>
+ <para><varname>EffectiveMemoryHigh</varname>,
+ <varname>EffectiveMemoryMax</varname>,
+ <varname>EffectiveTasksMax</varname> were added in version 256.</para>
</refsect2>
<refsect2>
<title>Socket Unit Objects</title>
@@ -11897,6 +12008,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemorySwapCurrent</varname>,
<varname>MemorySwapPeak</varname>, and
<varname>MemoryZSwapCurrent</varname> were added in version 255.</para>
+ <para><varname>EffectiveMemoryHigh</varname>,
+ <varname>EffectiveMemoryMax</varname>,
+ <varname>EffectiveTasksMax</varname> were added in version 256.</para>
</refsect2>
<refsect2>
<title>Mount Unit Objects</title>
@@ -11926,6 +12040,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemorySwapCurrent</varname>,
<varname>MemorySwapPeak</varname>, and
<varname>MemoryZSwapCurrent</varname> were added in version 255.</para>
+ <para><varname>EffectiveMemoryHigh</varname>,
+ <varname>EffectiveMemoryMax</varname>,
+ <varname>EffectiveTasksMax</varname> were added in version 256.</para>
</refsect2>
<refsect2>
<title>Swap Unit Objects</title>
@@ -11955,6 +12072,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemorySwapCurrent</varname>,
<varname>MemorySwapPeak</varname>, and
<varname>MemoryZSwapCurrent</varname> were added in version 255.</para>
+ <para><varname>EffectiveMemoryHigh</varname>,
+ <varname>EffectiveMemoryMax</varname>,
+ <varname>EffectiveTasksMax</varname> were added in version 256.</para>
</refsect2>
<refsect2>
<title>Slice Unit Objects</title>
@@ -11975,6 +12095,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemorySwapCurrent</varname>,
<varname>MemorySwapPeak</varname>, and
<varname>MemoryZSwapCurrent</varname> were added in version 255.</para>
+ <para><varname>EffectiveMemoryHigh</varname>,
+ <varname>EffectiveMemoryMax</varname>,
+ <varname>EffectiveTasksMax</varname> were added in version 256.</para>
</refsect2>
<refsect2>
<title>Scope Unit Objects</title>
@@ -11996,6 +12119,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemorySwapCurrent</varname>,
<varname>MemorySwapPeak</varname>, and
<varname>MemoryZSwapCurrent</varname> were added in version 255.</para>
+ <para><varname>EffectiveMemoryHigh</varname>,
+ <varname>EffectiveMemoryMax</varname>,
+ <varname>EffectiveTasksMax</varname> were added in version 256.</para>
</refsect2>
<refsect2>
<title>Job Objects</title>
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 42f265c950..bd8b6a5719 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -406,7 +406,9 @@ CPUWeight=20 DisableControllers=cpu / \
system. If assigned the
special value <literal>infinity</literal>, no memory throttling is applied. This controls the
<literal>memory.high</literal> control group attribute. For details about this control group attribute, see
- <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html#memory-interface-files">Memory Interface Files</ulink>.</para>
+ <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html#memory-interface-files">Memory Interface Files</ulink>.
+ The effective configuration is reported as <varname>EffectiveMemoryHigh=</varname>
+ (see also <varname>EffectiveMemoryMax=</varname>).</para>
<para>While <varname>StartupMemoryHigh=</varname> applies to the startup and shutdown phases of the system,
<varname>MemoryHigh=</varname> applies to normal runtime of the system, and if the former is not set also to
@@ -434,7 +436,9 @@ CPUWeight=20 DisableControllers=cpu / \
percentage value may be specified, which is taken relative to the installed physical memory on the system. If
assigned the special value <literal>infinity</literal>, no memory limit is applied. This controls the
<literal>memory.max</literal> control group attribute. For details about this control group attribute, see
- <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html#memory-interface-files">Memory Interface Files</ulink>.</para>
+ <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html#memory-interface-files">Memory Interface Files</ulink>.
+ The effective configuration is reported as <varname>EffectiveMemoryMax=</varname> (the value is
+ the most stringent limit of the unit and parent slices).</para>
<para>While <varname>StartupMemoryMax=</varname> applies to the startup and shutdown phases of the system,
<varname>MemoryMax=</varname> applies to normal runtime of the system, and if the former is not set also to
@@ -560,7 +564,8 @@ CPUWeight=20 DisableControllers=cpu / \
limit is applied. This controls the <literal>pids.max</literal> control group attribute. For
details about this control group attribute, the
<ulink url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html#pid">pids controller
- </ulink>.</para>
+ </ulink>.
+ The effective configuration is reported as <varname>EffectiveTasksMax=</varname>.</para>
<para>The system default for this setting may be controlled with
<varname>DefaultTasksMax=</varname> in
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 61ac4df1a6..78ca67216a 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -4243,6 +4243,46 @@ int unit_get_ip_accounting(
return r;
}
+static uint64_t unit_get_effective_limit_one(Unit *u, CGroupLimitType type) {
+ CGroupContext *cc;
+
+ assert(u);
+ assert(UNIT_HAS_CGROUP_CONTEXT(u));
+
+ cc = unit_get_cgroup_context(u);
+ switch (type) {
+ /* Note: on legacy/hybrid hierarchies memory_max stays CGROUP_LIMIT_MAX unless configured
+ * explicitly. Effective value of MemoryLimit= (cgroup v1) is not implemented. */
+ case CGROUP_LIMIT_MEMORY_MAX:
+ return cc->memory_max;
+ case CGROUP_LIMIT_MEMORY_HIGH:
+ return cc->memory_high;
+ case CGROUP_LIMIT_TASKS_MAX:
+ return cgroup_tasks_max_resolve(&cc->tasks_max);
+ default:
+ assert_not_reached();
+ }
+}
+
+int unit_get_effective_limit(Unit *u, CGroupLimitType type, uint64_t *ret) {
+ uint64_t infimum;
+
+ assert(u);
+ assert(ret);
+ assert(type >= 0);
+ assert(type < _CGROUP_LIMIT_TYPE_MAX);
+
+ if (!UNIT_HAS_CGROUP_CONTEXT(u))
+ return -EINVAL;
+
+ infimum = unit_get_effective_limit_one(u, type);
+ for (Unit *slice = UNIT_GET_SLICE(u); slice; slice = UNIT_GET_SLICE(slice))
+ infimum = MIN(infimum, unit_get_effective_limit_one(slice, type));
+
+ *ret = infimum;
+ return 0;
+}
+
static int unit_get_io_accounting_raw(Unit *u, uint64_t ret[static _CGROUP_IO_ACCOUNTING_METRIC_MAX]) {
static const char *const field_names[_CGROUP_IO_ACCOUNTING_METRIC_MAX] = {
[CGROUP_IO_READ_BYTES] = "rbytes=",
@@ -4663,3 +4703,11 @@ static const char* const cgroup_memory_accounting_metric_table[_CGROUP_MEMORY_AC
};
DEFINE_STRING_TABLE_LOOKUP(cgroup_memory_accounting_metric, CGroupMemoryAccountingMetric);
+
+static const char *const cgroup_limit_type_table[_CGROUP_LIMIT_TYPE_MAX] = {
+ [CGROUP_LIMIT_MEMORY_MAX] = "EffectiveMemoryMax",
+ [CGROUP_LIMIT_MEMORY_HIGH] = "EffectiveMemoryHigh",
+ [CGROUP_LIMIT_TASKS_MAX] = "EffectiveTasksMax",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(cgroup_limit_type, CGroupLimitType);
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index f1b674b4b7..54bce91ea1 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -276,6 +276,15 @@ typedef enum CGroupMemoryAccountingMetric {
_CGROUP_MEMORY_ACCOUNTING_METRIC_INVALID = -EINVAL,
} CGroupMemoryAccountingMetric;
+/* Used for limits whose value sets have infimum */
+typedef enum CGroupLimitType {
+ CGROUP_LIMIT_MEMORY_MAX,
+ CGROUP_LIMIT_MEMORY_HIGH,
+ CGROUP_LIMIT_TASKS_MAX,
+ _CGROUP_LIMIT_TYPE_MAX,
+ _CGROUP_LIMIT_INVALID = -EINVAL,
+} CGroupLimitType;
+
typedef struct Unit Unit;
typedef struct Manager Manager;
typedef enum ManagerState ManagerState;
@@ -374,6 +383,7 @@ int unit_get_tasks_current(Unit *u, uint64_t *ret);
int unit_get_cpu_usage(Unit *u, nsec_t *ret);
int unit_get_io_accounting(Unit *u, CGroupIOAccountingMetric metric, bool allow_cache, uint64_t *ret);
int unit_get_ip_accounting(Unit *u, CGroupIPAccountingMetric metric, uint64_t *ret);
+int unit_get_effective_limit(Unit *u, CGroupLimitType type, uint64_t *ret);
int unit_reset_cpu_accounting(Unit *u);
void unit_reset_memory_accounting_last(Unit *u);
@@ -425,5 +435,8 @@ CGroupIPAccountingMetric cgroup_ip_accounting_metric_from_string(const char *s)
const char* cgroup_io_accounting_metric_to_string(CGroupIOAccountingMetric m) _const_;
CGroupIOAccountingMetric cgroup_io_accounting_metric_from_string(const char *s) _pure_;
+const char* cgroup_limit_type_to_string(CGroupLimitType m) _const_;
+CGroupLimitType cgroup_limit_type_from_string(const char *s) _pure_;
+
const char* cgroup_memory_accounting_metric_to_string(CGroupMemoryAccountingMetric m) _const_;
CGroupMemoryAccountingMetric cgroup_memory_accounting_metric_from_string(const char *s) _pure_;
diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index 1a037b7035..ac6add4700 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -1441,6 +1441,28 @@ static int property_get_io_counter(
return sd_bus_message_append(reply, "t", value);
}
+static int property_get_effective_limit(
+ sd_bus *bus,
+ const char *path,
+ const char *interface,
+ const char *property,
+ sd_bus_message *reply,
+ void *userdata,
+ sd_bus_error *error) {
+
+ uint64_t value = CGROUP_LIMIT_MAX;
+ Unit *u = ASSERT_PTR(userdata);
+ ssize_t type;
+
+ assert(bus);
+ assert(reply);
+ assert(property);
+
+ assert_se((type = cgroup_limit_type_from_string(property)) >= 0);
+ (void) unit_get_effective_limit(u, type, &value);
+ return sd_bus_message_append(reply, "t", value);
+}
+
int bus_unit_method_attach_processes(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
_cleanup_set_free_ Set *pids = NULL;
@@ -1562,10 +1584,13 @@ const sd_bus_vtable bus_unit_cgroup_vtable[] = {
SD_BUS_PROPERTY("MemorySwapPeak", "t", property_get_memory_accounting, 0, 0),
SD_BUS_PROPERTY("MemoryZSwapCurrent", "t", property_get_memory_accounting, 0, 0),
SD_BUS_PROPERTY("MemoryAvailable", "t", property_get_available_memory, 0, 0),
+ SD_BUS_PROPERTY("EffectiveMemoryMax", "t", property_get_effective_limit, 0, 0),
+ SD_BUS_PROPERTY("EffectiveMemoryHigh", "t", property_get_effective_limit, 0, 0),
SD_BUS_PROPERTY("CPUUsageNSec", "t", property_get_cpu_usage, 0, 0),
SD_BUS_PROPERTY("EffectiveCPUs", "ay", property_get_cpuset_cpus, 0, 0),
SD_BUS_PROPERTY("EffectiveMemoryNodes", "ay", property_get_cpuset_mems, 0, 0),
SD_BUS_PROPERTY("TasksCurrent", "t", property_get_current_tasks, 0, 0),
+ SD_BUS_PROPERTY("EffectiveTasksMax", "t", property_get_effective_limit, 0, 0),
SD_BUS_PROPERTY("IPIngressBytes", "t", property_get_ip_counter, 0, 0),
SD_BUS_PROPERTY("IPIngressPackets", "t", property_get_ip_counter, 0, 0),
SD_BUS_PROPERTY("IPEgressBytes", "t", property_get_ip_counter, 0, 0),
diff --git a/src/shared/bus-print-properties.c b/src/shared/bus-print-properties.c
index 6704e1ef3d..99b1cc7c70 100644
--- a/src/shared/bus-print-properties.c
+++ b/src/shared/bus-print-properties.c
@@ -164,9 +164,11 @@ static int bus_print_property(const char *name, const char *expected_value, sd_b
bus_print_property_value(name, expected_value, flags, "[not set]");
- else if ((ENDSWITH_SET(name, "MemoryLow", "MemoryMin", "MemoryHigh", "MemoryMax", "MemorySwapMax", "MemoryZSwapMax", "MemoryLimit") &&
+ else if ((ENDSWITH_SET(name, "MemoryLow", "MemoryMin",
+ "MemoryHigh", "MemoryMax",
+ "MemorySwapMax", "MemoryZSwapMax", "MemoryLimit") &&
u == CGROUP_LIMIT_MAX) ||
- (STR_IN_SET(name, "TasksMax", "DefaultTasksMax") && u == UINT64_MAX) ||
+ (endswith(name, "TasksMax") && u == UINT64_MAX) ||
(startswith(name, "Limit") && u == UINT64_MAX) ||
(startswith(name, "DefaultLimit") && u == UINT64_MAX))
--
2.35.3

View File

@ -1,97 +0,0 @@
From 207784eeaab0c274dc087056f20523d7c10939fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
Date: Wed, 9 Aug 2023 22:42:36 +0200
Subject: [PATCH 5007/5010] test: Convert rlimit test to subtest of generic
limit testing
No functional change intended. Preparation for new tests.
(cherry picked from commit 834ca54624ae1d61ec4fcf3a63b10271c38c4860)
[mkoutny: fixes jsc#PED-5659]
---
test/units/testsuite-05.rlimit.sh | 25 +++++++++++++++++++++++++
test/units/testsuite-05.service | 2 +-
test/units/testsuite-05.sh | 22 +++-------------------
3 files changed, 29 insertions(+), 20 deletions(-)
create mode 100755 test/units/testsuite-05.rlimit.sh
diff --git a/test/units/testsuite-05.rlimit.sh b/test/units/testsuite-05.rlimit.sh
new file mode 100755
index 0000000000..bbf3adbe65
--- /dev/null
+++ b/test/units/testsuite-05.rlimit.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+P=/run/systemd/system.conf.d
+mkdir $P
+
+cat >$P/rlimits.conf <<EOF
+[Manager]
+DefaultLimitNOFILE=10000:16384
+EOF
+
+systemctl daemon-reload
+
+[[ "$(systemctl show -P DefaultLimitNOFILESoft)" = "10000" ]]
+[[ "$(systemctl show -P DefaultLimitNOFILE)" = "16384" ]]
+
+[[ "$(systemctl show -P LimitNOFILESoft testsuite-05.service)" = "10000" ]]
+[[ "$(systemctl show -P LimitNOFILE testsuite-05.service)" = "16384" ]]
+
+# shellcheck disable=SC2016
+systemd-run --wait -t bash -c '[[ "$(ulimit -n -S)" = "10000" ]]'
+# shellcheck disable=SC2016
+systemd-run --wait -t bash -c '[[ "$(ulimit -n -H)" = "16384" ]]'
diff --git a/test/units/testsuite-05.service b/test/units/testsuite-05.service
index ab72d8fe27..cf32accb8c 100644
--- a/test/units/testsuite-05.service
+++ b/test/units/testsuite-05.service
@@ -1,6 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Unit]
-Description=TEST-05-RLIMITS
+Description=TEST-05-LIMITS
[Service]
ExecStartPre=rm -f /failed /testok
diff --git a/test/units/testsuite-05.sh b/test/units/testsuite-05.sh
index 870845d14b..9c2a033aa9 100755
--- a/test/units/testsuite-05.sh
+++ b/test/units/testsuite-05.sh
@@ -3,25 +3,9 @@
set -eux
set -o pipefail
-P=/run/systemd/system.conf.d
-mkdir $P
+# shellcheck source=test/units/test-control.sh
+. "$(dirname "$0")"/test-control.sh
-cat >$P/rlimits.conf <<EOF
-[Manager]
-DefaultLimitNOFILE=10000:16384
-EOF
-
-systemctl daemon-reload
-
-[[ "$(systemctl show -P DefaultLimitNOFILESoft)" = "10000" ]]
-[[ "$(systemctl show -P DefaultLimitNOFILE)" = "16384" ]]
-
-[[ "$(systemctl show -P LimitNOFILESoft testsuite-05.service)" = "10000" ]]
-[[ "$(systemctl show -P LimitNOFILE testsuite-05.service)" = "16384" ]]
-
-# shellcheck disable=SC2016
-systemd-run --wait -t bash -c '[[ "$(ulimit -n -S)" = "10000" ]]'
-# shellcheck disable=SC2016
-systemd-run --wait -t bash -c '[[ "$(ulimit -n -H)" = "16384" ]]'
+run_subtests
touch /testok
--
2.35.3

View File

@ -1,111 +0,0 @@
From 10d8f042c0bf685d41b95d7151214999a8ff68c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
Date: Wed, 9 Aug 2023 22:43:31 +0200
Subject: [PATCH 5008/5010] test: Add effective cgroup limits testing
(cherry picked from commit ce35bb95c7b6fe9a48d2b8628bd690279b17fffa)
[mkoutny: fixes jsc#PED-5659]
---
test/units/testsuite-05.effective-limit.sh | 68 ++++++++++++++++++++++
test/units/util.sh | 9 +++
2 files changed, 77 insertions(+)
create mode 100755 test/units/testsuite-05.effective-limit.sh
diff --git a/test/units/testsuite-05.effective-limit.sh b/test/units/testsuite-05.effective-limit.sh
new file mode 100755
index 0000000000..3ff8e83140
--- /dev/null
+++ b/test/units/testsuite-05.effective-limit.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+pre=test05
+cat >/run/systemd/system/"$pre"alpha.slice <<EOF
+[Slice]
+MemoryMax=40M
+MemoryHigh=40M
+TasksMax=400
+EOF
+
+cat >/run/systemd/system/"$pre"alpha-beta.slice <<EOF
+[Slice]
+MemoryMax=10M
+MemoryHigh=10M
+TasksMax=100
+EOF
+
+cat >/run/systemd/system/"$pre"alpha-beta-gamma.slice <<EOF
+[Slice]
+MemoryMax=20M
+MemoryHigh=20M
+TasksMax=200
+EOF
+
+systemctl daemon-reload
+
+srv=probe.service
+slc0="$pre"alpha.slice
+slc="$pre"alpha-beta-gamma.slice
+
+systemd-run --unit "$srv" --slice "$slc" \
+ -p MemoryMax=5M \
+ -p MemoryHigh=5M \
+ -p TasksMax=50 \
+ sleep inf
+
+# Compare with inequality because test can run in a constrained container
+assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "5242880"
+assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "5242880"
+assert_le "$(systemctl show -P EffectiveTasksMax "$srv")" "50"
+
+systemctl stop "$srv"
+
+systemd-run --unit "$srv" --slice "$slc" \
+ sleep inf
+
+assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "10485760"
+assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "10485760"
+assert_le "$(systemctl show -P EffectiveTasksMax "$srv")" "100"
+
+systemctl set-property "$slc0" \
+ MemoryMax=5M \
+ MemoryHigh=5M \
+ TasksMax=50
+
+assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "5242880"
+assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "5242880"
+assert_le "$(systemctl show -P EffectiveTasksMax "$srv")" "50"
+
+systemctl stop "$srv"
+
+rm -f /run/systemd/system/"$pre"* || :
diff --git a/test/units/util.sh b/test/units/util.sh
index b5ed73237c..567cda2845 100755
--- a/test/units/util.sh
+++ b/test/units/util.sh
@@ -28,6 +28,15 @@ assert_eq() {(
fi
)}
+assert_le() {(
+ set +ex
+
+ if [[ "${1:?}" -gt "${2:?}" ]]; then
+ echo "FAIL: '$1' > '$2'" >&2
+ exit 1
+ fi
+)}
+
assert_in() {(
set +ex
--
2.35.3

View File

@ -1,56 +0,0 @@
From 355275a7708d09f7be27ea239478cb3c6defbb9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
Date: Mon, 14 Aug 2023 19:59:57 +0200
Subject: [PATCH 5009/5010] cgroup: Restrict effective limits with global
resource provision
Global resource (whole system or root cg's (e.g. in a container)) is
also a well-defined limit for memory and tasks, take it into account
when calculating effective limits.
(cherry picked from commit 93f8e88d23bd383b5134f32c1e2ee315ac3a38c8)
[mkoutny: fixes jsc#PED-5659]
---
man/systemd.resource-control.xml | 2 +-
src/core/cgroup.c | 11 +++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index bd8b6a5719..c2aa5b57e8 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -438,7 +438,7 @@ CPUWeight=20 DisableControllers=cpu / \
<literal>memory.max</literal> control group attribute. For details about this control group attribute, see
<ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html#memory-interface-files">Memory Interface Files</ulink>.
The effective configuration is reported as <varname>EffectiveMemoryMax=</varname> (the value is
- the most stringent limit of the unit and parent slices).</para>
+ the most stringent limit of the unit and parent slices and it is capped by physical memory).</para>
<para>While <varname>StartupMemoryMax=</varname> applies to the startup and shutdown phases of the system,
<varname>MemoryMax=</varname> applies to normal runtime of the system, and if the former is not set also to
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 78ca67216a..285fa200d6 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -4249,6 +4249,17 @@ static uint64_t unit_get_effective_limit_one(Unit *u, CGroupLimitType type) {
assert(u);
assert(UNIT_HAS_CGROUP_CONTEXT(u));
+ if (unit_has_name(u, SPECIAL_ROOT_SLICE))
+ switch (type) {
+ case CGROUP_LIMIT_MEMORY_MAX:
+ case CGROUP_LIMIT_MEMORY_HIGH:
+ return physical_memory();
+ case CGROUP_LIMIT_TASKS_MAX:
+ return system_tasks_max();
+ default:
+ assert_not_reached();
+ }
+
cc = unit_get_cgroup_context(u);
switch (type) {
/* Note: on legacy/hybrid hierarchies memory_max stays CGROUP_LIMIT_MAX unless configured
--
2.35.3

View File

@ -1,66 +0,0 @@
From ae7d09f074e554a241ba66a2dee2a0cb4b3a0162 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
Date: Mon, 22 Jan 2024 16:58:18 +0100
Subject: [PATCH 5010/5010] cgroup: Rename effective limits internal table
Post-merge fixup of commit 4fb0d2dc14 ("cgroup: Add EffectiveMemoryMax=,
EffectiveMemoryHigh= and EffectiveTasksMax= properties"), no functional
change intended.
(cherry picked from commit 8ad614890bba66b5f6b590d6a3e1b8b04a920126)
[mkoutny: fixes jsc#PED-5659]
---
src/core/cgroup.c | 4 ++--
src/core/cgroup.h | 4 ++--
src/core/dbus-unit.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 285fa200d6..0c30aefe80 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -4715,10 +4715,10 @@ static const char* const cgroup_memory_accounting_metric_table[_CGROUP_MEMORY_AC
DEFINE_STRING_TABLE_LOOKUP(cgroup_memory_accounting_metric, CGroupMemoryAccountingMetric);
-static const char *const cgroup_limit_type_table[_CGROUP_LIMIT_TYPE_MAX] = {
+static const char *const cgroup_effective_limit_type_table[_CGROUP_LIMIT_TYPE_MAX] = {
[CGROUP_LIMIT_MEMORY_MAX] = "EffectiveMemoryMax",
[CGROUP_LIMIT_MEMORY_HIGH] = "EffectiveMemoryHigh",
[CGROUP_LIMIT_TASKS_MAX] = "EffectiveTasksMax",
};
-DEFINE_STRING_TABLE_LOOKUP(cgroup_limit_type, CGroupLimitType);
+DEFINE_STRING_TABLE_LOOKUP(cgroup_effective_limit_type, CGroupLimitType);
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index 54bce91ea1..6e3d05b7d2 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -435,8 +435,8 @@ CGroupIPAccountingMetric cgroup_ip_accounting_metric_from_string(const char *s)
const char* cgroup_io_accounting_metric_to_string(CGroupIOAccountingMetric m) _const_;
CGroupIOAccountingMetric cgroup_io_accounting_metric_from_string(const char *s) _pure_;
-const char* cgroup_limit_type_to_string(CGroupLimitType m) _const_;
-CGroupLimitType cgroup_limit_type_from_string(const char *s) _pure_;
+const char* cgroup_effective_limit_type_to_string(CGroupLimitType m) _const_;
+CGroupLimitType cgroup_effective_limit_type_from_string(const char *s) _pure_;
const char* cgroup_memory_accounting_metric_to_string(CGroupMemoryAccountingMetric m) _const_;
CGroupMemoryAccountingMetric cgroup_memory_accounting_metric_from_string(const char *s) _pure_;
diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index ac6add4700..bb19831814 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -1458,7 +1458,7 @@ static int property_get_effective_limit(
assert(reply);
assert(property);
- assert_se((type = cgroup_limit_type_from_string(property)) >= 0);
+ assert_se((type = cgroup_effective_limit_type_from_string(property)) >= 0);
(void) unit_get_effective_limit(u, type, &value);
return sd_bus_message_append(reply, "t", value);
}
--
2.35.3

View File

@ -6,16 +6,10 @@
%dir %{_prefix}/lib/pcrlock.d/500-separator.pcrlock.d
%dir %{_prefix}/lib/pcrlock.d/700-action-efi-exit-boot-services.pcrlock.d
%dir %{_sysconfdir}/systemd/oomd.conf.d
%dir %{_systemd_util_dir}/repart
%dir %{_systemd_util_dir}/repart/definitions
%dir %{_systemd_util_dir}/repart/definitions/confext.repart.d
%dir %{_systemd_util_dir}/repart/definitions/portable.repart.d
%dir %{_systemd_util_dir}/repart/definitions/sysext.repart.d
%if %{with sd_boot}
%dir %{_unitdir}/initrd.target.wants
%endif
%{_bindir}/oomctl
%{_bindir}/systemd-repart
%{_bindir}/systemd-vmspawn
%if %{with sd_boot}
%{_bindir}/ukify
@ -38,7 +32,6 @@
%{_mandir}/man5/oomd.conf.5.gz
%{_mandir}/man5/oomd.conf.d.5.gz
%{_mandir}/man5/org.freedesktop.oom1.5.gz
%{_mandir}/man5/repart.d.5.gz
%{_mandir}/man5/systemd.pcrlock.5.gz
%{_mandir}/man5/systemd.pcrlock.d.5.gz
%{_mandir}/man5/sysupdate.d.5.gz
@ -65,8 +58,6 @@
%{_mandir}/man8/systemd-pcrphase-sysinit.service.8.gz
%{_mandir}/man8/systemd-pcrphase.service.8.gz
%endif
%{_mandir}/man8/systemd-repart.8.gz
%{_mandir}/man8/systemd-repart.service.8.gz
%{_mandir}/man8/systemd-storagetm.8.gz
%{_mandir}/man8/systemd-storagetm.service.8.gz
%{_mandir}/man8/systemd-sysupdate-reboot.service.8.gz
@ -94,17 +85,6 @@
%{_prefix}/lib/pcrlock.d/950-shutdown.pcrlock
%{_prefix}/lib/pcrlock.d/990-final.pcrlock
%{_systemd_util_dir}/oomd.conf
%{_systemd_util_dir}/repart/definitions/confext.repart.d/10-root.conf
%{_systemd_util_dir}/repart/definitions/confext.repart.d/20-root-verity.conf
%{_systemd_util_dir}/repart/definitions/confext.repart.d/30-root-verity-sig.conf
%{_systemd_util_dir}/repart/definitions/portable.repart.d/10-root.conf
%{_systemd_util_dir}/repart/definitions/portable.repart.d/20-root-verity.conf
%{_systemd_util_dir}/repart/definitions/portable.repart.d/30-root-verity-sig.conf
%{_systemd_util_dir}/repart/definitions/sysext.repart.d/10-root.conf
%{_systemd_util_dir}/repart/definitions/sysext.repart.d/20-root-verity.conf
%{_systemd_util_dir}/repart/definitions/sysext.repart.d/30-root-verity-sig.conf
%{_systemd_util_dir}/system/initrd-root-fs.target.wants/systemd-repart.service
%{_systemd_util_dir}/system/sysinit.target.wants/systemd-repart.service
%{_systemd_util_dir}/systemd-bsod
%{_systemd_util_dir}/systemd-measure
%{_systemd_util_dir}/systemd-oomd
@ -155,7 +135,6 @@
%{_unitdir}/systemd-pcrphase-sysinit.service
%{_unitdir}/systemd-pcrphase.service
%endif
%{_unitdir}/systemd-repart.service
%{_unitdir}/systemd-storagetm.service
%{_unitdir}/systemd-sysupdate-reboot.service
%{_unitdir}/systemd-sysupdate-reboot.timer

View File

@ -652,11 +652,3 @@
%{_unitdir}/user@.service.d/10-login-barrier.conf
%{_unitdir}/user@0.service.d/10-login-barrier.conf
%{xinitconfdir}/xinitrc.d/50-systemd-user.sh
%if %{with split_usr}
/bin/systemctl
/sbin/halt
/sbin/init
/sbin/poweroff
/sbin/reboot
/sbin/shutdown
%endif

View File

@ -22,6 +22,13 @@
%dir %{_sysconfdir}/udev/iocost.conf.d
%dir %{_sysconfdir}/udev/rules.d
%dir %{_systemd_util_dir}/network
%if %{without bootstrap}
%dir %{_systemd_util_dir}/repart
%dir %{_systemd_util_dir}/repart/definitions
%dir %{_systemd_util_dir}/repart/definitions/confext.repart.d
%dir %{_systemd_util_dir}/repart/definitions/portable.repart.d
%dir %{_systemd_util_dir}/repart/definitions/sysext.repart.d
%endif
%dir %{_systemd_util_dir}/system-sleep
%dir %{_udevhwdbdir}
%dir %{_udevrulesdir}
@ -40,6 +47,9 @@
%{_bindir}/systemd-cryptsetup
%endif
%{_bindir}/systemd-hwdb
%if %{without bootstrap}
%{_bindir}/systemd-repart
%endif
%{_bindir}/udevadm
%if %{without bootstrap}
%{_datadir}/bash-completion/completions/bootctl
@ -66,6 +76,7 @@
%{_mandir}/man5/modules-load.d.5.gz
%{_mandir}/man5/pstore.conf.5.gz
%{_mandir}/man5/pstore.conf.d.5.gz
%{_mandir}/man5/repart.d.5.gz
%{_mandir}/man5/sleep.conf.d.5.gz
%{_mandir}/man5/systemd-sleep.conf.5.gz
%{_mandir}/man5/timesyncd.conf.5.gz
@ -117,6 +128,8 @@
%{_mandir}/man8/systemd-random-seed.service.8.gz
%{_mandir}/man8/systemd-remount-fs.8.gz
%{_mandir}/man8/systemd-remount-fs.service.8.gz
%{_mandir}/man8/systemd-repart.8.gz
%{_mandir}/man8/systemd-repart.service.8.gz
%{_mandir}/man8/systemd-rfkill.8.gz
%{_mandir}/man8/systemd-rfkill.service.8.gz
%{_mandir}/man8/systemd-rfkill.socket.8.gz
@ -160,7 +173,22 @@
%{_systemd_util_dir}/network/99-default.link
%{_systemd_util_dir}/ntp-units.d/80-systemd-timesync.list
%{_systemd_util_dir}/pstore.conf
%if %{without bootstrap}
%{_systemd_util_dir}/repart/definitions/confext.repart.d/10-root.conf
%{_systemd_util_dir}/repart/definitions/confext.repart.d/20-root-verity.conf
%{_systemd_util_dir}/repart/definitions/confext.repart.d/30-root-verity-sig.conf
%{_systemd_util_dir}/repart/definitions/portable.repart.d/10-root.conf
%{_systemd_util_dir}/repart/definitions/portable.repart.d/20-root-verity.conf
%{_systemd_util_dir}/repart/definitions/portable.repart.d/30-root-verity-sig.conf
%{_systemd_util_dir}/repart/definitions/sysext.repart.d/10-root.conf
%{_systemd_util_dir}/repart/definitions/sysext.repart.d/20-root-verity.conf
%{_systemd_util_dir}/repart/definitions/sysext.repart.d/30-root-verity-sig.conf
%endif
%{_systemd_util_dir}/sleep.conf
%if %{without bootstrap}
%{_systemd_util_dir}/system/initrd-root-fs.target.wants/systemd-repart.service
%{_systemd_util_dir}/system/sysinit.target.wants/systemd-repart.service
%endif
%{_systemd_util_dir}/systemd-backlight
%{_systemd_util_dir}/systemd-battery-check
%if %{without bootstrap}
@ -341,6 +369,9 @@
%endif
%{_unitdir}/systemd-random-seed.service
%{_unitdir}/systemd-remount-fs.service
%if %{without bootstrap}
%{_unitdir}/systemd-repart.service
%endif
%{_unitdir}/systemd-rfkill.service
%{_unitdir}/systemd-rfkill.socket
%{_unitdir}/systemd-suspend-then-hibernate.service
@ -359,6 +390,3 @@
%{_unitdir}/veritysetup-pre.target
%{_unitdir}/veritysetup.target
%endif
%if %{with split_usr}
/sbin/udevadm
%endif

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2e2c1c6c6acd082a80b9c2b3503ba2a62589c04070235756925a34f4f1418d4
size 10771792

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a55e1ddf7c66e69b057cf1bc8a51c0c6d3936b1633881c42c1585a9c8cfda53e
size 10774060

View File

@ -1,3 +1,48 @@
-------------------------------------------------------------------
Wed Apr 3 07:03:59 UTC 2024 - Franck Bui <fbui@suse.com>
- Move systemd-repart from experimental to udev.
-------------------------------------------------------------------
Fri Mar 22 11:28:59 UTC 2024 - Franck Bui <fbui@suse.com>
- Add 0001-Drop-support-for-efivar-SystemdOptions.patch (bsc#1220338)
Upstream deprecated it and plan to drop it in the future.
Let's get ahead and drop it now as this feature is unlikely to be used on SUSE
distros and it might be used to gain access to encrypted SLEM systems with
unattended disk unlock and with secure boot disabled.
-------------------------------------------------------------------
Thu Mar 21 13:37:16 UTC 2024 - Franck Bui <fbui@suse.com>
- The following patches have been merged into SUSE/v255 branch hence removed
from the OBS project.
5006-cgroup-Add-EffectiveMemoryMax-EffectiveMemoryHigh-an.patch
5007-test-Convert-rlimit-test-to-subtest-of-generic-limit.patch
5008-test-Add-effective-cgroup-limits-testing.patch
5009-cgroup-Restrict-effective-limits-with-global-resourc.patch
5010-cgroup-Rename-effective-limits-internal-table.patch
- Import commit 56b53b17bcd8311dfb53f05b359b2812593883ab
56b53b17bc cgroup: Rename effective limits internal table (jsc#PED-5659)
7c9202317c cgroup: Restrict effective limits with global resource provision (jsc#PED-5659)
da858e68eb test: Add effective cgroup limits testing (jsc#PED-5659)
2f013357a5 test: Convert rlimit test to subtest of generic limit testing (jsc#PED-5659)
0a3ea7f367 cgroup: Add EffectiveMemoryMax=, EffectiveMemoryHigh= and EffectiveTasksMax= properties (jsc#PED-5659)
-------------------------------------------------------------------
Wed Mar 20 17:31:16 UTC 2024 - Franck Bui <fbui@suse.com>
- Drop split_usr build conditional since both split-usr and unmerged-usr
supports have been removed since v255.
- Don't use the "Patch:" directive with a suffix number as since the suffix
doesn't serve any purpose.
-------------------------------------------------------------------
Mon Mar 18 20:14:57 UTC 2024 - Franck Bui <fbui@suse.com>

View File

@ -28,7 +28,7 @@
%else
%define systemd_version 255.4
%define systemd_release 0
%define archive_version +suse.17.gbe772961ad
%define archive_version +suse.22.g56b53b17bc
%endif
%define systemd_major %{sub %systemd_version 1 3}
@ -76,7 +76,6 @@
# The following features are kept to ease migrations toward SLE. Their default
# value is independent of the build flavor.
%bcond_without filetriggers
%bcond_with split_usr
# We stopped shipping main config files in /etc but we have to restore any
# config files that might have been backed up by rpm during the migration of the
@ -225,28 +224,21 @@ Source213: files.devel-doc
# only relevant for SUSE distros. Special rewards for those who will manage to
# get rid of one of them !
#
Patch3: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
Patch: 0001-Drop-support-for-efivar-SystemdOptions.patch
Patch: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
%if %{with sysvcompat}
Patch4: 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch
Patch5: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
Patch: 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch
Patch: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
%endif
%if %{without upstream}
# Patches listed below are put in quarantine. Normally all changes must go to
# upstream first and then are cherry-picked in the SUSE git repository. But for
# very few cases, some stuff might be broken in upstream and need to be fixed or
# worked around quickly. In these cases, the patches are added temporarily and
# will be removed as soon as a proper fix will be merged by upstream.
Patch5001: 5001-Revert-udev-update-devlink-with-the-newer-device-nod.patch
Patch5002: 5002-Revert-udev-revert-workarounds-for-issues-caused-by-.patch
# jsc#PED-5659
Patch5006: 5006-cgroup-Add-EffectiveMemoryMax-EffectiveMemoryHigh-an.patch
Patch5007: 5007-test-Convert-rlimit-test-to-subtest-of-generic-limit.patch
Patch5008: 5008-test-Add-effective-cgroup-limits-testing.patch
Patch5009: 5009-cgroup-Restrict-effective-limits-with-global-resourc.patch
Patch5010: 5010-cgroup-Rename-effective-limits-internal-table.patch
Patch: 5001-Revert-udev-update-devlink-with-the-newer-device-nod.patch
Patch: 5002-Revert-udev-revert-workarounds-for-issues-caused-by-.patch
%endif
%description
@ -350,6 +342,8 @@ Requires(postun):coreutils
# 'regenerate_initrd_post' macro is expanded during build, hence this BR.
BuildRequires: suse-module-tools
%if %{without bootstrap}
# fdisk is a build requirement for repart
BuildRequires: pkgconfig(fdisk)
BuildRequires: pkgconfig(libcryptsetup) >= 1.6.0
BuildRequires: pkgconfig(libkmod) >= 15
# Enable fido2 and tpm supports in systemd-cryptsetup, systemd-enroll. However
@ -709,8 +703,6 @@ Summary: Experimental systemd features
License: LGPL-2.1-or-later
Requires: %{name} = %{version}-%{release}
%systemd_requires
# fdisk is a build requirement for repart
BuildRequires: pkgconfig(fdisk)
%description experimental
This package contains optional extra services that are considered as previews
@ -725,7 +717,8 @@ change without the usual backwards-compatibility promises.
Components that turn out to be stable and considered as fully supported will be
merged into the main package or moved into a dedicated package.
Currently this package contains: repart, oomd, measure, pcrphase and ukify.
Currently this package contains: bsod, oomd, measure, pcrextend, pcrlock,
storagetm, sysupdate, tpm2-setup, userwork and ukify.
Have fun (at your own risk).
%endif
@ -755,10 +748,6 @@ export CFLAGS="%{optflags} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
-Dmode=release \
-Dversion-tag=%{version}%{archive_version} \
-Ddocdir=%{_docdir}/systemd \
%if %{with split_usr}
-Drootprefix=/usr \
-Dsplit-usr=true \
%endif
-Dconfigfiledir=/usr/lib \
-Dsplit-bin=true \
-Dsystem-uid-max=499 \
@ -832,6 +821,7 @@ export CFLAGS="%{optflags} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
-Dpasswdqc=%{when_not bootstrap} \
-Dpwquality=%{when_not bootstrap} \
-Dseccomp=%{when_not bootstrap} \
-Drepart=%{when_not bootstrap} \
-Dstoragetm=%{when_not bootstrap} \
-Dtpm=%{when_not bootstrap} \
-Dtpm2=%{when_not bootstrap} \
@ -867,7 +857,6 @@ export CFLAGS="%{optflags} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
-Dresolve=%{when resolved} \
\
-Doomd=%{when experimental} \
-Drepart=%{when experimental} \
-Dsysupdate=%{when experimental} \
%if %{with sd_boot}
-Dukify=%{when experimental} \
@ -912,27 +901,6 @@ install -m0755 %{SOURCE100} %{buildroot}%{_systemd_util_dir}/rpm/
%endif
install -m0755 %{SOURCE101} %{buildroot}%{_systemd_util_dir}/rpm/
%if %{with split_usr}
mkdir -p %{buildroot}/{bin,sbin}
# Legacy paths
ln -s ../usr/bin/udevadm %{buildroot}/sbin/
ln -s ../usr/bin/systemctl %{buildroot}/bin/
ln -s ../usr/lib/systemd/systemd %{buildroot}/sbin/init
ln -s ../usr/bin/systemctl %{buildroot}/sbin/reboot
ln -s ../usr/bin/systemctl %{buildroot}/sbin/halt
ln -s ../usr/bin/systemctl %{buildroot}/sbin/shutdown
ln -s ../usr/bin/systemctl %{buildroot}/sbin/poweroff
# Legacy sysvinit tools
%if %{with sysvcompat}
ln -s ../usr/bin/systemctl %{buildroot}/sbin/telinit
ln -s ../usr/bin/systemctl %{buildroot}/sbin/runlevel
%endif
# kmod keeps insisting on using /lib/modprobe.d only.
mkdir -p %{buildroot}%{_modprobedir}
mv %{buildroot}/usr/lib/modprobe.d/* %{buildroot}%{_modprobedir}/
%endif
# Make sure /usr/lib/modules-load.d exists in udev(-mini)?, so other
# packages can install modules without worry
mkdir -p %{buildroot}%{_modulesloaddir}