From fcc2b807d7d4fadff6a31bbb12147416be0937c8ecc47c35e629e414a0d1361b Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Mon, 29 Jan 2018 10:07:56 +0000 Subject: [PATCH] Accepting request 570496 from home:fbui:systemd:Factory - Do not optionally remove /usr/lib/systemd/system/tmp.mnt anymore (bsc#1071224) OBS-URL: https://build.opensuse.org/request/show/570496 OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1006 --- suse-disable-tmpfs-for-tmp.service | 33 +++++++++++++ systemd-mini.changes | 28 +++++++++++ systemd-mini.spec | 74 ++++++++++++++++-------------- systemd.changes | 28 +++++++++++ systemd.spec | 74 ++++++++++++++++-------------- 5 files changed, 167 insertions(+), 70 deletions(-) create mode 100644 suse-disable-tmpfs-for-tmp.service diff --git a/suse-disable-tmpfs-for-tmp.service b/suse-disable-tmpfs-for-tmp.service new file mode 100644 index 00000000..df598082 --- /dev/null +++ b/suse-disable-tmpfs-for-tmp.service @@ -0,0 +1,33 @@ +# +# By default, /tmp doesn't use tmpfs on SUSE distros. +# +# This service is either run automatically during the firstboot (i.e. +# only once) of the system. +# +# Or it can also be (manually) started during systemd update (%post) +# only and only if tmp.mount wasn't already installed by the admin in +# /usr/lib during %pre. In this case tmp.mount should also masked. +# +# In any cases this service will never mask tmp.mount if the service +# has been created by either the admin or fstab-generator. +# +[Unit] +Description=Mask tmp.mount by default on SUSE systems +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-remount-fs.service +Before=tmp.mount +ConditionPathIsReadWrite=/etc +ConditionPathExists=!/usr/lib/systemd/system/.disable-tmpfs-for-tmp~done + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/sh -c ' \ + case "$(systemctl show -pFragmentPath tmp.mount)" in \ + FragmentPath=/usr/lib/systemd/system/tmp.mount) \ + systemctl mask --now tmp.mount ;; \ + FragmentPath=/usr/share/systemd/tmp.mount) \ + ln -sf /usr/lib/systemd/system/tmp.mount /etc/systemd/system/ ;; \ + esac' +ExecStartPost=/usr/bin/touch /usr/lib/systemd/system/.disable-tmpfs-for-tmp~done diff --git a/systemd-mini.changes b/systemd-mini.changes index 04ab2e2c..17ec22fe 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Mon Jan 29 09:52:50 UTC 2018 - fbui@suse.com + +- Do not optionally remove /usr/lib/systemd/system/tmp.mnt anymore (bsc#1071224) + + This was done to make sure that tmpfs wouldn't be used for /tmp by + defaut in case the dir layout created by the installer did not + create a customized tmp.mount. + + But it had the bad side effect to break "rpm -V systemd" and updates + of systemd via delta-RPMs. + + Now instead of removing tmp.mount unit file, we mask it (still only + if no other tmp.mount would override the default one). It's the + official way to disable tmpfs on /tmp after all. + + Since we cannot rely on the presence of fstab during package + installations, we introduced a service which is run once on the + first boot and which figures out if tmpfs would be used. If so it + masks the unit. + + We also handle the upgrade path and make sure to preserve admin's + settings (if any). + + Another advantage of this is that we will only need to remove the + introduced service the day when tmpfs will be the default for SUSE + distros. + ------------------------------------------------------------------- Fri Jan 26 14:40:38 UTC 2018 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 3376805e..72d027ef 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -148,6 +148,7 @@ Source7: libgcrypt.m4 Source11: after-local.service Source12: systemd-sysv-install Source14: kbd-model-map.legacy +Source15: suse-disable-tmpfs-for-tmp.service Source100: scripts-systemd-fix-machines-btrfs-subvol.sh Source101: scripts-systemd-upgrade-from-pre-210.sh @@ -513,11 +514,10 @@ rm -f %{buildroot}/etc/systemd/system/default.target # customized for openSUSE distros. install -m0644 %{S:2} %{buildroot}%{_sysconfdir}/pam.d/ -# We keep a copy of tmp.mount because it may be removed if not used -# (see %post): we want to be sure tmpfs won't be used for /tmp by -# default on Suse distros. -rm %{buildroot}/%{_prefix}/lib/systemd/system/local-fs.target.wants/tmp.mount -cp %{buildroot}/%{_prefix}/lib/systemd/system/tmp.mount %{buildroot}/%{_datadir}/systemd/ +# Install the service which will disable/mask tmpfs for /tmp (if +# needed) on first boot. +install -m0644 -D %{S:15} %{buildroot}/%{_prefix}/lib/systemd/system/suse-disable-tmpfs-for-tmp.service +ln -s ../suse-disable-tmpfs-for-tmp.service %{buildroot}/%{_prefix}/lib/systemd/system/sysinit.target.wants/ # don't enable wall ask password service, it spams every console (bnc#747783) rm %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path @@ -648,12 +648,19 @@ cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map %find_lang systemd +# Build of installation images uses a hard coded list of packages with +# a %pre that needs to be run during the build. systemd is one of them +# so keep the section even if it's empty. %pre -# Build of installation images uses an hard coded list of some -# packages with a %pre that needs to be run during the -# build. Unfortunately, systemd in one of them. To make thing simpler -# we use a %pre section even if it is not needed. -exit 0 +if [ $1 -gt 1 ] ; then + # Check if tmp.mount has been restored by either the admin or + # was added at package installation. In both cases do nothing + # and prevent the service to be executed during %post for the + # former case. + if test -e %{_unitdir}/tmp.mount; then + touch %{_unitdir}/.disable-tmpfs-for-tmp~done + fi +fi %post # Make /etc/machine-id an empty file during package installation. On @@ -695,16 +702,6 @@ if [ $1 -eq 1 ]; then %endif fi >/dev/null -# Keep tmp.mount if it's been enabled explicitly by the user otherwise -# make sure it wont be activated since it's the default for Suse -# distros. This unit can be pulled (implicitely) in various ways -# (private /tmp, etc..) and it's required by the basic.target -# explicitly since v220. -case $(systemctl is-enabled tmp.mount 2>/dev/null) in -enabled) ;; -*) rm -f %{_prefix}/lib/systemd/system/tmp.mount -esac - # v228 wrongly set world writable suid root permissions on timestamp # files used by permanent timers. Fix the timestamps that might have # been created by the affected versions of systemd (bsc#1020601). @@ -720,23 +717,30 @@ done # This includes all hacks needed when upgrading from SysV. %{_prefix}/lib/systemd/scripts/upgrade-from-pre-210.sh || : -# Convert /var/lib/machines subvolume to make it suitable for -# rollbacks, if needed. See bsc#992573. The installer has been fixed -# to create it at installation time. -# -# The convertion might only be problematic for openSUSE distros -# (TW/Factory) where previous versions had already created the -# subvolume at the wrong place (via tmpfiles for example) and user -# started to populate and use it. In this case we'll let the user fix -# it manually. -# -# For SLE12 this subvolume was only introduced during the upgrade from -# v210 to v228 when we added this workaround. Note that the subvolume -# is still created at the wrong place due to the call to -# tmpfiles_create macro previously however it's empty so there -# shouldn't be any issues. if [ $1 -gt 1 ]; then + # Convert /var/lib/machines subvolume to make it suitable for + # rollbacks, if needed. See bsc#992573. The installer has been fixed + # to create it at installation time. + # + # The convertion might only be problematic for openSUSE distros + # (TW/Factory) where previous versions had already created the + # subvolume at the wrong place (via tmpfiles for example) and user + # started to populate and use it. In this case we'll let the user fix + # it manually. + # + # For SLE12 this subvolume was only introduced during the upgrade from + # v210 to v228 when we added this workaround. Note that the subvolume + # is still created at the wrong place due to the call to + # tmpfiles_create macro previously however it's empty so there + # shouldn't be any issues. %{_prefix}/lib/systemd/scripts/fix-machines-btrfs-subvol.sh || : + + # Should we mask tmpfs ? If tmp.mount was already installed in + # /usr/lib then this is a nop as sysadmin restored the unit + # most likely to use tmpfs (see %pre) otherwise mask the mount + # unit unless it's overriden by a tmp.mount unit installed + # either by sysadmin or fstab-generator. + systemctl start suse-disable-tmpfs-for-tmp.service || : fi %postun diff --git a/systemd.changes b/systemd.changes index 04ab2e2c..17ec22fe 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Mon Jan 29 09:52:50 UTC 2018 - fbui@suse.com + +- Do not optionally remove /usr/lib/systemd/system/tmp.mnt anymore (bsc#1071224) + + This was done to make sure that tmpfs wouldn't be used for /tmp by + defaut in case the dir layout created by the installer did not + create a customized tmp.mount. + + But it had the bad side effect to break "rpm -V systemd" and updates + of systemd via delta-RPMs. + + Now instead of removing tmp.mount unit file, we mask it (still only + if no other tmp.mount would override the default one). It's the + official way to disable tmpfs on /tmp after all. + + Since we cannot rely on the presence of fstab during package + installations, we introduced a service which is run once on the + first boot and which figures out if tmpfs would be used. If so it + masks the unit. + + We also handle the upgrade path and make sure to preserve admin's + settings (if any). + + Another advantage of this is that we will only need to remove the + introduced service the day when tmpfs will be the default for SUSE + distros. + ------------------------------------------------------------------- Fri Jan 26 14:40:38 UTC 2018 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index f248d9a7..b889f423 100644 --- a/systemd.spec +++ b/systemd.spec @@ -146,6 +146,7 @@ Source7: libgcrypt.m4 Source11: after-local.service Source12: systemd-sysv-install Source14: kbd-model-map.legacy +Source15: suse-disable-tmpfs-for-tmp.service Source100: scripts-systemd-fix-machines-btrfs-subvol.sh Source101: scripts-systemd-upgrade-from-pre-210.sh @@ -511,11 +512,10 @@ rm -f %{buildroot}/etc/systemd/system/default.target # customized for openSUSE distros. install -m0644 %{S:2} %{buildroot}%{_sysconfdir}/pam.d/ -# We keep a copy of tmp.mount because it may be removed if not used -# (see %post): we want to be sure tmpfs won't be used for /tmp by -# default on Suse distros. -rm %{buildroot}/%{_prefix}/lib/systemd/system/local-fs.target.wants/tmp.mount -cp %{buildroot}/%{_prefix}/lib/systemd/system/tmp.mount %{buildroot}/%{_datadir}/systemd/ +# Install the service which will disable/mask tmpfs for /tmp (if +# needed) on first boot. +install -m0644 -D %{S:15} %{buildroot}/%{_prefix}/lib/systemd/system/suse-disable-tmpfs-for-tmp.service +ln -s ../suse-disable-tmpfs-for-tmp.service %{buildroot}/%{_prefix}/lib/systemd/system/sysinit.target.wants/ # don't enable wall ask password service, it spams every console (bnc#747783) rm %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path @@ -646,12 +646,19 @@ cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map %find_lang systemd +# Build of installation images uses a hard coded list of packages with +# a %pre that needs to be run during the build. systemd is one of them +# so keep the section even if it's empty. %pre -# Build of installation images uses an hard coded list of some -# packages with a %pre that needs to be run during the -# build. Unfortunately, systemd in one of them. To make thing simpler -# we use a %pre section even if it is not needed. -exit 0 +if [ $1 -gt 1 ] ; then + # Check if tmp.mount has been restored by either the admin or + # was added at package installation. In both cases do nothing + # and prevent the service to be executed during %post for the + # former case. + if test -e %{_unitdir}/tmp.mount; then + touch %{_unitdir}/.disable-tmpfs-for-tmp~done + fi +fi %post # Make /etc/machine-id an empty file during package installation. On @@ -693,16 +700,6 @@ if [ $1 -eq 1 ]; then %endif fi >/dev/null -# Keep tmp.mount if it's been enabled explicitly by the user otherwise -# make sure it wont be activated since it's the default for Suse -# distros. This unit can be pulled (implicitely) in various ways -# (private /tmp, etc..) and it's required by the basic.target -# explicitly since v220. -case $(systemctl is-enabled tmp.mount 2>/dev/null) in -enabled) ;; -*) rm -f %{_prefix}/lib/systemd/system/tmp.mount -esac - # v228 wrongly set world writable suid root permissions on timestamp # files used by permanent timers. Fix the timestamps that might have # been created by the affected versions of systemd (bsc#1020601). @@ -718,23 +715,30 @@ done # This includes all hacks needed when upgrading from SysV. %{_prefix}/lib/systemd/scripts/upgrade-from-pre-210.sh || : -# Convert /var/lib/machines subvolume to make it suitable for -# rollbacks, if needed. See bsc#992573. The installer has been fixed -# to create it at installation time. -# -# The convertion might only be problematic for openSUSE distros -# (TW/Factory) where previous versions had already created the -# subvolume at the wrong place (via tmpfiles for example) and user -# started to populate and use it. In this case we'll let the user fix -# it manually. -# -# For SLE12 this subvolume was only introduced during the upgrade from -# v210 to v228 when we added this workaround. Note that the subvolume -# is still created at the wrong place due to the call to -# tmpfiles_create macro previously however it's empty so there -# shouldn't be any issues. if [ $1 -gt 1 ]; then + # Convert /var/lib/machines subvolume to make it suitable for + # rollbacks, if needed. See bsc#992573. The installer has been fixed + # to create it at installation time. + # + # The convertion might only be problematic for openSUSE distros + # (TW/Factory) where previous versions had already created the + # subvolume at the wrong place (via tmpfiles for example) and user + # started to populate and use it. In this case we'll let the user fix + # it manually. + # + # For SLE12 this subvolume was only introduced during the upgrade from + # v210 to v228 when we added this workaround. Note that the subvolume + # is still created at the wrong place due to the call to + # tmpfiles_create macro previously however it's empty so there + # shouldn't be any issues. %{_prefix}/lib/systemd/scripts/fix-machines-btrfs-subvol.sh || : + + # Should we mask tmpfs ? If tmp.mount was already installed in + # /usr/lib then this is a nop as sysadmin restored the unit + # most likely to use tmpfs (see %pre) otherwise mask the mount + # unit unless it's overriden by a tmp.mount unit installed + # either by sysadmin or fstab-generator. + systemctl start suse-disable-tmpfs-for-tmp.service || : fi %postun