| |
rpm id |
test |
status |
message |
 |
NetworkManager-openconnect-1.2.10-alt2.x86_64 |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
|
NetworkManager-sstp-1.3.2-alt2.x86_64 |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
 |
acmed-0.25.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
agola-0.5.0-alt3.src |
specfile-useradd-n |
warn |
-n in useradd is compat option and can be removed any time. Use -N instead. |
|
agola-0.5.0-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
anubis-1.19.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
 |
arrow-glib-doc-12.0.0-alt2.3.x86_64 |
arch-dep-package-consists-of-usr-share |
info |
The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
branding-alt-container-11-alt1.src |
requires-ImageMagick |
info |
Dependency on ImageMagick (compat package) found. It probably should be replaced with more specific dependency like /usr/bin/convert or ImageMagick-tools, or it can be already autodetected by findreq-shell. |
|
branding-alt-container-notes-11-alt1.noarch |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
|
branding-alt-server-11.0-alt26.src |
requires-ImageMagick |
info |
Dependency on ImageMagick (compat package) found. It probably should be replaced with more specific dependency like /usr/bin/convert or ImageMagick-tools, or it can be already autodetected by findreq-shell. |
|
branding-alt-server-notes-11.0-alt26.noarch |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
|
branding-alt-virtualization-pve-11.0-alt0.7.src |
requires-ImageMagick |
info |
Dependency on ImageMagick (compat package) found. It probably should be replaced with more specific dependency like /usr/bin/convert or ImageMagick-tools, or it can be already autodetected by findreq-shell. |
|
branding-alt-virtualization-pve-notes-11.0-alt0.7.noarch |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
|
branding-alt-virtualization-pve-release-11.0-alt0.7.noarch |
rpm-filesystem-conflict-file-file |
warn |
File /etc/altlinux-release conflicts with the package altlinux-release-sisyphus-20201124-alt1.noarch. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
caddy-2.10.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
cert-manager-1.15.3-alt1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/bin/webhook conflicts with the package webhook-2.8.2-alt1.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
cloud-init-24.4.1-alt1.noarch |
big-changelog |
info |
Package contains big ChangeLog. Gzip it. |
|
cloud-init-24.4.1-alt1.noarch |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
|
cloud-init-24.4.1-alt1.noarch |
init-condrestart |
warn |
/etc/rc.d/init.d/cloud-config: missing condstop target. Note: alt-specific script %_sbindir/preun_service (used in %preun_service macro) depends on condstop. It is wise to add condstop anyway./etc/rc.d/init.d/cloud-final: missing condstop target. Note: alt-specific script %_sbindir/preun_service (used in %preun_service macro) depends on condstop. It is wise to add condstop anyway./etc/rc.d/init.d/cloud-init: missing condstop target. Note: alt-specific script %_sbindir/preun_service (used in %preun_service macro) depends on condstop. It is wise to add condstop anyway./etc/rc.d/init.d/cloud-init-local: missing condstop target. Note: alt-specific script %_sbindir/preun_service (used in %preun_service macro) depends on condstop. It is wise to add condstop anyway. |
 |
cloud-init-24.4.1-alt1.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/cloud-init-24.4.1-alt1.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/cloud-init.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/noarch/RPMS/cloud-init-24.4.1-alt1.noarch.rpm: invalid udev rules path: /usr/lib/udev/rules.d/66-azure-ephemeral.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
cni-plugins-1.7.1-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/cni-plugins-1.7.1-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/cni-plugins.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
cni-plugins-1.7.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
connman-1.44-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/connmand: not systemd compatible: lsb init header missing and connmand.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
connman-1.44-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/connman-1.44-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/connman_resolvconf.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
cri-o1.23-1.23.5-alt4.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
cri-o1.24-1.24.6-alt4.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
cri-o1.25-1.25.5-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
cri-o1.26-1.26.4-alt5.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
cri-o1.27-1.27.8-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
cri-o1.28-1.28.11-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
dmeventd-1.02.207-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
dmsetup-1.02.207-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/dmsetup-1.02.207-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/10-dm.rules /usr/lib/udev/rules.d/11-dm-lvm.rules /usr/lib/udev/rules.d/13-dm-disk.rules /usr/lib/udev/rules.d/95-dm-notify.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
dracut-107-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
dracut-107-alt1.x86_64 |
unsafe-tmp-usage-in-scripts |
fail |
0755 |
|
dracut-live-107-alt1.noarch |
unsafe-tmp-usage-in-scripts |
fail |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/dracut/modules.d/90livenet/parse-livenet.sh: $ grep /tmp/ /usr/lib/dracut/modules.d/90livenet/parse-livenet.sh # live updates updates=$(getarg live.updates=) if [ "$updates" ]; then # make sure network comes up even if we're doing a local live device if [ "$netroot" ]; then echo > /tmp/net.ifaces fi echo "$updates" > /tmp/liveupdates.info echo '[ /tmp/liveupdates.done ]' > "$hookdir"/initqueue/finished/liveupdates.sh fi str_starts "$root" "live:" && liveurl="$root" str_starts "$liveurl" "live:" || return liveurl="${liveurl#live:}" Found error in /usr/lib/dracut/modules.d/90livenet/livenetroot.sh: $ grep /tmp/ /usr/lib/dracut/modules.d/90livenet/livenetroot.sh PATH=/usr/sbin:/usr/bin:/sbin:/bin RETRIES=${RETRIES:-100} SLEEP=${SLEEP:-5} [ /tmp/livenet.downloaded ] && exit 0 # args get passed from 40network/netroot netroot="$2" liveurl="${netroot#livenet:}" info "fetching $liveurl" sleep "$SLEEP" fi i=$((i + 1)) done > /tmp/livenet.downloaded # TODO: couldn't dmsquash-live-root handle this? if [ "${imgfile##*.}" = "iso" ]; then root=$(losetup -f) losetup "$root" "$imgfile" Found error in /usr/lib/dracut/modules.d/90dmsquash-live-autooverlay/create-overlay.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90dmsquash-live-autooverlay/create-overlay.sh #!/bin/sh command -v getarg > /dev/null || . /lib/dracut-lib.sh if getargbool 0 rd.live.debug; then exec > /tmp/create-overlay.$$.out exec 2>> /tmp/create-overlay.$$.out set -x fi gatherData() { overlay=$(getarg rd.live.overlay) Found error in /usr/lib/dracut/modules.d/90dmsquash-live/iso-scan.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90dmsquash-live/iso-scan.sh do_iso_scan() { local _name local dev for dev in /dev/disk/by-uuid/*; do _name=$(dev_unit_name "$dev") [ -e /tmp/isoscan-"${_name}" ] && continue : > /tmp/isoscan-"${_name}" mount -t auto -o ro "$dev" "/run/initramfs/isoscan" || continue if [ -f "/run/initramfs/isoscan/$isofile" ]; then losetup -f "/run/initramfs/isoscan/$isofile" udevadm trigger --action=add > /dev/null 2>&1 ln -s "$dev" /run/initramfs/isoscandev Found error in /usr/lib/dracut/modules.d/90dmsquash-live/dmsquash-live-root.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90dmsquash-live/dmsquash-live-root.sh command -v unpack_archive > /dev/null || . /lib/img-lib.sh PATH=/usr/sbin:/usr/bin:/sbin:/bin if getargbool 0 rd.live.debug; then exec > /tmp/liveroot.$$.out exec 2>> /tmp/liveroot.$$.out set -x fi [ -z "$1" ] && exit 1 livedev="$1" |
|
dracut-network-manager-107-alt1.noarch |
unsafe-tmp-usage-in-scripts |
fail |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/dracut/modules.d/35network-manager/nm-run.sh: $ grep /tmp/ /usr/lib/dracut/modules.d/35network-manager/nm-run.sh for _i in /sys/class/net/*; do [ "$_i" ] || continue state="/run/NetworkManager/devices/$(cat "$_i"/ifindex)" grep '^connection-uuid=' "$state" 2> /dev/null || continue ifname="${_i##*/}" dhcpopts_create "$state" > /tmp/dhclient."$ifname".dhcpopts source_hook initqueue/online "$ifname" /sbin/netroot "$ifname" done : > /tmp/nm.done |
|
driverctl-0.111-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
fapolicyd-1.3.3-alt2.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/fapolicyd-1.3.3-alt2.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/fapolicyd.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
fapolicyd-1.3.3-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
fcoe-utils-1.0.34-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
fcoe-utils-1.0.34-alt3.x86_64 |
systemd-check-socket-name |
experimental |
in fcoe-utils-1.0.34-alt3.x86_64: there is a socket fcoemon.socket but no service fcoemon.service. Ask ildar@ why it is not right. |
|
fence-sanlock-3.9.5-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/fence-sanlock-3.9.5-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/fence_sanlockd.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
fish-4.0.2-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
fish-4.0.2-alt1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/share/fish/completions/yadm.fish conflicts with the package yadm-3.5.0-alt1.noarch. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
flannel-0.27.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/flannel-0.27.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/flannel.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
flannel-0.27.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
foomuuri-0.28-alt1.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/foomuuri-0.28-alt1.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/foomuuri.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
foomuuri-0.28-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
forgejo-11.0.2-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
freeradius-3.2.7-alt1.src |
specfile-useradd-n |
warn |
-n in useradd is compat option and can be removed any time. Use -N instead. |
|
freeradius-3.2.7-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
freeradius-3.2.7-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/radiusd: not systemd compatible: lsb init header missing and radiusd.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
freeradius-3.2.7-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/freeradius-3.2.7-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/radiusd.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
frr-10.3.1-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
frr-10.3.1-alt1.x86_64 |
init-condrestart |
fail |
/etc/rc.d/init.d/frr: missing condstop target. ERROR: alt-specific script %_sbindir/preun_service (used in your %preun_service macro) depends on condstop. Please, fix. |
|
frr-10.3.1-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/frr-10.3.1-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/frr.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
fwbuilder-6.0.0-alt2.beta.106.a5e1.x86_64 |
big-changelog |
info |
Package contains big ChangeLog. Gzip it. |
|
fwbuilder-6.0.0-alt2.beta.106.a5e1.x86_64 |
freedesktop-desktop |
info |
desktop-file-validate utility printed the following message(s): /usr/share/applications/fwbuilder.desktop: hint: value "System;Settings;Security;Qt;" for key "Categories" in group "Desktop Entry" contains more than one main category; application might appear more than once in the application menu |
|
galera-garbd-26.4.19-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/galera-garbd-26.4.19-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/garbd.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
gdm-data-48.0-alt4.noarch |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
|
gdm-data-48.0-alt4.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/gdm-data-48.0-alt4.noarch.rpm: invalid udev rules path: /usr/lib/udev/rules.d/61-gdm.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
gdm-libs-48.0-alt4.x86_64 |
library-pkgnames |
info |
package contains public library which is used in external packages: name should be lib* according to http://altlinux.org/Drafts/SharedLibs |
|
gerbera-2.4.1-alt2.src |
specfile-useradd-n |
warn |
-n in useradd is compat option and can be removed any time. Use -N instead. |
|
gerbera-2.4.1-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
gitea-act-0.2.11-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
gitea-tea-0.10.1-alt1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/bin/tea conflicts with the package tea-63.1.0-alt1.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
gnome-boxes-48.0-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
gnome-boxes-48.0-alt1.x86_64 |
freedesktop-desktop |
info |
desktop-file-validate utility printed the following message(s): /usr/share/applications/org.gnome.Boxes.desktop: hint: value "GNOME;GTK;System;Development;Emulator;" for key "Categories" in group "Desktop Entry" contains more than one main category; application might appear more than once in the application menu |
|
grafana-11.5.2-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
grafana-11.5.2-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/grafana-11.5.2-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/grafana.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
guacd-1.5.5-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
guestfs-data-0.6-alt3.x86_64 |
missing-url |
info |
Missing Url: in a package. |
|
hivex-1.3.24-alt1.x86_64 |
library-pkgnames |
info |
package contains public library which is used in external packages: name should be lib* according to http://altlinux.org/Drafts/SharedLibs |
|
ignition-2.19.0-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
influxdb-1.12.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/influxdb-1.12.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/influxdb.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
influxdb-1.12.0-alt1.x86_64 |
subdir-in-var-run |
info |
Found a subdir in /var/run or /var/lock. /var/run and /var/lock may be mounted as temporary filesystems, so the init.d scripts must handle this correctly. This will typically amount to creating any required subdirectories dynamically when the init.d script is run, rather than including them in the package and relying on rpm to create them. |
|
installer-distro-alt-server-v-stage2-10.1.0-alt2.noarch |
rpm-filesystem-conflict-file-file |
warn |
Files /usr/share/install2/alterator-menu/module-expert-list /usr/share/install2/alterator-menu/module-order-list /usr/share/install2/installer-steps conflict with the package installer-distro-virtualization-pve-stage2-11.0.0-alt0.4.noarch. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
installer-distro-virtualization-pve-stage2-11.0.0-alt0.4.noarch |
rpm-filesystem-conflict-file-file |
warn |
Files /usr/share/install2/alterator-menu/module-expert-list /usr/share/install2/alterator-menu/module-order-list /usr/share/install2/installer-steps conflict with the package installer-distro-virtualization-one-stage2-11.0.0-alt0.1.noarch. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
iwpmd-57.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/iwpmd-57.0-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/90-iwpmd.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
kapacitor-1.5.9-alt1.x86_64 |
subdir-in-var-run |
info |
Found a subdir in /var/run or /var/lock. /var/run and /var/lock may be mounted as temporary filesystems, so the init.d scripts must handle this correctly. This will typically amount to creating any required subdirectories dynamically when the init.d script is run, rather than including them in the package and relying on rpm to create them. |
|
kea-common-3.0.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/kea-common-3.0.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/kea.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
kea-ctrl-agent-3.0.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kea-dhcp-ddns-3.0.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kea-dhcp4-3.0.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kea-dhcp6-3.0.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kea-doc-3.0.0-alt1.noarch |
big-changelog |
info |
Package contains big ChangeLog. Gzip it. |
|
kmscon-9.0.0-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
knot-3.4.7-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
knot-resolver-6.0.12-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/knot-resolver-6.0.12-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/knot-resolver.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
knot-resolver-6.0.12-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kpartx-0.11.1-alt3.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/kpartx-0.11.1-alt3.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/66-kpartx.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
kubernetes1.23-common-1.23.17-alt4.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/kubernetes1.23-common-1.23.17-alt4.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/kubernetes.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
kubernetes1.23-kubelet-1.23.17-alt4.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.23-master-1.23.17-alt4.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.23-node-1.23.17-alt4.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.24-common-1.24.17-alt3.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/kubernetes1.24-common-1.24.17-alt3.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/kubernetes.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
kubernetes1.24-kubelet-1.24.17-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.24-master-1.24.17-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.24-node-1.24.17-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.25-common-1.25.16-alt3.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/kubernetes1.25-common-1.25.16-alt3.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/kubernetes.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
kubernetes1.25-kubelet-1.25.16-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.25-master-1.25.16-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.25-node-1.25.16-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.26-common-1.26.15-alt3.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/kubernetes1.26-common-1.26.15-alt3.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/kubernetes.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
kubernetes1.26-kubelet-1.26.15-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.26-master-1.26.15-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.26-node-1.26.15-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.27-common-1.27.16-alt3.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/kubernetes1.27-common-1.27.16-alt3.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/kubernetes.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
kubernetes1.27-kubelet-1.27.16-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.27-master-1.27.16-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.27-node-1.27.16-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.28-common-1.28.15-alt3.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/kubernetes1.28-common-1.28.15-alt3.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/kubernetes.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
kubernetes1.28-kubelet-1.28.15-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.28-master-1.28.15-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
kubernetes1.28-node-1.28.15-alt3.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libdevmapper-event-1.02.207-alt1.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libdevmapper-event-lvm2.so but just /usr/lib64/libdevmapper-event-lvm2.so.2.03. According to SharedLibs Policy Draft, symlink /usr/lib64/libdevmapper-event-lvm2.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libdevmapper-event-lvm2.so to \%files of libdevmapper-event-1.02.207-alt1.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
liberasurecode-doc-1.6.5-alt1.x86_64 |
arch-dep-package-consists-of-usr-share |
info |
The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
libgadu-devel-1.12.2-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
libguac-client-kubernetes-1.5.5-alt1.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libguac-client-kubernetes.so but just /usr/lib64/libguac-client-kubernetes.so.0.0.0. According to SharedLibs Policy Draft, symlink /usr/lib64/libguac-client-kubernetes.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libguac-client-kubernetes.so to \%files of libguac-client-kubernetes-1.5.5-alt1.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
libguac-client-rdp-1.5.5-alt1.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libguac-client-rdp.so but just /usr/lib64/libguac-client-rdp.so.0.0.0. According to SharedLibs Policy Draft, symlink /usr/lib64/libguac-client-rdp.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libguac-client-rdp.so to \%files of libguac-client-rdp-1.5.5-alt1.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
libguac-client-ssh-1.5.5-alt1.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libguac-client-ssh.so but just /usr/lib64/libguac-client-ssh.so.0.0.0. According to SharedLibs Policy Draft, symlink /usr/lib64/libguac-client-ssh.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libguac-client-ssh.so to \%files of libguac-client-ssh-1.5.5-alt1.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
libguac-client-telnet-1.5.5-alt1.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libguac-client-telnet.so but just /usr/lib64/libguac-client-telnet.so.0.0.0. According to SharedLibs Policy Draft, symlink /usr/lib64/libguac-client-telnet.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libguac-client-telnet.so to \%files of libguac-client-telnet-1.5.5-alt1.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
libguac-client-vnc-1.5.5-alt1.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libguac-client-vnc.so but just /usr/lib64/libguac-client-vnc.so.0.0.0. According to SharedLibs Policy Draft, symlink /usr/lib64/libguac-client-vnc.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libguac-client-vnc.so to \%files of libguac-client-vnc-1.5.5-alt1.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
libguac-devel-1.5.5-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
libpcsclite-2.3.3-alt2.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libpcsclite_real.so but just /usr/lib64/libpcsclite_real.so.1. According to SharedLibs Policy Draft, symlink /usr/lib64/libpcsclite_real.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libpcsclite_real.so to \%files of libpcsclite-2.3.3-alt2.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
libpcsclite-devel-2.3.3-alt2.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libpcscspy.so but just /usr/lib64/libpcscspy.so.0. According to SharedLibs Policy Draft, symlink /usr/lib64/libpcscspy.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libpcscspy.so to \%files of libpcsclite-devel-2.3.3-alt2.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
libproxy-tools-0.5.9-alt1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/bin/proxy conflicts with the package python3-module-proxy-py-2.4.10-alt1.1.noarch. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives.
ernatives. |
|
libsmi-0.5.0-alt3.x86_64 |
big-changelog |
info |
Package contains big ChangeLog. Gzip it. |
|
libvirt-daemon-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-11.5.0-alt1.x86_64: there is a socket libvirtd-admin.socket but no service libvirtd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-11.5.0-alt1.x86_64: there is a socket libvirtd-ro.socket but no service libvirtd-ro.service. Ask ildar@ why it is not right.
in libvirt-daemon-11.5.0-alt1.x86_64: there is a socket libvirtd-tcp.socket but no service libvirtd-tcp.service. Ask ildar@ why it is not right.
in libvirt-daemon-11.5.0-alt1.x86_64: there is a socket libvirtd-tls.socket but no service libvirtd-tls.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-common-11.5.0-alt1.x86_64 |
init-condrestart |
fail |
/etc/rc.d/init.d/libvirt-guests: missing condrestart target. Note: alt-specific script %_sbindir/post_service (used in %post_service macro) depends on condrestart. It is wise to add condrestart anyway./etc/rc.d/init.d/libvirt-guests: missing condstop target. ERROR: alt-specific script %_sbindir/preun_service (used in your %preun_service macro) depends on condstop. Please, fix. |
|
libvirt-daemon-driver-interface-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-interface-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-interface-11.5.0-alt1.x86_64: there is a socket virtinterfaced-admin.socket but no service virtinterfaced-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-interface-11.5.0-alt1.x86_64: there is a socket virtinterfaced-ro.socket but no service virtinterfaced-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-lxc-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-lxc-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-lxc-11.5.0-alt1.x86_64: there is a socket virtlxcd-admin.socket but no service virtlxcd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-lxc-11.5.0-alt1.x86_64: there is a socket virtlxcd-ro.socket but no service virtlxcd-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-network-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-network-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-network-11.5.0-alt1.x86_64: there is a socket virtnetworkd-admin.socket but no service virtnetworkd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-network-11.5.0-alt1.x86_64: there is a socket virtnetworkd-ro.socket but no service virtnetworkd-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-nodedev-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-nodedev-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-nodedev-11.5.0-alt1.x86_64: there is a socket virtnodedevd-admin.socket but no service virtnodedevd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-nodedev-11.5.0-alt1.x86_64: there is a socket virtnodedevd-ro.socket but no service virtnodedevd-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-nwfilter-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-nwfilter-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-nwfilter-11.5.0-alt1.x86_64: there is a socket virtnwfilterd-admin.socket but no service virtnwfilterd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-nwfilter-11.5.0-alt1.x86_64: there is a socket virtnwfilterd-ro.socket but no service virtnwfilterd-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-qemu-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-qemu-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-qemu-11.5.0-alt1.x86_64: there is a socket virtqemud-admin.socket but no service virtqemud-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-qemu-11.5.0-alt1.x86_64: there is a socket virtqemud-ro.socket but no service virtqemud-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-secret-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-secret-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-secret-11.5.0-alt1.x86_64: there is a socket virtsecretd-admin.socket but no service virtsecretd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-secret-11.5.0-alt1.x86_64: there is a socket virtsecretd-ro.socket but no service virtsecretd-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-storage-core-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-storage-core-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-storage-core-11.5.0-alt1.x86_64: there is a socket virtstoraged-admin.socket but no service virtstoraged-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-storage-core-11.5.0-alt1.x86_64: there is a socket virtstoraged-ro.socket but no service virtstoraged-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-driver-vbox-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-driver-vbox-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-driver-vbox-11.5.0-alt1.x86_64: there is a socket virtvboxd-admin.socket but no service virtvboxd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-driver-vbox-11.5.0-alt1.x86_64: there is a socket virtvboxd-ro.socket but no service virtvboxd-ro.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-lock-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-lock-11.5.0-alt1.x86_64: there is a socket virtlockd-admin.socket but no service virtlockd-admin.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-log-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-log-11.5.0-alt1.x86_64: there is a socket virtlogd-admin.socket but no service virtlogd-admin.service. Ask ildar@ why it is not right. |
|
libvirt-daemon-proxy-11.5.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
libvirt-daemon-proxy-11.5.0-alt1.x86_64 |
systemd-check-socket-name |
experimental |
in libvirt-daemon-proxy-11.5.0-alt1.x86_64: there is a socket virtproxyd-admin.socket but no service virtproxyd-admin.service. Ask ildar@ why it is not right.
in libvirt-daemon-proxy-11.5.0-alt1.x86_64: there is a socket virtproxyd-ro.socket but no service virtproxyd-ro.service. Ask ildar@ why it is not right.
in libvirt-daemon-proxy-11.5.0-alt1.x86_64: there is a socket virtproxyd-tcp.socket but no service virtproxyd-tcp.service. Ask ildar@ why it is not right.
in libvirt-daemon-proxy-11.5.0-alt1.x86_64: there is a socket virtproxyd-tls.socket but no service virtproxyd-tls.service. Ask ildar@ why it is not right. |
|
libvirt-libs-11.5.0-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
linstor-common-1.31.1-alt4.x86_64 |
arch-dep-package-consists-of-usr-share |
info |
The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
linstor-controller-1.31.1-alt4.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
linstor-controller-1.31.1-alt4.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
linstor-satellite-1.31.1-alt4.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
lldpad-1.1.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
loki-3.5.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
lvm2-2.03.33-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/lvm2-2.03.33-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/lvm2.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/x86_64/RPMS/lvm2-2.03.33-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/69-dm-lvm.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
lvm2-cmirrord-2.03.33-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
lvm2-lockd-2.03.33-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
lxc-templates-6.0.4-alt1.noarch |
rpm-filesystem-conflict-file-file |
warn |
Files /usr/share/lxc/templates/lxc-local /usr/share/lxc/templates/lxc-oci conflict with the package pve-lxc-6.0.0-alt2.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
mariadb-11.8.2-alt2.src |
specfile-useradd-n |
warn |
-n in useradd is compat option and can be removed any time. Use -N instead. |
|
mariadb-client-debuginfo-11.8.2-alt2.x86_64 |
rpm-filesystem-conflict-symlink-file |
warn |
symlink /usr/lib/debug/usr/bin/mysqltest.debug is a file in the package MySQL-client-debuginfo-8.0.42-alt2.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives.
.
ives. |
|
mariadb-server-11.8.2-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
There are file conflicts with the package MySQL-client-8.0.42-alt2.x86_64, for example, /usr/share/man/man1/myisam_ftdump.1.xz (4 file conflicts in total). Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
mariadb-server-11.8.2-alt2.x86_64 |
rpm-filesystem-conflict-symlink-file |
warn |
symlink /usr/share/man/man1/mysql_upgrade.1.xz is a file in the package MySQL-client-8.0.42-alt2.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives.
ives.
ives. |
|
mariadb-server-11.8.2-alt2.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/mariadb-server-11.8.2-alt2.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/mariadb.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
mariadb-server-debuginfo-11.8.2-alt2.x86_64 |
rpm-filesystem-conflict-symlink-file |
warn |
symlink /usr/lib/debug/usr/sbin/mysqld.debug is a file in the package MySQL-server-debuginfo-8.0.42-alt2.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives.
ives.
ives. |
|
mariadb-server-galera-11.8.2-alt2.x86_64 |
bin-permissions |
info |
not executable file /usr/bin/wsrep_sst_common |
|
mariadb-server-galera-11.8.2-alt2.x86_64 |
systemd-check-socket-name |
experimental |
in mariadb-server-galera-11.8.2-alt2.x86_64: there is a socket mariadbcheck.socket but no service mariadbcheck.service. Ask ildar@ why it is not right. |
|
mariadb-server-perl-11.8.2-alt2.noarch |
rpm-filesystem-conflict-symlink-file |
warn |
symlink /usr/share/man/man1/mysqldumpslow.1.xz is a file in the package MySQL-client-8.0.42-alt2.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
matchbox-0.11.0-alt1.x86_64 |
rpm-filesystem-conflict-dir-dir |
fail |
directory /etc/matchbox is a directory in package matchbox-window-manager-1.2-alt5.1.x86_64 with different user,group or permissions. You should add explicit conflicts. |
|
matchbox-0.11.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
mdadm-4.4-alt3.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/mdadm: not systemd compatible: lsb init header missing and mdadm.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
mdadm-4.4-alt3.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/mdadm-4.4-alt3.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/01-md-raid-creating.rules /usr/lib/udev/rules.d/63-md-raid-arrays.rules /usr/lib/udev/rules.d/64-md-raid-assembly.rules /usr/lib/udev/rules.d/69-md-clustered-confirm-device.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
mdevctl-1.4.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/mdevctl-1.4.0-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/60-mdevctl.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
memcached-1.6.38-alt1.src |
specfile-useradd-n |
warn |
-n in useradd is compat option and can be removed any time. Use -N instead. |
|
minio-2025.02.07-alt1.src |
specfile-useradd-n |
warn |
-n in useradd is compat option and can be removed any time. Use -N instead. |
|
minio-2025.02.07-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
moosefs-chunkserver-4.57.7-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/moosefs-chunkserver-4.57.7-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/80-moosefs-chunkserver.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
mstflint-4.32.0.1-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
multipath-tools-0.11.1-alt3.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/multipathd: not systemd compatible: lsb init header missing and multipathd.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
multipath-tools-0.11.1-alt3.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/multipath-tools-0.11.1-alt3.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/multipath.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/x86_64/RPMS/multipath-tools-0.11.1-alt3.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/11-dm-mpath.rules /usr/lib/udev/rules.d/11-dm-parts.rules /usr/lib/udev/rules.d/56-multipath.rules /usr/lib/udev/rules.d/68-del-part-nodes.rules /usr/lib/udev/rules.d/99-z-dm-mpath-late.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
net-snmp-clients-5.9.4-alt1.1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
There are file conflicts with the package python3-module-snmpclitools-0.7.2-alt1.noarch, for example, /usr/bin/snmpbulkwalk (6 file conflicts in total). Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
net-snmp-common-5.9.4-alt1.1.noarch |
unsafe-tmp-usage-in-scripts |
fail |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/doc/net-snmp-common-5.9.4/passtest: $ grep /tmp/ /usr/share/doc/net-snmp-common-5.9.4/passtest # Process SET requests by simply logging the assigned value # Note that such "assignments" are not persistent, # nor is the syntax or requested value validated # if [ "$1" = "-s" ]; then echo $* >> /tmp/passtest.log exit 0 fi # # GETNEXT requests - determine next valid instance |
|
net-snmp-snmpd-5.9.4-alt1.1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/net-snmp-snmpd-5.9.4-alt1.1.x86_64.rpm: license not found in '/usr/share/license' directory: BSD-like /ALT/Sisyphus/files/x86_64/RPMS/net-snmp-snmpd-5.9.4-alt1.1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/net-snmp.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
netavark-1.15.2-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
nfs-ganesha-6.5-alt1.x86_64 |
altlinux-policy-shared-lib-contains-devel-so |
info |
SharedLibs Policy Draft violation: Shared Lib package should not contain symlink /usr/lib64/libganesha_nfsd.so but just /usr/lib64/libganesha_nfsd.so.6.5. According to SharedLibs Policy Draft, symlink /usr/lib64/libganesha_nfsd.so should be placed in a special subpackage named lib-devel. If you have already packaged this symlink in lib-devel, just append \%exclude /usr/lib64/libganesha_nfsd.so to \%files of nfs-ganesha-6.5-alt1.x86_64. Otherwise, move the symlink into the subpackage lib-devel. There is a known exception for case the .so file is not a shared lib but a plugin that is never directly linked with. Please report such a case to repocop test. |
|
nfs-ganesha-6.5-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
nmstate-2.1.4-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
open-iscsi-iscsiuio-2.1.10-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
open-vm-tools-13.0.0-alt1.x86_64 |
big-changelog |
info |
Package contains big ChangeLog. Gzip it. |
|
open-vm-tools-13.0.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/open-vm-tools-13.0.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/open-vm-tools-vgauthd.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/x86_64/RPMS/open-vm-tools-13.0.0-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/90-vmware-guest-tools.rules /usr/lib/udev/rules.d/98-open-vm-tools.rules /usr/lib/udev/rules.d/99-vmware-scsi-udev.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
open-vm-tools-13.0.0-alt1.x86_64 |
subdir-in-var-run |
info |
Found a subdir in /var/run or /var/lock. /var/run and /var/lock may be mounted as temporary filesystems, so the init.d scripts must handle this correctly. This will typically amount to creating any required subdirectories dynamically when the init.d script is run, rather than including them in the package and relying on rpm to create them. |
|
open-vm-tools-desktop-13.0.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/open-vm-tools-desktop-13.0.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/open-vm-tools-desktop.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
opennebula-context-6.6.1-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
openuds-actor-3.6.0-alt4.noarch |
freedesktop-categories |
warn |
Menu-related Additional Categories (http://standards.freedesktop.org/menu-spec/latest/apa.html) not found in /usr/share/applications/UDS_Actor_Configuration.desktop. Please add it or report a bug against this test if you already have registered one (not including menu unrelated ones as Core or Qt). |
|
openuds-actor-3.6.0-alt4.noarch |
freedesktop-desktop |
info |
desktop-file-validate utility printed the following message(s): /usr/share/applications/UDS_Actor_Configuration.desktop: hint: value "Settings;System;" for key "Categories" in group "Desktop Entry" contains more than one main category; application might appear more than once in the application menu |
|
openuds-client-3.6.0-alt2.noarch |
freedesktop-categories |
warn |
Menu-related Additional Categories (http://standards.freedesktop.org/menu-spec/latest/apa.html) not found in /usr/share/applications/UDSClient.desktop. Please add it or report a bug against this test if you already have registered one (not including menu unrelated ones as Core or Qt). |
|
openuds-server-3.6.0-alt11.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
openuds-server-nginx-3.6.0-alt11.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/openuds-server-nginx-3.6.0-alt11.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/openuds.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
openuds-server-nginx-3.6.0-alt11.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
openuds-tunnel-3.6.0-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
ovirt-imageio-daemon-2.4.7-alt1.1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
ovirt-vmconsole-host-1.0.9-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
ovirt-vmconsole-proxy-1.0.9-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
ovn-24.03.5-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/ovn-24.03.5-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/ovn.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
ovn-central-24.03.5-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
ovn-host-24.03.5-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
ovn-vtep-24.03.5-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pcsc-lite-2.3.3-alt2.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/pcsc-lite-2.3.3-alt2.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/pcsc-lite.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
pdns-4.9.1-alt1.1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pdns-ixfrdist-4.9.1-alt1.1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pgbouncer-1.24.1-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/pgbouncer: not systemd compatible: lsb init header missing and pgbouncer.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
pgbouncer-1.24.1-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/pgbouncer-1.24.1-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/pgbouncer.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
podman-5.5.1-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/podman-5.5.1-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/podman.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
podman-5.5.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
podman-docker-5.5.1-alt1.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/podman-docker-5.5.1-alt1.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/podman-docker.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
postgresql13-repmgr-5.5.0-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/repmgr: not systemd compatible: lsb init header missing and repmgr.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
postgresql13-repmgr-5.5.0-alt1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
There are file conflicts with the package postgresql17-repmgr-5.5.0-alt1.x86_64, for example, /usr/bin/repmgr (5 file conflicts in total). Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
postgresql13-repmgr-5.5.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/postgresql13-repmgr-5.5.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/repmgr.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
postgresql14-repmgr-5.5.0-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/repmgr: not systemd compatible: lsb init header missing and repmgr.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
postgresql14-repmgr-5.5.0-alt1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
There are file conflicts with the package postgresql17-repmgr-5.5.0-alt1.x86_64, for example, /usr/bin/repmgr (4 file conflicts in total). Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives.
e, consider using alternatives. |
|
postgresql14-repmgr-5.5.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/postgresql14-repmgr-5.5.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/repmgr.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
postgresql15-repmgr-5.5.0-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/repmgr: not systemd compatible: lsb init header missing and repmgr.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
postgresql15-repmgr-5.5.0-alt1.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
Files /usr/bin/repmgr /usr/bin/repmgrd /usr/lib64/pgsql/bitcode/repmgr/repmgr.bc conflict with the package postgresql17-repmgr-5.5.0-alt1.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives.
ider using alternatives. |
|
postgresql15-repmgr-5.5.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/postgresql15-repmgr-5.5.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/repmgr.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
pptpd-1.5.0-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/pptpd: not systemd compatible: lsb init header missing and pptpd.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
prometheus-common-3.4.1-alt1.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/prometheus-common-3.4.1-alt1.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/prometheus.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
promtail-3.5.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
proxmox-backup-server-3.3.3.1-alt5.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/proxmox-backup-server-3.3.3.1-alt5.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/60-proxmox-backup-server.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
proxmox-backup-server-3.3.3.1-alt5.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-acme-1.5.1-alt1.x86_64 |
arch-dep-package-consists-of-usr-share |
info |
The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
pve-backup-restore-image-0.5-alt1.x86_64 |
file-in-usr-marked-as-conffile |
warn |
Files below /usr may not be marked as conffiles, since
/usr might be mounted read-only and thus, the local system
administrator would not have a chance to modify this configuration
file. |
|
pve-backup-restore-image-0.5-alt1.x86_64 |
missing-url |
info |
Missing Url: in a package. |
|
pve-backup-restore-image-0.5-alt1.x86_64 |
rpm-package-is-obsoleted |
warn |
The package is obsoleted by the package proxmox-backup-restore-image-3.3.3.1-alt1.x86_64, but is still alive and in the repository. Consider removing the package, or, if you want the package to be alive, ask the maintainer of proxmox-backup-restore-image-3.3.3.1-alt1.x86_64 to remove Obsoletes: tag. |
|
pve-cluster-8.1.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-container-5.2.6-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-firewall-5.1.1-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/pve-firewall-5.1.1-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/pve-firewall.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
pve-firewall-5.1.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-ha-manager-4.0.6-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-lxc-6.0.0-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
Files /usr/share/lxc/templates/lxc-local /usr/share/lxc/templates/lxc-oci conflict with the package lxc-templates-6.0.4-alt1.noarch. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
pve-lxc-6.0.0-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-manager-8.4.1-alt2.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
pve-manager-8.4.1-alt2.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/pve-manager-8.4.1-alt2.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/pve-manager.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
pve-manager-8.4.1-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-qemu-common-9.2.0-alt5.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
pve-qemu-common-9.2.0-alt5.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/share/qemu/trace-events-all conflicts with the package qemu-tools-9.2.3-alt2.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
pve-qemu-server-8.3.12-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
pve-qemu-system-9.2.0-alt5.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/bin/qemu-vmsr-helper conflicts with the package qemu-vmsr-helper-9.2.3-alt2.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives.
ives.
ves.
explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
pve-storage-8.3.6-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/pve-storage-8.3.6-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/50-rbd-pve.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
qemu-common-9.2.3-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
Files /usr/libexec/qemu-bridge-helper /usr/share/man/man1/qemu.1.xz conflict with the package pve-qemu-system-9.2.0-alt5.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
qemu-device-display-vhost-user-gpu-9.2.3-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/libexec/vhost-user-gpu conflicts with the package pve-qemu-system-9.2.0-alt5.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
qemu-guest-agent-9.2.3-alt2.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/qemu-guest-agent-9.2.3-alt2.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/90-qemu-guest-agent.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
qemu-img-9.2.3-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
Files /usr/bin/qemu-storage-daemon /usr/share/man/man1/qemu-storage-daemon.1.xz /usr/share/man/man7/qemu-storage-daemon-qmp-ref.7.xz conflict with the package pve-qemu-system-9.2.0-alt5.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
qemu-pr-helper-9.2.3-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
qemu-system-aarch64-core-9.2.3-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/bin/qemu-system-aarch64 conflicts with the package pve-qemu-system-9.2.0-alt5.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
qemu-system-ppc-core-9.2.3-alt2.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
qemu-system-x86-core-9.2.3-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/bin/qemu-system-x86_64 conflicts with the package pve-qemu-system-9.2.0-alt5.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
qemu-tools-9.2.3-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/share/qemu/trace-events-all conflicts with the package pve-qemu-common-9.2.0-alt5.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
qemu-vmsr-helper-9.2.3-alt2.x86_64 |
rpm-filesystem-conflict-file-file |
warn |
File /usr/bin/qemu-vmsr-helper conflicts with the package pve-qemu-system-9.2.0-alt5.x86_64. Moreover, the packages have no explicit conflicts with each other. You should add explicit conflicts, or, if conflicts are avoidable, consider using alternatives. |
|
qemu-vmsr-helper-9.2.3-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
rdma-core-57.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/rdma-core-57.0-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/60-rdma-ndd.rules /usr/lib/udev/rules.d/60-rdma-persistent-naming.rules /usr/lib/udev/rules.d/75-rdma-description.rules /usr/lib/udev/rules.d/90-rdma-hw-modules.rules /usr/lib/udev/rules.d/90-rdma-ulp-modules.rules /usr/lib/udev/rules.d/90-rdma-umad.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
remmina-1.4.40-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
remmina-1.4.40-alt1.x86_64 |
freedesktop-categories |
warn |
Menu-related Additional Categories (http://standards.freedesktop.org/menu-spec/latest/apa.html) not found in /usr/share/applications/org.remmina.Remmina.desktop. Please add it or report a bug against this test if you already have registered one (not including menu unrelated ones as Core or Qt). |
|
resource-agents-4.16.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/resource-agents-4.16.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/resource-agents.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
resource-agents-4.16.0-alt1.x86_64 |
unsafe-tmp-usage-in-scripts |
fail |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/ocf/resource.d/heartbeat/rabbitmq-server-ha: $ grep /tmp/ /usr/lib/ocf/resource.d/heartbeat/rabbitmq-server-ha The debug flag for agent (${OCF_RESKEY_binary}) instance. In the /tmp/ directory will be created rmq-* files for log some operations and ENV values inside OCF-script. AMQP server (${OCF_RESKEY_binary}) debug flag local rc=$OCF_ERR_GENERIC local LH="${LL} monitor:" ocf_log debug "${LH} action start." if ocf_is_true "${OCF_RESKEY_debug}"; then d=`date '+%Y%m%d %H:%M:%S'` echo $d >> /tmp/rmq-monitor.log env >> /tmp/rmq-monitor.log echo "$d [monitor] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi get_monitor rc=$? ocf_log debug "${LH} role: ${OCF_RESKEY_CRM_meta_role}" ocf_log debug "${LH} result: $rc" -- local LH="${LL} start:" local nowtime if ocf_is_true "${OCF_RESKEY_debug}"; then d=`date '+%Y%m%d %H:%M:%S'` echo $d >> /tmp/rmq-start.log env >> /tmp/rmq-start.log echo "$d [start] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi ocf_log info "${LH} action begin." get_status -- local rc=$OCF_ERR_GENERIC local LH="${LL} stop:" if ocf_is_true "${OCF_RESKEY_debug}"; then d=$(date '+%Y%m%d %H:%M:%S') echo $d >> /tmp/rmq-stop.log env >> /tmp/rmq-stop.log echo "$d [stop] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi ocf_log info "${LH} action begin." ocf_log info "${LH} Deleting master attribute" -- local LH="${LL} notify:" local nodelist if ocf_is_true "${OCF_RESKEY_debug}"; then d=`date '+%Y%m%d %H:%M:%S'` echo $d >> /tmp/rmq-notify.log env >> /tmp/rmq-notify.log echo "$d [notify] ${OCF_RESKEY_CRM_meta_notify_type}-${OCF_RESKEY_CRM_meta_notify_operation} promote='${OCF_RESKEY_CRM_meta_notify_promote_uname}' demote='${OCF_RESKEY_CRM_meta_notify_demote_uname}' master='${OCF_RESKEY_CRM_meta_notify_master_uname}' slave='${OCF_RESKEY_CRM_meta_notify_slave_uname}' start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi if [ "${OCF_RESKEY_CRM_meta_notify_type}" = 'post' ] ; then # POST- anything notify section case "$OCF_RESKEY_CRM_meta_notify_operation" in -- local rc=$OCF_ERR_GENERIC local LH="${LL} promote:" if ocf_is_true "${OCF_RESKEY_debug}"; then d=$(date '+%Y%m%d %H:%M:%S') echo $d >> /tmp/rmq-promote.log env >> /tmp/rmq-promote.log echo "$d [promote] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi ocf_log info "${LH} action begin." get_monitor |
|
rsyslog-8.2502.0-alt3.x86_64 |
big-changelog |
info |
Package contains big ChangeLog. Gzip it. |
|
rygel-0.44.2-alt1.x86_64 |
freedesktop-categories |
warn |
Menu-related Additional Categories (http://standards.freedesktop.org/menu-spec/latest/apa.html) not found in /usr/share/applications/rygel-preferences.desktop. Please add it or report a bug against this test if you already have registered one (not including menu unrelated ones as Core or Qt). |
|
sanlock-3.9.5-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/sanlock-3.9.5-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/sanlock.conf /usr/lib/tmpfiles.d/wdmd.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
shorewall6-5.2.8-alt2.noarch |
uncompressed-manpages |
info |
Package contains uncompressed manual pages. |
|
snapd-2.66.1-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/snapd-2.66.1-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/snapd.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
snapd-2.66.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
spice-vdagent-0.22.1-alt2.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/spice-vdagent-0.22.1-alt2.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/spice-vdagentd.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/x86_64/RPMS/spice-vdagent-0.22.1-alt2.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/70-spice-vdagentd.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
squid-7.0.2-alt1.x86_64 |
init-lsb |
fail |
/etc/rc.d/init.d/squid: not systemd compatible: lsb init header missing and squid.service is not present. See http://www.altlinux.org/Services_Policy for details. |
|
squid-7.0.2-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/squid-7.0.2-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/squid.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
squid-7.0.2-alt1.x86_64 |
subdir-in-var-run |
info |
Found a subdir in /var/run or /var/lock. /var/run and /var/lock may be mounted as temporary filesystems, so the init.d scripts must handle this correctly. This will typically amount to creating any required subdirectories dynamically when the init.d script is run, rather than including them in the package and relying on rpm to create them. |
|
squid-doc-7.0.2-alt1.noarch |
big-changelog |
info |
Package contains big ChangeLog. Gzip it. |
|
srp_daemon-57.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/srp_daemon-57.0-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/60-srp_daemon.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
systemd-257.7-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/systemd-257.7-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/20-systemd-shell-extra.conf /usr/lib/tmpfiles.d/20-systemd-ssh-generator.conf /usr/lib/tmpfiles.d/20-systemd-stub.conf /usr/lib/tmpfiles.d/20-systemd-userdb.conf /usr/lib/tmpfiles.d/README /usr/lib/tmpfiles.d/credstore.conf /usr/lib/tmpfiles.d/journal-nocow.conf /usr/lib/tmpfiles.d/provision.conf /usr/lib/tmpfiles.d/systemd-nologin.conf /usr/lib/tmpfiles.d/systemd-pstore.conf /usr/lib/tmpfiles.d/systemd-tmp.conf /usr/lib/tmpfiles.d/systemd.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/x86_64/RPMS/systemd-257.7-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/70-uaccess.rules /usr/lib/udev/rules.d/71-seat.rules /usr/lib/udev/rules.d/73-seat-late.rules /usr/lib/udev/rules.d/90-vconsole.rules /usr/lib/udev/rules.d/99-systemd.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
systemd-container-257.7-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/systemd-container-257.7-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/systemd-nspawn.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
systemd-networkd-257.7-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/systemd-networkd-257.7-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/systemd-network.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
systemd-portable-257.7-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/systemd-portable-257.7-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/portables.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
systemd-stateless-257.7-alt1.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/systemd-stateless-257.7-alt1.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/etc.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
systemd-tests-257.7-alt1.x86_64 |
unsafe-tmp-usage-in-scripts |
fail |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/systemd/tests/testdata/units/TEST-87-AUX-UTILS-VM.modules-load.sh: $ grep /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-87-AUX-UTILS-VM.modules-load.sh "$MODULES_LOAD_BIN" # Explicit config file modprobe dummy printf "dummy" >"$CONFIG_FILE" "$MODULES_LOAD_BIN" "$CONFIG_FILE" |& tee /tmp/out.log grep "Inserted module .*dummy" /tmp/out.log # Implicit config file modprobe dummy printf "dummy" >"$CONFIG_FILE" "$MODULES_LOAD_BIN" |& tee /tmp/out.log grep "Inserted module .*dummy" /tmp/out.log # Valid & invalid data mixed together modprobe dummy cat >"$CONFIG_FILE" </tmp/core.redirected test -s /tmp/core.redirected coredumpctl dump -o /tmp/core.output "${CORE_TEST_BIN##*/}" test -s /tmp/core.output rm -f /tmp/core.{output,redirected} # Unprivileged stuff # Related issue: https://github.com/systemd/systemd/issues/26912 UNPRIV_CMD=(systemd-run --user --wait --pipe -M "testuser@.host" --) # Trigger a couple of coredumps as an unprivileged user -- "${UNPRIV_CMD[@]}" coredumpctl info "$CORE_TEST_UNPRIV_BIN" "${UNPRIV_CMD[@]}" coredumpctl info "${CORE_TEST_UNPRIV_BIN##*/}" (! "${UNPRIV_CMD[@]}" coredumpctl info --all "$CORE_TEST_BIN") (! "${UNPRIV_CMD[@]}" coredumpctl info --all "${CORE_TEST_BIN##*/}") # We should have a couple of externally stored coredumps "${UNPRIV_CMD[@]}" coredumpctl --field=COREDUMP_FILENAME | tee /tmp/coredumpctl.out grep "/var/lib/systemd/coredump/core" /tmp/coredumpctl.out rm -f /tmp/coredumpctl.out "${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true "$CORE_TEST_UNPRIV_BIN" "${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true --debugger-arguments="-this --does --not 'do anything' -a -t --all" "${CORE_TEST_UNPRIV_BIN##*/}" "${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_UNPRIV_BIN" >/tmp/core.redirected test -s /tmp/core.redirected "${UNPRIV_CMD[@]}" coredumpctl dump -o /tmp/core.output "${CORE_TEST_UNPRIV_BIN##*/}" test -s /tmp/core.output rm -f /tmp/core.{output,redirected} (! "${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_BIN" >/dev/null) # --backtrace mode # Pass one of the existing journal coredump records to systemd-coredump. # Use our PID as the source to be able to create a PIDFD and to make matching easier. Found error in /usr/lib/systemd/tests/testdata/units/TEST-87-AUX-UTILS-VM.bootctl.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-87-AUX-UTILS-VM.bootctl.sh return 0 ) testcase_bootctl_image() { IMAGE_DIR="$(mktemp --directory /tmp/test-bootctl.XXXXXXXXXX)" trap cleanup_image RETURN truncate -s 256m "${IMAGE_DIR}/image" cat >"${IMAGE_DIR}/partscript" </dev/null; then echo "mkfs.btrfs not found, skipping." return 0 fi IMAGE_DIR="$(mktemp --directory /tmp/test-bootctl.XXXXXXXXXX)" trap cleanup_raid RETURN truncate -s 256m "${IMAGE_DIR}/image1" truncate -s 256m "${IMAGE_DIR}/image2" -- SYSTEMD_LOG_TARGET=console varlinkctl call --json=short /run/systemd/io.systemd.BootControl io.systemd.BootControl.SetRebootToFirmware '{"state":true}' --graceful=io.systemd.BootControl.RebootToFirmwareNotSupported SYSTEMD_LOG_TARGET=console varlinkctl call --json=short /run/systemd/io.systemd.BootControl io.systemd.BootControl.SetRebootToFirmware '{"state":false}' --graceful=io.systemd.BootControl.RebootToFirmwareNotSupported } testcase_bootctl_secure_boot_auto_enroll() { cat >/tmp/openssl.conf </tmp/nextroot-lower/lower # Copy os-release away, so that we can manipulate it and check that it is updated in the propagate # directory across soft reboots. Try to cover corner cases by truncating it. mkdir -p /tmp/nextroot-lower/etc grep ID /etc/os-release >/tmp/nextroot-lower/etc/os-release echo MARKER=1 >>/tmp/nextroot-lower/etc/os-release cmp /etc/os-release /run/systemd/propagate/.os-release-stage/os-release (! grep -q MARKER=1 /etc/os-release) mount -t overlay nextroot /run/nextroot -o lowerdir=/tmp/nextroot-lower:/,ro # Bind our current root into the target so that we later can return to it mount --bind / /run/nextroot/original-root # Restart the unit that is not supposed to survive -- systemd-run --collect --service-type=exec -p DefaultDependencies=no -p IgnoreOnIsolate=yes -p SetCredential=gone:hoge --unit=TEST-82-SOFTREBOOT-nosurvive.service sleep infinity # Ensure that the unit doesn't get deactivated by dependencies on the source file. Given it's a verity # image that is already open, even if the tmpfs with the image goes away, the file will be pinned by the # kernel and will keep working. cp /usr/share/minimal_0.* /tmp/ # Configure these transient units to survive the soft reboot - they will not conflict with shutdown.target # and it will be ignored on the isolate that happens in the next boot. The first will use argv[0][0] = # '@', and the second will use SurviveFinalKillSignal=yes. Both should survive. # By writing to stdout, which is connected to the journal, we also ensure logging doesn't break across -- --property SetCredential=preserve:yay \ "$survive_argv" # shellcheck disable=SC2016 systemd-run --service-type=exec --unit=TEST-82-SOFTREBOOT-survive.service \ --property TemporaryFileSystem="/run /tmp /var" \ --property RootImage=/tmp/minimal_0.raw \ --property SurviveFinalKillSignal=yes \ --property IgnoreOnIsolate=yes \ --property DefaultDependencies=no \ --property After=basic.target \ --property "Conflicts=reboot.target kexec.target poweroff.target halt.target emergency.target rescue.target" \ Found error in /usr/lib/systemd/tests/testdata/units/TEST-81-GENERATORS.system-update-generator.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-81-GENERATORS.system-update-generator.sh # shellcheck source=test/units/generator-utils.sh . "$(dirname "$0")/generator-utils.sh" GENERATOR_BIN="/usr/lib/systemd/system-generators/systemd-system-update-generator" OUT_DIR="$(mktemp -d /tmp/system-update-generator-generator.XXX)" at_exit() { rm -frv "${OUT_DIR:?}" /system-update } -- link_endswith "$OUT_DIR/early/default.target" "/lib/systemd/system/system-update.target" : "system-update-generator: kernel cmdline warnings" # We should warn if the default target is overridden on the kernel cmdline # by a runlevel or systemd.unit=, but still generate the symlink SYSTEMD_PROC_CMDLINE="systemd.unit=foo.bar 3" run_and_list "$GENERATOR_BIN" "$OUT_DIR" |& tee /tmp/system-update-generator.log link_endswith "$OUT_DIR/early/default.target" "/lib/systemd/system/system-update.target" grep -qE "Offline system update overridden .* systemd.unit=" /tmp/system-update-generator.log grep -qE "Offline system update overridden .* runlevel" /tmp/system-update-generator.log Found error in /usr/lib/systemd/tests/testdata/units/TEST-81-GENERATORS.getty-generator.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-81-GENERATORS.getty-generator.sh # shellcheck source=test/units/generator-utils.sh . "$(dirname "$0")/generator-utils.sh" GENERATOR_BIN="/usr/lib/systemd/system-generators/systemd-getty-generator" OUT_DIR="$(mktemp -d /tmp/getty-generator.XXX)" at_exit() { rm -frv "${OUT_DIR:?}" } -- done # Sneak in one "not-a-tty" console touch /dev/notatty99 # Temporarily replace /sys/class/tty/console/active with our list of dummy # consoles so getty-generator can process them echo -ne "${DUMMY_ACTIVE_CONSOLES[@]}" /dev/notatty99 >/tmp/dummy-active-consoles mount -v --bind /tmp/dummy-active-consoles /sys/class/tty/console/active : "getty-generator: no arguments" # Sneak in an invalid value for $SYSTEMD_GETTY_AUTO to test things out PID1_ENVIRON="SYSTEMD_GETTY_AUTO=foo" run_and_list "$GENERATOR_BIN" "$OUT_DIR" for console in "${DUMMY_ACTIVE_CONSOLES[@]}"; do Found error in /usr/lib/systemd/tests/testdata/units/TEST-80-NOTIFYACCESS.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-80-NOTIFYACCESS.sh set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh mkfifo /tmp/syncfifo1 /tmp/syncfifo2 sync_in() { read -r x < /tmp/syncfifo1 test "$x" = "$1" } sync_out() { echo "$1" > /tmp/syncfifo2 } export SYSTEMD_LOG_LEVEL=debug # Test NotifyAccess= override through sd_notify() -- assert_eq "$(systemctl show notify.service -p NotifyAccess --value)" "none" systemctl stop notify.service assert_eq "$(systemctl show notify.service -p NotifyAccess --value)" "all" rm /tmp/syncfifo1 /tmp/syncfifo2 # Explicitly test busctl's BUSERROR= reporting and systemctl status should show it (! systemd-run --wait --unit="TEST-80-BUSERROR.service" -p NotifyAccess=main busctl introspect org.freedesktop.systemd1 /bogus/001) assert_eq "$(systemctl show TEST-80-BUSERROR.service -P StatusBusError)" "org.freedesktop.DBus.Error.UnknownObject" assert_in "D-Bus: org.freedesktop.DBus.Error.UnknownObject" "$(systemctl status TEST-80-BUSERROR.service)" # Now test basic fdstore behaviour MYSCRIPT="/tmp/myscript$RANDOM.sh" cat >> "$MYSCRIPT" <<'EOF' #!/usr/bin/env bash set -eux set -o pipefail test "$FDSTORE" -eq 7 N="/tmp/$RANDOM" echo $RANDOM > "$N" systemd-notify --fd=4 --fdname=quux --pid=parent 4< "$N" rm "$N" systemd-notify --ready exec sleep infinity -- MYUNIT="myunit$RANDOM.service" systemd-run -u "$MYUNIT" -p Type=notify -p FileDescriptorStoreMax=7 "$MYSCRIPT" test "$(systemd-analyze fdstore "$MYUNIT" | wc -l)" -eq 2 systemd-analyze fdstore "$MYUNIT" --json=short systemd-analyze fdstore "$MYUNIT" --json=short | grep -P -q '\[{"fdname":"quux","type":.*,"devno":\[.*\],"inode":.*,"rdevno":null,"path":"/tmp/.*","flags":"ro"}\]' systemctl stop "$MYUNIT" rm "$MYSCRIPT" systemd-analyze log-level debug Found error in /usr/lib/systemd/tests/testdata/units/TEST-76-SYSCTL.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-76-SYSCTL.sh # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh export SYSTEMD_LOG_LEVEL=debug echo "foo.bar=42" >/tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl /tmp/foo.conf assert_rc 1 /usr/lib/systemd/systemd-sysctl --strict /tmp/foo.conf echo "-foo.foo=42" >/tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl /tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl --strict /tmp/foo.conf if ! systemd-detect-virt --quiet --container; then ip link add hoge type dummy udevadm wait /sys/class/net/hoge cat >/tmp/foo.conf </proc/sys/net/ipv4/conf/hoge/drop_gratuitous_arp echo 0 >/proc/sys/net/ipv4/conf/hoge/bootp_relay echo 0 >/proc/sys/net/ipv4/conf/hoge/disable_policy assert_rc 0 /usr/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/hoge /tmp/foo.conf assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/drop_gratuitous_arp)" "1" assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/bootp_relay)" "1" assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/disable_policy)" "0" fi Found error in /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.socket.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.socket.sh systemctl daemon-reload systemctl start per-source-limit.socket systemctl status per-source-limit.socket # So these two should take up the first two connection slots socat -U - UNIX-CONNECT:/run/per-source-limit.sk | tee /tmp/foo.conn1 & J1="$!" socat -U - UNIX-CONNECT:/run/per-source-limit.sk | tee /tmp/foo.conn2 & J2="$!" waitfor() { local file="${1:?}" -- echo >&2 "Timeout while waiting for the expected output" return 1 } # Wait until the word "waldo" shows in the output files waitfor /tmp/foo.conn1 waitfor /tmp/foo.conn2 # The next connection should fail, because the limit is hit socat -U - UNIX-CONNECT:/run/per-source-limit.sk | tee /tmp/foo.conn3 & J3="$!" # But this one should work, because done under a different UID setpriv --reuid=1 socat -U - UNIX-CONNECT:/run/per-source-limit.sk | tee /tmp/foo.conn4 & J4="$!" waitfor /tmp/foo.conn4 # The third job should fail quickly, wait for it wait "$J3" # The other jobs will hang forever, since we run "sleep infinity" on the server side. Let's kill the jobs now. kill "$J1" kill "$J2" kill "$J4" # The 3rd connection should not have seen "waldo", since it should have been refused too early (! grep -q "waldo" /tmp/foo.conn3 ) Found error in /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.sbsign.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.sbsign.sh if [[ ! -d /usr/lib/systemd/boot/efi ]]; then echo "systemd-boot is not installed, skipping." exit 0 fi cat >/tmp/openssl.conf </dev/null; then echo "sbverify not found, skipping." exit 0 fi SD_BOOT="$(find /usr/lib/systemd/boot/efi/ -name "systemd-boot*.efi" | head -n1)" (! sbverify --cert /tmp/sb.crt "$SD_BOOT") /usr/lib/systemd/systemd-sbsign sign --certificate /tmp/sb.crt --private-key /tmp/sb.key --output /tmp/sdboot "$SD_BOOT" sbverify --cert /tmp/sb.crt /tmp/sdboot # Make sure appending signatures to an existing certificate table works as well. /usr/lib/systemd/systemd-sbsign sign --certificate /tmp/sb.crt --private-key /tmp/sb.key --output /tmp/sdboot /tmp/sdboot sbverify --cert /tmp/sb.crt /tmp/sdboot } run_testcases Found error in /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.keyutil.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.keyutil.sh if ! command -v /usr/lib/systemd/systemd-keyutil >/dev/null; then echo "systemd-keyutil not found, skipping." exit 0 fi cat >/tmp/openssl.conf </tmp/borked set +e SYSTEMD_MEASURE_LOG_USERSPACE=/tmp/borked "$SD_PCRLOCK" cel --no-pager --json=pretty ret=$? set -e # If it crashes the exit code will be 149 test $ret -eq 1 -- PIN=huhu "$SD_PCRLOCK" make-policy --pcr="$PCRS" --recovery-pin=query # Repeat immediately (this call will have to reuse the nvindex, rather than create it) "$SD_PCRLOCK" make-policy --pcr="$PCRS" "$SD_PCRLOCK" make-policy --pcr="$PCRS" --force img="/tmp/pcrlock.img" truncate -s 20M "$img" echo -n hoho >/tmp/pcrlockpwd chmod 0600 /tmp/pcrlockpwd cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/pcrlockpwd systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2-pcrlock=/var/lib/systemd/pcrlock.json --tpm2-public-key= --wipe-slot=tpm2 "$img" systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless systemd-cryptsetup detach pcrlock # Ensure systemd-pcrlock not crashing on empty variant directory mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d -- openssl rsa -pubout -in "$img".private.pem -out "$img".public.pem systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --tpm2-pcrlock=/var/lib/systemd/pcrlock.json --tpm2-public-key="$img".public.pem --wipe-slot=tpm2 "$img" "$SD_MEASURE" sign --current --bank=sha256 --private-key="$img".private.pem --public-key="$img".public.pem --phase=: | tee "$img".pcrsign SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach pcrlock "$img" - "tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,tpm2-signature=$img.pcrsign,headless" systemd-cryptsetup detach pcrlock systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2-pcrlock=/var/lib/systemd/pcrlock.json --tpm2-public-key= --wipe-slot=tpm2 "$img" rm "$img".public.pem "$img".private.pem "$img".pcrsign # Now use the root fs support, i.e. make the tool write a copy of the pcrlock # file as service credential to some temporary dir and remove the local copy, so that # it has to use the credential version. mkdir /tmp/fakexbootldr SYSTEMD_XBOOTLDR_PATH=/tmp/fakexbootldr SYSTEMD_RELAX_XBOOTLDR_CHECKS=1 "$SD_PCRLOCK" make-policy --pcr="$PCRS" --force mv /var/lib/systemd/pcrlock.json /var/lib/systemd/pcrlock.json.gone ls -al /tmp/fakexbootldr/loader/credentials CREDENTIAL_FILE="$(echo /tmp/fakexbootldr/loader/credentials/pcrlock.*.cred)" test -f "$CREDENTIAL_FILE" # Strip dir and .cred suffix from file name. CREDENTIAL_NAME=${CREDENTIAL_FILE#/tmp/fakexbootldr/loader/credentials/} CREDENTIAL_NAME=${CREDENTIAL_NAME%.cred} systemd-creds decrypt --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE" ln -s "$CREDENTIAL_FILE" /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME" test -f /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME" SYSTEMD_ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY=/tmp/fakexbootldr/loader/credentials systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,headless systemd-cryptsetup detach pcrlock mv /var/lib/systemd/pcrlock.json.gone /var/lib/systemd/pcrlock.json SYSTEMD_XBOOTLDR_PATH=/tmp/fakexbootldr SYSTEMD_RELAX_XBOOTLDR_CHECKS=1 "$SD_PCRLOCK" remove-policy "$SD_PCRLOCK" unlock-firmware-config "$SD_PCRLOCK" unlock-gpt "$SD_PCRLOCK" unlock-machine-id "$SD_PCRLOCK" unlock-file-system -- varlinkctl call /run/systemd/io.systemd.PCRLock io.systemd.PCRLock.RemovePolicy '{}' varlinkctl call /run/systemd/io.systemd.PCRLock io.systemd.PCRLock.MakePolicy '{}' varlinkctl call --collect --json=pretty /run/systemd/io.systemd.PCRLock io.systemd.PCRLock.ReadEventLog '{}' rm "$img" /tmp/pcrlockpwd # For issue #35746 for _ in {0..10}; do run0 /usr/lib/systemd/systemd-pcrlock done Found error in /usr/lib/systemd/tests/testdata/units/TEST-70-TPM2.measure.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-70-TPM2.measure.sh if [[ ! -x "${SD_MEASURE:?}" ]]; then echo "$SD_MEASURE not found, skipping the test" exit 0 fi IMAGE="$(mktemp /tmp/systemd-measure-XXX.image)" echo HALLO >/tmp/tpmdata1 echo foobar >/tmp/tpmdata2 cat >/tmp/result </tmp/result.json </tmp/result </tmp/result.json </dev/null; then MEASURE_BANKS+=("--bank=sha1") fi # Sign current PCR state with it "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig" dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64 systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem" systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata # Invalidate PCR, decrypting should fail now tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000 (! systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" >/dev/null) # Sign new PCR state, decrypting should work now. "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig2" systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata # Now, do the same, but with a cryptsetup binding truncate -s 20M "$IMAGE" cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase # Ensure that an unrelated signature, when not requested, is not used touch /run/systemd/tpm2-pcr-signature.json systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" "$IMAGE" # Reset and use the signature now rm -f /run/systemd/tpm2-pcr-signature.json systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature="/tmp/pcrsign.sig2" "$IMAGE" # Check if we can activate that (without the token module stuff) SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup detach test-volume2 # Check if we can activate that (and a second time with the token module stuff enabled) SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup detach test-volume2 # After extending the PCR things should fail tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000 (! SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1) (! SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1) # But once we sign the current PCRs, we should be able to unlock again "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig3" SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 systemd-cryptsetup detach test-volume2 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 systemd-cryptsetup detach test-volume2 # Test --append mode and de-duplication. With the same parameters signing should not add a new entry "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: --append="/tmp/pcrsign.sig3" >"/tmp/pcrsign.sig4" cmp "/tmp/pcrsign.sig3" "/tmp/pcrsign.sig4" # Sign one more phase, this should "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=quux:waldo --append="/tmp/pcrsign.sig4" >"/tmp/pcrsign.sig5" (! cmp "/tmp/pcrsign.sig4" "/tmp/pcrsign.sig5") # Should still be good to unlock, given the old entry still exists SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig5",headless=1 systemd-cryptsetup detach test-volume2 # Adding both signatures once more should not change anything, due to the deduplication "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: --append="/tmp/pcrsign.sig5" >"/tmp/pcrsign.sig6" "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=quux:waldo --append="/tmp/pcrsign.sig6" >"/tmp/pcrsign.sig7" cmp "/tmp/pcrsign.sig5" "/tmp/pcrsign.sig7" rm -f "$IMAGE" Found error in /usr/lib/systemd/tests/testdata/units/TEST-70-TPM2.cryptsetup.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-70-TPM2.cryptsetup.sh } trap at_exit EXIT # Prepare a fresh disk image IMAGE="$(mktemp /tmp/systemd-cryptsetup-XXX.IMAGE)" truncate -s 20M "$IMAGE" echo -n passphrase >/tmp/passphrase # Change file mode to avoid "/tmp/passphrase has 0644 mode that is too permissive" messages chmod 0600 /tmp/passphrase cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase # Unlocking via keyfile systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto "$IMAGE" # Enroll unlock with default PCR policy PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto "$IMAGE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume -- systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume # Now the interesting part, enrolling using a hash value that doesn't match the current PCR value systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12 CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12) EXPECTED_PCR_VALUE=$(cat /tmp/pcr.dat /tmp/pcr.dat | openssl dgst -sha256 -r | cut -d ' ' -f 1) PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$IMAGE" (! systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1) tpm2_pcrextend "12:sha256=$CURRENT_PCR_VALUE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume # enroll TPM using device key instead of direct access, then verify unlock using TPM tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12 CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12) tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub systemd-analyze srk > /tmp/srk2.pub cmp /tmp/srk.pub /tmp/srk2.pub if [ -f /run/systemd/tpm2-srk-public-key.tpm2b_public ] ; then cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public fi # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS if openssl_supports_kdf SSKDF; then PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume fi rm -f /tmp/pcr.dat /tmp/srk.pub fi # Use default (0) seal key handle systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0 "$IMAGE" -- (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x02000001 "$IMAGE") # HMAC/loaded session (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x03000001 "$IMAGE") # Policy/saved session (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x40000001 "$IMAGE") # Permanent # Use non-SRK persistent seal key handle (by creating/persisting new key) PRIMARY=/tmp/primary.ctx tpm2_createprimary -c "$PRIMARY" PERSISTENT_LINE=$(tpm2_evictcontrol -c "$PRIMARY" | grep persistent-handle) PERSISTENT_HANDLE="0x${PERSISTENT_LINE##*0x}" tpm2_flushcontext -t -- systemd-cryptsetup detach test-volume # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS if openssl_supports_kdf SSKDF; then # Make sure that --tpm2-device-key= also works with systemd-repart tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub mkdir /tmp/dditest cat > /tmp/dditest/50-root.conf </tmp/cryptenroll.out systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out )} # There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it if [[ "$(uname -m)" == "ppc64le" ]]; then echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716" exit 0 fi export SYSTEMD_LOG_LEVEL=debug IMAGE="$(mktemp /tmp/systemd-cryptenroll-XXX.image)" truncate -s 20M "$IMAGE" echo -n password >/tmp/password # Change file mode to avoid "/tmp/password has 0644 mode that is too permissive" messages chmod 0600 /tmp/password cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/password # Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff systemd-cryptenroll --unlock-key-file=/tmp/password --tpm2-device=auto "$IMAGE" NEWPASSWORD="" systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE" NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE" for _ in {0..9}; do systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE" done PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$IMAGE" # Do some basic checks before we start wiping stuff systemd-cryptenroll "$IMAGE" systemd-cryptenroll "$IMAGE" | grep password -- (! systemd-cryptenroll "$IMAGE" | grep recovery) # We shouldn't be able to wipe all keyslots without enrolling a new key first (! systemd-cryptenroll "$IMAGE" --wipe=all) PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --password --wipe=all # Check if the newly (and only) enrolled password works (! systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE") (! PASSWORD="" systemd-cryptenroll --recovery-key "$IMAGE") PASSWORD=foo systemd-cryptenroll --recovery-key "$IMAGE" systemd-cryptenroll --fido2-with-client-pin=false "$IMAGE" systemd-cryptenroll --fido2-with-user-presence=false "$IMAGE" -- # Change PIN on TPM2 enrollment PIN=1234 NEWPIN=4321 systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --tpm2-with-pin=yes "$IMAGE" PIN=4321 systemd-cryptenroll --unlock-tpm2-device=auto --recovery-key "$IMAGE" (! systemd-cryptenroll --fido2-with-client-pin=false) (! systemd-cryptenroll --fido2-with-user-presence=f "$IMAGE" /tmp/foo) (! systemd-cryptenroll --fido2-with-client-pin=1234 "$IMAGE") (! systemd-cryptenroll --fido2-with-user-presence=1234 "$IMAGE") (! systemd-cryptenroll --fido2-with-user-verification=1234 "$IMAGE") (! systemd-cryptenroll --tpm2-with-pin=1234 "$IMAGE") (! systemd-cryptenroll --recovery-key --password "$IMAGE") (! systemd-cryptenroll --password --recovery-key "$IMAGE") (! systemd-cryptenroll --password --fido2-device=auto "$IMAGE") (! systemd-cryptenroll --password --pkcs11-token-uri=auto "$IMAGE") (! systemd-cryptenroll --password --tpm2-device=auto "$IMAGE") (! systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto "$IMAGE") (! systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock "$IMAGE") (! systemd-cryptenroll --fido2-credential-algorithm=es512 "$IMAGE") (! systemd-cryptenroll --tpm2-public-key-pcrs=key "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=key "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=44+8 "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=hello "$IMAGE") Found error in /usr/lib/systemd/tests/testdata/units/TEST-70-TPM2.creds.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-70-TPM2.creds.sh set -o pipefail export SYSTEMD_LOG_LEVEL=debug # Ensure that sandboxing doesn't stop creds from being accessible echo "test" > /tmp/testdata systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2 # LoadCredentialEncrypted systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata # SetCredentialEncrypted systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata rm -f /tmp/testdata Found error in /usr/lib/systemd/tests/testdata/units/TEST-68-PROPAGATE-EXIT-STATUS.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-68-PROPAGATE-EXIT-STATUS.sh ExecStart=sh -c "exit 0" EOF # Script to check that when an OnSuccess= dependency fires, the correct # MONITOR* env variables are passed. cat >/tmp/check_on_success.sh <<"EOF" #!/bin/sh set -ex env | sort if [ "$MONITOR_SERVICE_RESULT" != "success" ]; then -- exit 1 fi exit 0 EOF chmod +x /tmp/check_on_success.sh cat >/run/systemd/system/testservice-success-exit-handler-68.service </run/systemd/system/testservice-success-exit-handler-68-template@.service </tmp/check_on_failure.sh <<"EOF" #!/bin/sh set -ex env | sort if [ "$MONITOR_SERVICE_RESULT" != "exit-code" ]; then -- exit 1 fi exit 0 EOF chmod +x /tmp/check_on_failure.sh cat >/run/systemd/system/testservice-failure-exit-handler-68.service </run/systemd/system/testservice-failure-exit-handler-68-template@.service </tmp/out1 chroot /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out2 diff /tmp/out{1,2} fi # verify mkdir -p /tmp/img/usr/lib/systemd/system/ mkdir -p /tmp/img/opt/ touch /tmp/img/opt/script0.sh chmod +x /tmp/img/opt/script0.sh cat </tmp/img/usr/lib/systemd/system/testfile.service [Service] ExecStart = /opt/script0.sh EOF set +e # Default behaviour is to recurse through all dependencies when unit is loaded (! systemd-analyze verify --root=/tmp/img/ testfile.service) # As above, recurses through all dependencies when unit is loaded (! systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service) # Recurses through unit file and its direct dependencies when unit is loaded (! systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service) set -e # zero exit status since dependencies are ignored when unit is loaded systemd-analyze verify --recursive-errors=no --root=/tmp/img/ testfile.service rm /tmp/img/usr/lib/systemd/system/testfile.service cat </tmp/testfile.service [Unit] foo = bar [Service] ExecStart = echo hello EOF cat </tmp/testfile2.service [Unit] Requires = testfile.service [Service] ExecStart = echo hello EOF # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded systemd-analyze verify --recursive-errors=no /tmp/testfile2.service set +e # Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded (! systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service) set -e rm /tmp/testfile.service rm /tmp/testfile2.service cat </tmp/sample.service [Unit] Description = A Sample Service [Service] ExecStart = echo hello Slice=support.slice EOF # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded systemd-analyze verify --recursive-errors=no /tmp/sample.service cat </tmp/testfile.service [Service] ExecStart = echo hello DeviceAllow=/dev/sda EOF # Prevent regression from #13380 and #20859 where we can't verify hidden files cp /tmp/testfile.service /tmp/.testfile.service systemd-analyze verify /tmp/.testfile.service rm /tmp/.testfile.service # Alias a unit file's name on disk (see #20061) cp /tmp/testfile.service /tmp/testsrvc (! systemd-analyze verify /tmp/testsrvc) systemd-analyze verify /tmp/testsrvc:alias.service # Zero exit status since the value used for comparison determine exposure to security threats is by default 100 systemd-analyze security --offline=true /tmp/testfile.service #The overall exposure level assigned to the unit is greater than the set threshold (! systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service) # Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185 systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda" # Make sure that running generators under systemd-analyze verify works. # Note: sd-analyze spawns generators in a sandbox which makes gcov unhapy, so temporarily override # $GCOV_PREFIX to make it skip generating any coverage reports GCOV_PREFIX=/tmp systemd-analyze verify --generators /tmp/testfile.service rm /tmp/testfile.service cat </tmp/img/usr/lib/systemd/system/testfile.service [Service] ExecStart = echo hello PrivateNetwork = yes PrivateDevices = yes PrivateUsers = yes EOF # The new overall exposure level assigned to the unit is less than the set thresholds # Verifies that the --offline= option works with --root= systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile.service cat </tmp/foo@.service [Service] ExecStart=ls EOF cat </tmp/hoge@test.service [Service] ExecStart=ls EOF # issue #30357 -- systemd-analyze verify tmp/hoge@test.service (! systemd-analyze verify tmp/hoge@nonexist.service) (! systemd-analyze verify tmp/hoge@.service) popd pushd /usr systemd-analyze verify ../tmp/foo@bar.service systemd-analyze verify ../tmp/foo@.service systemd-analyze verify ../tmp/hoge@test.service (! systemd-analyze verify ../tmp/hoge@nonexist.service) (! systemd-analyze verify ../tmp/hoge@.service) popd systemd-analyze verify /tmp/foo@bar.service systemd-analyze verify /tmp/foo@.service systemd-analyze verify /tmp/hoge@test.service (! systemd-analyze verify /tmp/hoge@nonexist.service) (! systemd-analyze verify /tmp/hoge@.service) # test that all commands are verified. cat </tmp/multi-exec-start.service [Service] Type=oneshot ExecStart=true ExecStart=ls EOF systemd-analyze verify /tmp/multi-exec-start.service echo 'ExecStart=command-should-not-exist' >>/tmp/multi-exec-start.service (! systemd-analyze verify /tmp/multi-exec-start.service) # Prevent regression from #20233 where systemd-analyze will return nonzero exit codes on warnings # Unit file with warning "Unknown key name 'foo' in section 'Unit', ignoring" cat </tmp/testwarnings.service [Unit] Foo=Bar [Service] ExecStart=echo hello EOF # yes/no/one should all return nonzero exit status for warnings in unit file (! systemd-analyze verify --recursive-errors=yes /tmp/testwarnings.service) (! systemd-analyze verify --recursive-errors=no /tmp/testwarnings.service) (! systemd-analyze verify --recursive-errors=one /tmp/testwarnings.service) # zero exit status since no errors and only warnings systemd-analyze verify /tmp/testwarnings.service rm /tmp/testwarnings.service # Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed # The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in # values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight # assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is # set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure # level for the unit file should decrease to account for that increased weight. cat </tmp/testfile.json {"UserOrDynamicUser": {"description_bad": "Service runs as root user", "weight": 0, "range": 10 }, -- } EOF # Reads in custom security requirements from the parsed .json file and uses these for comparison systemd-analyze security --threshold=90 --offline=true \ --security-policy=/tmp/testfile.json \ --root=/tmp/img/ testfile.service # The strict profile adds a lot of sanboxing options systemd-analyze security --threshold=25 --offline=true \ --security-policy=/tmp/testfile.json \ --profile=strict \ --root=/tmp/img/ testfile.service # The trusted profile doesn't add any sanboxing options (! systemd-analyze security --threshold=25 --offline=true \ --security-policy=/tmp/testfile.json \ --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \ --root=/tmp/img/ testfile.service) (! systemd-analyze security --threshold=50 --offline=true \ --security-policy=/tmp/testfile.json \ --root=/tmp/img/ testfile.service) rm /tmp/img/usr/lib/systemd/system/testfile.service if systemd-analyze --version | grep -q -F "+ELFUTILS"; then systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"' fi Found error in /usr/lib/systemd/tests/testdata/units/TEST-63-PATH.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-63-PATH.sh systemctl log-level debug # Test that a path unit continuously triggering a service that fails condition checks eventually fails with # the trigger-limit-hit error. rm -f /tmp/nonexistent systemctl start test63.path touch /tmp/test63 # Make sure systemd has sufficient time to hit the trigger limit for test63.path. # shellcheck disable=SC2016 timeout 30 bash -c 'until test "$(systemctl show test63.path -P ActiveState)" = failed; do sleep .2; done' test "$(systemctl show test63.service -P ActiveState)" = inactive test "$(systemctl show test63.service -P Result)" = success test "$(systemctl show test63.path -P Result)" = trigger-limit-hit # Test that starting the service manually doesn't affect the path unit. rm -f /tmp/test63 systemctl reset-failed systemctl start test63.path systemctl start test63.service test "$(systemctl show test63.service -P ActiveState)" = inactive test "$(systemctl show test63.service -P Result)" = success test "$(systemctl show test63.path -P ActiveState)" = active test "$(systemctl show test63.path -P Result)" = success # Test that glob matching works too, with $TRIGGER_PATH systemctl start test63-glob.path touch /tmp/test63-glob-foo timeout 60 bash -c 'until systemctl -q is-active test63-glob.service; do sleep .2; done' test "$(systemctl show test63-glob.service -P ActiveState)" = active test "$(systemctl show test63-glob.service -P Result)" = success test "$(busctl --json=short get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/test63_2dglob_2eservice org.freedesktop.systemd1.Unit ActivationDetails)" = '{"type":"a(ss)","data":[["trigger_unit","test63-glob.path"],["trigger_path","/tmp/test63-glob-foo"]]}' systemctl stop test63-glob.path test63-glob.service test "$(busctl --json=short get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/test63_2dglob_2eservice org.freedesktop.systemd1.Unit ActivationDetails)" = '{"type":"a(ss)","data":[]}' # tests for issue https://github.com/systemd/systemd/issues/24577#issuecomment-1522628906 rm -f /tmp/hoge systemctl start test63-issue-24577.path systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_not_in "test63-issue-24577.service" "$output" assert_not_in "test63-issue-24577-dep.service" "$output" touch /tmp/hoge systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_in "test63-issue-24577.service" "$output" -- systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_in "test63-issue-24577.service" "$output" assert_in "test63-issue-24577-dep.service" "$output" rm -f /tmp/hoge systemctl stop test63-issue-24577.service systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) -- assert_in "test63-issue-24577-dep.service" "$output" # Test for race condition fixed by https://github.com/systemd/systemd/pull/30768 # Here's the schedule of events that we to happen during this test: # (This test) (The service) # .path unit monitors /tmp/copyme for changes # Take lock on /tmp/noexeit ↓ # Write to /tmp/copyme ↓ # Wait for deactivating Started # ↓ Copies /tmp/copyme to /tmp/copied # ↓ Tells manager it's shutting down # Ensure service did the copy Tries to lock /tmp/noexit and blocks # Write to /tmp/copyme ↓ # # Now at this point the test can diverge. If we regress, this second write is # missed and we'll see: # ... (second write) ... (blocked) # Drop lock on /tmp/noexit ↓ # Wait for service to do copy Unblocks and exits # ↓ (dead) # ↓ # (timeout) # Test fails # # Otherwise, we'll see: # ... (second write) ... (blocked) # Drop lock on /tmp/noexit ↓ and .path unit queues a new start job # Wait for service to do copy Unblocks and exits # ↓ Starts again b/c of queued job # ↓ Copies again # Test Passes systemctl start test63-pr-30768.path exec {lock}<>/tmp/noexit flock -e $lock echo test1 > /tmp/copyme # shellcheck disable=SC2016 timeout 30 bash -c 'until test "$(systemctl show test63-pr-30768.service -P ActiveState)" = deactivating; do sleep .2; done' diff /tmp/copyme /tmp/copied echo test2 > /tmp/copyme exec {lock}<&- timeout 30 bash -c 'until diff /tmp/copyme /tmp/copied >/dev/null; do sleep .2; done' systemctl log-level info touch /testok Found error in /usr/lib/systemd/tests/testdata/units/TEST-55-OOMD.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-55-OOMD.sh systemctl daemon-reload } testcase_duration_analyze() { # Verify memory pressure duration is valid if >= 1 second cat </tmp/TEST-55-OOMD-valid-duration.service [Service] ExecStart=echo hello ManagedOOMMemoryPressureDurationSec=1s EOF # Verify memory pressure duration is invalid if < 1 second cat </tmp/TEST-55-OOMD-invalid-duration.service [Service] ExecStart=echo hello ManagedOOMMemoryPressureDurationSec=0 EOF systemd-analyze --recursive-errors=no verify /tmp/TEST-55-OOMD-valid-duration.service (! systemd-analyze --recursive-errors=no verify /tmp/TEST-55-OOMD-invalid-duration.service) rm -f /tmp/TEST-55-OOMD-valid-duration.service rm -f /tmp/TEST-55-OOMD-invalid-duration.service } testcase_duration_override() { # Verify memory pressure duration can be overridden to non-zero values mkdir -p /run/systemd/system/TEST-55-OOMD-testmunch.service.d/ Found error in /usr/lib/systemd/tests/testdata/units/TEST-54-CREDS.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-54-CREDS.sh # Sanity checks # # Create a dummy "full" disk (similar to /dev/full) to check out-of-space # scenarios mkdir /tmp/full mount -t tmpfs -o size=1,nr_inodes=1 tmpfs /tmp/full # verb: setup # Run this first, otherwise any encrypted credentials wouldn't be decryptable # as we regenerate the host key rm -fv /var/lib/systemd/credential.secret -- echo foo >"$CRED_DIR/insecure" echo foo | systemd-creds --name="encrypted" encrypt - "$ENC_CRED_DIR/encrypted" echo foo | systemd-creds encrypt - "$ENC_CRED_DIR/encrypted-unnamed" chmod -R 0400 "$CRED_DIR" "$ENC_CRED_DIR" chmod -R 0444 "$CRED_DIR/insecure" mkdir /tmp/empty/ systemd-creds --system systemd-creds --no-pager --help systemd-creds --version systemd-creds has-tpm2 || : -- systemd-creds list --system ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --no-legend ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=pretty | jq ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=short | jq ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=off ENCRYPTED_CREDENTIALS_DIRECTORY="/tmp/empty/" CREDENTIALS_DIRECTORY="/tmp/empty/" systemd-creds list # verb: cat for cred in secure-or-weak insecure encrypted encrypted-unnamed; do ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds cat "$cred" done -- run_with_cred_compare "mycred:68656c6c6f0a776f726c64" "hello\nworld" --transcode=unhex cat mycred run_with_cred_compare 'mycred:{ "foo" : "bar", "baz" : [ 3, 4 ] }' '{"foo":"bar","baz":[3,4]}\n' --json=short cat mycred systemd-run -p SetCredential='mycred:{ "foo" : "bar", "baz" : [ 3, 4 ] }' --wait --pipe -- systemd-creds --json=pretty cat mycred | jq # verb: encrypt/decrypt echo "According to all known laws of aviation..." >/tmp/cred.orig systemd-creds --with-key=host encrypt /tmp/cred.orig /tmp/cred.enc systemd-creds decrypt /tmp/cred.enc /tmp/cred.dec diff /tmp/cred.orig /tmp/cred.dec rm -f /tmp/cred.{enc,dec} # --pretty cred_name="fo'''o''bar" cred_option="$(systemd-creds --pretty --name="$cred_name" encrypt /tmp/cred.orig -)" mkdir -p /run/systemd/system cat >/run/systemd/system/test-54-pretty-cred.service </tmp/ts54-concat (cat /etc/passwd /etc/shadow && echo -n wuff) | cmp /tmp/ts54-concat rm /tmp/ts54-concat # Test that SetCredential= acts as fallback for LoadCredential= echo piff >/tmp/ts54-fallback [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ] rm /tmp/ts54-fallback [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ] if systemd-detect-virt -q -c ; then expected_credential=mynspawncredential expected_value=strangevalue elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then -- # Verify that creating a user via sysusers via the kernel cmdline worked grep -q ^credtestuser: /etc/passwd # Verify that writing a file via tmpfiles worked [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ] [ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ] [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ] # Verify that adding a unit and drop-in via credentials worked systemctl start my-service test -f /tmp/unit-cred test -f /tmp/unit-dropin test -f /tmp/unit-named-dropin else echo "qemu_fw_cfg support missing in kernel. Sniff!" expected_credential="" expected_value="" fi -- --unit=test-54-immutable-rm.service \ --wait \ rm '${CREDENTIALS_DIRECTORY}/passwd') # Check directory-based loading mkdir -p /tmp/ts54-creds/sub echo -n a >/tmp/ts54-creds/foo echo -n b >/tmp/ts54-creds/bar echo -n c >/tmp/ts54-creds/baz echo -n d >/tmp/ts54-creds/sub/qux systemd-run -p LoadCredential=cred:/tmp/ts54-creds \ -p DynamicUser=1 \ --unit=test-54-dir.service \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/cred_foo' \ '${CREDENTIALS_DIRECTORY}/cred_bar' \ '${CREDENTIALS_DIRECTORY}/cred_baz' \ '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abcd) rm /tmp/ts54-concat rm -rf /tmp/ts54-creds # Check that globs work as expected mkdir -p /run/credstore echo -n a >/run/credstore/test.creds.first # Make sure that when multiple credentials of the same name are found, the first one is used (/etc/credstore -- -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test.creds.first' \ '${CREDENTIALS_DIRECTORY}/test.creds.second' \ '${CREDENTIALS_DIRECTORY}/test.creds.third' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abc) # Check that ImportCredentialEx= works without renaming. systemd-run -p "ImportCredentialEx=test.creds.*" \ --unit=test-54-ImportCredential.service \ -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test.creds.first' \ '${CREDENTIALS_DIRECTORY}/test.creds.second' \ '${CREDENTIALS_DIRECTORY}/test.creds.third' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abc) # Check that renaming with globs works as expected. systemd-run -p "ImportCredentialEx=test.creds.*:renamed.creds." \ --unit=test-54-ImportCredential.service \ -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/renamed.creds.first' \ '${CREDENTIALS_DIRECTORY}/renamed.creds.second' \ '${CREDENTIALS_DIRECTORY}/renamed.creds.third' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abc) # Check that renaming without globs works as expected. systemd-run -p "ImportCredentialEx=test.creds.first:renamed.creds.first" \ --unit=test-54-ImportCredential.service \ -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/renamed.creds.first' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n a) # Test that multiple renames are processed in the correct order. systemd-run -p "ImportCredentialEx=test.creds.first:renamed.creds.first" \ -p "ImportCredentialEx=test.creds.second:renamed.creds.first" \ --unit=test-54-ImportCredential.service \ -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/renamed.creds.first' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n a) # Test that a credential can be imported multiple times with different names. systemd-run -p "ImportCredentialEx=test.creds.first" \ -p "ImportCredentialEx=test.creds.first:renamed.creds.first" \ -p "ImportCredentialEx=test.creds.first:renamed.creds.second" \ -- -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test.creds.first' \ '${CREDENTIALS_DIRECTORY}/renamed.creds.first' \ '${CREDENTIALS_DIRECTORY}/renamed.creds.second' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n aaa) # Now test encrypted credentials (only supported when built with OpenSSL though) if systemctl --version | grep -q -- +OPENSSL ; then echo -n $RANDOM >/tmp/test-54-plaintext systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext echo -n $RANDOM >/tmp/test-54-plaintext systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext rm /tmp/test-54-plaintext /tmp/test-54-ciphertext fi # https://github.com/systemd/systemd/issues/27275 systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \ -p 'ExecStartPre=true' \ -- --service-type=oneshot --wait --pipe \ true | cmp /etc/os-release # https://github.com/systemd/systemd/pull/24734#issuecomment-1925440546 # Also ExecStartPre= should be able to update creds dd if=/dev/urandom of=/tmp/cred-huge bs=600K count=1 chmod 777 /tmp/cred-huge systemd-run -p ProtectSystem=full \ -p 'LoadCredential=huge:/tmp/cred-huge' \ -p 'ExecStartPre=true' \ -p 'ExecStartPre=bash -c "echo fresh >/tmp/cred-huge"' \ --unit=test-54-huge-cred.service \ --wait --pipe \ systemd-creds cat huge | cmp - <(echo "fresh") rm /tmp/cred-huge echo stable >/tmp/cred-stable systemd-run -p 'LoadCredential=stable:/tmp/cred-stable' \ -p 'ExecStartPost=systemd-creds cat stable' \ --unit=test-54-stable.service \ --service-type=oneshot --wait --pipe \ bash -c "echo bogus >/tmp/cred-stable" | cmp - <(echo "stable") assert_eq "$(cat /tmp/cred-stable)" "bogus" rm /tmp/cred-stable if ! systemd-detect-virt -q -c ; then # Validate that the credential we inserted via the initrd logic arrived test "$(systemd-creds cat --system myinitrdcred)" = "guatemala" -- systemctl -P Wants show getty.target | grep -q container-getty@idontexist.service fi # Decrypt/encrypt via varlink echo '{"data":"Zm9vYmFyCg=="}' > /tmp/vlcredsdata varlinkctl call /run/systemd/io.systemd.Credentials io.systemd.Credentials.Encrypt "$(cat /tmp/vlcredsdata)" | \ varlinkctl call --json=short /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt > /tmp/vlcredsdata2 cmp /tmp/vlcredsdata /tmp/vlcredsdata2 rm /tmp/vlcredsdata /tmp/vlcredsdata2 clean_usertest() { rm -f /tmp/usertest.data /tmp/usertest.data } trap clean_usertest EXIT dd if=/dev/urandom of=/tmp/usertest.data bs=4096 count=1 systemd-creds encrypt --user /tmp/usertest.data /tmp/usertest.cred systemd-creds decrypt --user /tmp/usertest.cred - | cmp /tmp/usertest.data # Decryption must fail if it's not done in user context (! systemd-creds decrypt /tmp/usertest.cred - ) # Decryption must also fail if a different user is used (! systemd-creds decrypt --user --uid=65534 /tmp/usertest.cred - ) # Try the reverse systemd-creds encrypt --user --uid=65534 /tmp/usertest.data /tmp/usertest.cred (! systemd-creds decrypt --user /tmp/usertest.cred - ) systemd-creds decrypt --user --uid=65534 /tmp/usertest.cred - | cmp /tmp/usertest.data systemd-creds encrypt --user /tmp/usertest.data /tmp/usertest.creds --name=mytest # Make sure we actually can decode this in user context systemctl start user@0.service XDG_RUNTIME_DIR=/run/user/0 systemd-run --pipe --user --unit=waldi.service -p LoadCredentialEncrypted=mytest:/tmp/usertest.creds cat /run/user/0/credentials/waldi.service/mytest | cmp /tmp/usertest.data systemd-analyze log-level info touch /testok Found error in /usr/lib/systemd/tests/testdata/units/TEST-50-DISSECT.mountfsd.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-50-DISSECT.mountfsd.sh fi at_exit() { set +e umount -R /tmp/unpriv/mount rmdir /tmp/unpriv rm -f /tmp/test-50-unpriv-privkey.key /tmp/test-50-unpriv-cert.crt /run/verity.d/test-50-unpriv-cert.crt rm -f /var/tmp/unpriv.raw /tmp/unpriv.raw.mtree /tmp/unpriv2.raw.mtree rm -f /tmp/unpriv.out /tmp/unpriv.out2 /tmp/unpriv.out3 } trap at_exit EXIT systemctl start systemd-mountfsd.socket systemd-nsresourced.socket openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" \ -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \ -keyout /tmp/test-50-unpriv-privkey.key -out /tmp/test-50-unpriv-cert.crt systemd-dissect --mkdir --mount "$MINIMAL_IMAGE.raw" /tmp/unpriv/mount SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs \ systemd-repart -P \ -s /tmp/unpriv/mount \ --certificate=/tmp/test-50-unpriv-cert.crt \ --private-key=/tmp/test-50-unpriv-privkey.key \ /var/tmp/unpriv.raw systemd-dissect --rmdir --umount /tmp/unpriv/mount systemd-dissect --image-policy='root=unprotected:=absent+unused' /var/tmp/unpriv.raw systemd-dissect --image-policy='root=unprotected:=absent+unused' --mtree /var/tmp/unpriv.raw >/tmp/unpriv.raw.mtree # Run unpriv, should fail due to lack of privs (! runas testuser systemd-dissect /var/tmp/unpriv.raw) (! runas testuser systemd-dissect --mtree /var/tmp/unpriv.raw) if (SYSTEMD_LOG_TARGET=console varlinkctl call \ /run/systemd/userdb/io.systemd.NamespaceResource \ io.systemd.NamespaceResource.AllocateUserRange \ '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' 2>&1 || true) | -- echo "User namespace interface not supported, skipping mountfsd/nsresourced tests" exit 0 fi # Install key in keychain cp /tmp/test-50-unpriv-cert.crt /run/verity.d # Now run unpriv again, should be OK now. runas testuser systemd-dissect /var/tmp/unpriv.raw runas testuser systemd-dissect --mtree /var/tmp/unpriv.raw >/tmp/unpriv2.raw.mtree # Check that unpriv and priv run yielded same results cmp /tmp/unpriv.raw.mtree /tmp/unpriv2.raw.mtree # Make sure nspawn works unpriv, too (for now do not nest) if ! systemd-detect-virt -c; then systemd-nspawn --pipe -i /var/tmp/unpriv.raw --read-only echo thisisatest > /tmp/unpriv.out echo thisisatest | cmp /tmp/unpriv.out - # The unpriv user has no rights to lock the image or write to it. Let's # turn off both for this test, so that we don't have to copy the image # around. systemd-run -M testuser@ --user --pipe \ -p Environment=SYSTEMD_NSPAWN_LOCK=0 \ -p Delegate=1 \ -p DelegateSubgroup=supervisor \ -p Environment=SYSTEMD_LOG_LEVEL=debug \ --wait -- \ systemd-nspawn --keep-unit --register=no -i /var/tmp/unpriv.raw --read-only --pipe echo thisisatest >/tmp/unpriv.out2 echo thisisatest | cmp /tmp/unpriv.out2 - fi systemd-run -M testuser@ --user --pipe -p RootImage=/var/tmp/unpriv.raw -p PrivateUsers=1 --wait echo thisisatest >/tmp/unpriv.out3 echo thisisatest | cmp /tmp/unpriv.out3 - Found error in /usr/lib/systemd/tests/testdata/units/TEST-50-DISSECT.dissect.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-50-DISSECT.dissect.sh RemainAfterExit=yes MountAPIVFS=yes PrivateTmp=yes ExecStart=sh -c ' \\ systemd-notify --ready; \\ while [ ! -f /tmp/img/usr/lib/os-release ] || ! grep -q -F MARKER /tmp/img/usr/lib/os-release; do \\ sleep 0.1; \\ done; \\ mount; \\ mount | grep -F "on /tmp/img type squashfs" | grep -q -F "nosuid"; \\ ' EOF systemctl start testservice-50d.service # Mount twice to exercise mount-beneath (on kernel 6.5+, on older kernels it will just overmount) mkdir -p /tmp/wrong/foo mksquashfs /tmp/wrong/foo /tmp/wrong.raw systemctl mount-image --mkdir testservice-50d.service /tmp/wrong.raw /tmp/img test "$(systemctl show -P SubState testservice-50d.service)" = "running" systemctl mount-image --mkdir testservice-50d.service "$MINIMAL_IMAGE.raw" /tmp/img root:nosuid # shellcheck disable=SC2016 timeout 30s bash -xec 'while [[ $(systemctl show -P SubState testservice-50d.service) == running ]]; do sleep .2; done' systemctl is-active testservice-50d.service # ExtensionImages will set up an overlay systemd-run -P \ --property ExtensionImages=/tmp/app0.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /opt/script0.sh | grep -q -F "extension-release.app0" systemd-run -P \ --property ExtensionImages=/tmp/app0.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /opt/script0.sh | grep -q -F "extension-release.app0" systemd-run -P \ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /opt/script1.sh | grep -q -F "extension-release.app2" systemd-run -P \ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages=/tmp/app-nodistro.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages=/etc/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123" systemd-run -P \ --property ExtensionImages="/tmp/app0.raw /tmp/conf0.raw" \ veritysetup status "$(cat /tmp/app0.roothash)-verity" | grep -q "$(cat /tmp/app0.roothash)" systemd-run -P \ --property ExtensionImages="/tmp/app0.raw /tmp/conf0.raw" \ veritysetup status "$(cat /tmp/conf0.roothash)-verity" | grep -q "$(cat /tmp/conf0.roothash)" # Check that two identical verity images at different paths do not fail with -ELOOP from OverlayFS mkdir -p /tmp/loop cp /tmp/app0.raw /tmp/loop/app0.raw veritysetup format /tmp/loop/app0.raw /tmp/loop/app0.verity --root-hash-file /tmp/loop/app0.roothash cp /tmp/loop/app0.raw /tmp/loop/app0_copy.raw cp /tmp/loop/app0.verity /tmp/loop/app0_copy.verity cp /tmp/loop/app0.roothash /tmp/loop/app0_copy.roothash systemd-run -P \ --property ExtensionImages=/tmp/loop/app0.raw \ --property ExtensionImages=/tmp/loop/app0_copy.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ "${BIND_LOG_SOCKETS[@]}" \ cat /opt/script0.sh | grep -q -F "extension-release.app0" rm -rf /tmp/loop/ # Check that using a symlink to NAME-VERSION.raw works as long as the symlink has the correct name NAME.raw mkdir -p /tmp/symlink-test/ cp /tmp/app-nodistro.raw /tmp/symlink-test/app-nodistro-v1.raw ln -fs /tmp/symlink-test/app-nodistro-v1.raw /tmp/symlink-test/app-nodistro.raw systemd-run -P \ --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" # Symlink check again but for confext mkdir -p /etc/symlink-test/ -- --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123" # And again mixing sysext and confext systemd-run -P \ --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \ --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123" systemd-run -P \ --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \ --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" cat >/run/systemd/system/testservice-50e.service </tmp/discover.json grep -q -F '{"name":"a","type":"raw","class":"machine","ro":false,"path":"/run/machines/a.raw"' /tmp/discover.json grep -q -F '{"name":"b","type":"raw","class":"portable","ro":false,"path":"/run/portables/b.raw"' /tmp/discover.json grep -q -F '{"name":"c","type":"raw","class":"sysext","ro":false,"path":"/run/extensions/c.raw"' /tmp/discover.json rm /tmp/discover.json /run/machines/a.raw /run/portables/b.raw /run/extensions/c.raw LOOP="$(systemd-dissect --attach --loop-ref=waldo "$MINIMAL_IMAGE.raw")" # Wait until the symlinks we want to test are established udevadm trigger -w "$LOOP" -- (! /etc/testscript) systemd-confext status systemd-confext unmerge rm -rf /run/confexts/ unsquashfs -no-xattrs -d /tmp/img "$MINIMAL_IMAGE.raw" systemd-run --unit=test-root-ephemeral \ -p RootDirectory=/tmp/img \ -p RootEphemeral=yes \ -p Type=exec \ bash -c "touch /abc && sleep infinity" test -n "$(ls -A /var/lib/systemd/ephemeral-trees)" systemctl stop test-root-ephemeral # shellcheck disable=SC2016 timeout 10 bash -c 'until test -z "$(ls -A /var/lib/systemd/ephemeral-trees)"; do sleep .5; done' test ! -f /tmp/img/abc systemd-dissect --mtree /tmp/img >/dev/null systemd-dissect --list /tmp/img >/dev/null read -r SHA256SUM1 _ < <(systemd-dissect --copy-from /tmp/img etc/os-release | sha256sum) test "$SHA256SUM1" != "" echo abc > abc systemd-dissect --copy-to /tmp/img abc /abc test -f /tmp/img/abc # Test for dissect tool support with systemd-sysext mkdir -p /run/extensions/ testkit/usr/lib/extension-release.d/ echo "ID=_any" >testkit/usr/lib/extension-release.d/extension-release.testkit echo "ARCHITECTURE=_any" >>testkit/usr/lib/extension-release.d/extension-release.testkit -- systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /run/host/os-release | cmp "$OS_RELEASE" # Test that systemd-sysext reloads the daemon. mkdir -p /var/lib/extensions/ ln -s /tmp/app-reload.raw /var/lib/extensions/app-reload.raw systemd-sysext merge --no-reload # the service should not be running (! systemctl --quiet is-active foo.service) systemd-sysext unmerge --no-reload systemd-sysext merge Found error in /usr/lib/systemd/tests/testdata/units/TEST-50-DISSECT.DDI.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-50-DISSECT.DDI.sh # SPDX-License-Identifier: LGPL-2.1-or-later set -eux set -o pipefail # Check that the /sbin/mount.ddi helper works dir="/tmp/mounthelper.$RANDOM" mount -t ddi "$MINIMAL_IMAGE.gpt" "$dir" -o ro,X-mount.mkdir,discard umount -R "$dir" # Test systemd-repart --make-ddi=: if [[ -z "${OPENSSL_CONFIG:?}" ]] || ! command -v mksquashfs &>/dev/null; then -- exit 0 fi openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" \ -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \ -keyout /tmp/test-50-privkey.key -out /tmp/test-50-cert.crt mkdir -p /tmp/test-50-confext/etc/extension-release.d/ echo "foobar50" >/tmp/test-50-confext/etc/waldo { grep -e '^\(ID\|VERSION_ID\)=' /etc/os-release echo IMAGE_ID=waldo echo IMAGE_VERSION=7 } >/tmp/test-50-confext/etc/extension-release.d/extension-release.waldo mkdir -p /run/confexts SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs \ systemd-repart -C \ -s /tmp/test-50-confext \ --certificate=/tmp/test-50-cert.crt \ --private-key=/tmp/test-50-privkey.key \ /run/confexts/waldo.confext.raw rm -rf /tmp/test-50-confext mkdir -p /run/verity.d cp /tmp/test-50-cert.crt /run/verity.d/ systemd-dissect --mtree /run/confexts/waldo.confext.raw systemd-confext refresh test "$(/tmp/blob1/test1 echo data1 blob2 >/tmp/blob2/test1 echo data2 blob1 >/tmp/blob1/test2 echo data2 blob2 >/tmp/blob2/test2 echo invalid filename >/tmp/blob1/файл echo data3 >/tmp/external-test3 echo avatardata >/tmp/external-avatar ln -s /tmp/external-avatar /tmp/external-avatar-lnk dd if=/dev/urandom of=/tmp/external-barely-fits bs=1M count=64 dd if=/dev/urandom of=/tmp/external-toobig bs=1M count=65 # create w/ prepopulated blob dir NEWPASSWORD=EMJuc3zQaMibJo homectl create blob-user \ --disk-size=min --luks-discard=yes \ --luks-pbkdf-type=pbkdf2 --luks-pbkdf-time-cost=1ms \ --rate-limit-interval=1s --rate-limit-burst=1000 \ --uid=12345 \ --blob=/tmp/blob1 inspect blob-user PASSWORD=EMJuc3zQaMibJo homectl activate blob-user inspect blob-user test -d /var/cache/systemd/home/blob-user stat -c "%u %#a" /var/cache/systemd/home/blob-user | grep "^0 0755" test -d /home/blob-user/.identity-blob stat -c "%u %#a" /home/blob-user/.identity-blob | grep "^12345 0700" checkblob test1 /tmp/blob1/test1 (! checkblob test1 /tmp/blob2/test1 ) checkblob test2 /tmp/blob1/test2 (! checkblob test2 /tmp/blob2/test2 ) (! checkblob фаил /tmp/blob1/фаил ) (! checkblob test3 /tmp/external-test3 ) (! checkblob avatar /tmp/external-avatar ) # append files to existing blob, both well-known and other PASSWORD=EMJuc3zQaMibJo homectl update blob-user \ -b test3=/tmp/external-test3 --avatar=/tmp/external-avatar inspect blob-user checkblob test1 /tmp/blob1/test1 (! checkblob test1 /tmp/blob2/test1 ) checkblob test2 /tmp/blob1/test2 (! checkblob test2 /tmp/blob2/test2 ) (! checkblob фаил /tmp/blob1/фаил ) checkblob test3 /tmp/external-test3 checkblob avatar /tmp/external-avatar # delete files from existing blob, both well-known and other PASSWORD=EMJuc3zQaMibJo homectl update blob-user \ -b test3= --avatar= inspect blob-user checkblob test1 /tmp/blob1/test1 (! checkblob test1 /tmp/blob2/test1 ) checkblob test2 /tmp/blob1/test2 (! checkblob test2 /tmp/blob2/test2 ) (! checkblob фаил /tmp/blob1/фаил ) (! checkblob test3 /tmp/external-test3 ) (! checkblob avatar /tmp/external-avatar ) # swap entire blob directory PASSWORD=EMJuc3zQaMibJo homectl update blob-user \ -b /tmp/blob2 inspect blob-user (! checkblob test1 /tmp/blob1/test1 ) checkblob test1 /tmp/blob2/test1 (! checkblob test2 /tmp/blob1/test2 ) checkblob test2 /tmp/blob2/test2 (! checkblob фаил /tmp/blob1/фаил ) (! checkblob test3 /tmp/external-test3 ) (! checkblob avatar /tmp/external-avatar ) # create and delete files while swapping blob directory. Also symlinks. PASSWORD=EMJuc3zQaMibJo homectl update blob-user \ -b /tmp/blob1 -b test2= -b test3=/tmp/external-test3 --avatar=/tmp/external-avatar-lnk inspect blob-user checkblob test1 /tmp/blob1/test1 (! checkblob test1 /tmp/blob2/test1 ) (! checkblob test2 /tmp/blob1/test2 ) (! checkblob test2 /tmp/blob2/test2 ) (! checkblob фаил /tmp/blob1/фаил ) checkblob test3 /tmp/external-test3 checkblob avatar /tmp/external-avatar # target of the link # clear the blob directory PASSWORD=EMJuc3zQaMibJo homectl update blob-user \ -b /tmp/blob2 -b test3=/tmp/external-test3 --blob= inspect blob-user (! checkblob test1 /tmp/blob1/test1 ) (! checkblob test1 /tmp/blob2/test1 ) (! checkblob test2 /tmp/blob1/test2 ) (! checkblob test2 /tmp/blob2/test2 ) (! checkblob фаил /tmp/blob1/фаил ) (! checkblob test3 /tmp/external-test3 ) (! checkblob avatar /tmp/external-avatar ) # file that's exactly 64M still fits # FIXME: Figure out why this fails on ext4. if [[ "$FSTYPE" != "ext2/ext3" ]]; then PASSWORD=EMJuc3zQaMibJo homectl update blob-user \ -b barely-fits=/tmp/external-barely-fits (! checkblob test1 /tmp/blob1/test1 ) (! checkblob test1 /tmp/blob2/test1 ) (! checkblob test2 /tmp/blob1/test2 ) (! checkblob test2 /tmp/blob2/test2 ) (! checkblob фаил /tmp/blob1/фаил ) (! checkblob test3 /tmp/external-test3 ) (! checkblob avatar /tmp/external-avatar ) checkblob barely-fits /tmp/external-barely-fits fi # error out if the file is too big (! PASSWORD=EMJuc3zQaMibJo homectl update blob-user -b huge=/tmp/external-toobig ) # error out if filenames are invalid (! PASSWORD=EMJuc3zQaMibJo homectl update blob-user -b .hidden=/tmp/external-test3 ) (! PASSWORD=EMJuc3zQaMibJo homectl update blob-user -b "with spaces=/tmp/external-test3" ) (! PASSWORD=EMJuc3zQaMibJo homectl update blob-user -b with=equals=/tmp/external-test3 ) (! PASSWORD=EMJuc3zQaMibJo homectl update blob-user -b файл=/tmp/external-test3 ) (! PASSWORD=EMJuc3zQaMibJo homectl update blob-user -b special@chars=/tmp/external-test3 ) # Make sure offline updates to blobs get propagated in homectl deactivate blob-user inspect blob-user homectl update blob-user --offline -b barely-fits= -b propagated=/tmp/external-test3 inspect blob-user PASSWORD=EMJuc3zQaMibJo homectl activate blob-user inspect blob-user (! checkblob barely-fits /tmp/external-barely-fits ) checkblob propagated /tmp/external-test3 homectl deactivate blob-user wait_for_state blob-user inactive homectl remove blob-user -- varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"uid":2000000,"service":"io.systemd.Multiplexer"}' (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"","service":"io.systemd.Multiplexer"}') (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"🐱","service":"io.systemd.Multiplexer"}') (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"i-do-not-exist","service":"io.systemd.Multiplexer"}') userdbctl ssh-authorized-keys dropinuser | tee /tmp/authorized-keys grep "ssh-ed25519" /tmp/authorized-keys grep "ecdsa-sha2-nistp256" /tmp/authorized-keys echo "my-top-secret-key 🐱" >/tmp/my-top-secret-key userdbctl ssh-authorized-keys dropinuser --chain /bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys grep "ssh-ed25519" /tmp/authorized-keys grep "ecdsa-sha2-nistp256" /tmp/authorized-keys grep "my-top-secret-key 🐱" /tmp/authorized-keys (! userdbctl ssh-authorized-keys 🐱) (! userdbctl ssh-authorized-keys dropin-user --chain) (! userdbctl ssh-authorized-keys dropin-user --chain '') (! SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /bin/false) -- if command -v ssh &>/dev/null && command -v sshd &>/dev/null && ! [[ -v ASAN_OPTIONS ]]; then at_exit() { set +e systemctl is-active -q mysshserver.socket && systemctl stop mysshserver.socket rm -f /tmp/homed.id_ecdsa /run/systemd/system/mysshserver{@.service,.socket} systemctl daemon-reload homectl remove homedsshtest for dir in /etc /usr/lib; do if [[ -f "$dir/pam.d/sshd.bak" ]]; then mv "$dir/pam.d/sshd.bak" "$dir/pam.d/sshd" -- } trap at_exit EXIT # Test that SSH logins work with delayed unlocking ssh-keygen -N '' -C '' -t ecdsa -f /tmp/homed.id_ecdsa NEWPASSWORD=hunter4711 homectl create \ --disk-size=min \ --luks-discard=yes \ --luks-pbkdf-type=pbkdf2 \ --luks-pbkdf-time-cost=1ms \ --rate-limit-interval=1s \ --rate-limit-burst=1000 \ --enforce-password-policy=no \ --ssh-authorized-keys=@/tmp/homed.id_ecdsa.pub \ --stop-delay=0 \ homedsshtest homectl inspect homedsshtest mkdir -p /etc/ssh -- systemctl daemon-reload systemctl start mysshserver.socket userdbctl user -j homedsshtest ssh -t -t -4 -p 4711 -i /tmp/homed.id_ecdsa \ -o "SetEnv PASSWORD=hunter4711" -o "StrictHostKeyChecking no" \ homedsshtest@localhost echo zzz | tr -d '\r' | tee /tmp/homedsshtest.out grep -E "^zzz$" /tmp/homedsshtest.out rm /tmp/homedsshtest.out ssh -t -t -4 -p 4711 -i /tmp/homed.id_ecdsa \ -o "SetEnv PASSWORD=hunter4711" -o "StrictHostKeyChecking no" \ homedsshtest@localhost env wait_for_state homedsshtest inactive fi Found error in /usr/lib/systemd/tests/testdata/units/TEST-44-LOG-NAMESPACE.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-44-LOG-NAMESPACE.sh journalctl --namespace=foobar --sync journalctl --namespace=foobaz --sync ls -l /var/log/journal/ journalctl --list-namespaces journalctl -o cat --namespace=foobar >/tmp/hello-world journalctl -o cat >/tmp/no-hello-world journalctl --list-namespaces | grep foobar journalctl --list-namespaces | grep foobaz journalctl --list-namespaces -o json | jq . [[ "$(journalctl --root=/tmp --list-namespaces --quiet)" == "" ]] grep "^hello world$" /tmp/hello-world (! grep "^hello world$" /tmp/no-hello-world) systemd-analyze log-level info touch /testok Found error in /usr/lib/systemd/tests/testdata/units/TEST-29-PORTABLE.directory.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-29-PORTABLE.directory.sh # If we're running under sanitizers, we need to use a less restrictive # profile, otherwise LSan syscall would get blocked by seccomp ARGS+=(--profile=trusted) fi unsquashfs -dest /tmp/minimal_0 /usr/share/minimal_0.raw unsquashfs -dest /tmp/minimal_1 /usr/share/minimal_1.raw portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/minimal_0 minimal-app0 systemctl is-active minimal-app0.service systemctl is-active minimal-app0-foo.service systemctl is-active minimal-app0-bar.service && exit 1 portablectl "${ARGS[@]}" reattach --now --enable --runtime /tmp/minimal_1 minimal-app0 systemctl is-active minimal-app0.service systemctl is-active minimal-app0-bar.service systemctl is-active minimal-app0-foo.service && exit 1 portablectl list | grep -q -F "minimal_1" busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' portablectl detach --now --enable --runtime /tmp/minimal_1 minimal-app0 portablectl list | grep -q -F "No images." busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' && exit 1 mkdir /tmp/rootdir /tmp/app0 /tmp/app1 /tmp/overlay /tmp/os-release-fix /tmp/os-release-fix/etc mount /tmp/app0.raw /tmp/app0 mount /tmp/app1.raw /tmp/app1 mount /usr/share/minimal_0.raw /tmp/rootdir # Fix up os-release to drop the valid PORTABLE_SERVICES field (because we are # bypassing the sysext logic in portabled here it will otherwise not see the # extensions additional valid prefix) grep -v "^PORTABLE_PREFIXES=" /tmp/rootdir/etc/os-release >/tmp/os-release-fix/etc/os-release mount -t overlay overlay -o lowerdir=/tmp/os-release-fix:/tmp/app1:/tmp/rootdir /tmp/overlay grep . /tmp/overlay/usr/lib/extension-release.d/* grep . /tmp/overlay/etc/os-release portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/overlay app1 systemctl is-active app1.service portablectl detach --now --runtime overlay app1 -- [Unit] Description=App 1 EOF systemctl daemon-reload portablectl "${ARGS[@]}" attach --force --copy=symlink --now --runtime /tmp/overlay app1 systemctl is-active app1.service portablectl detach --now --runtime overlay app1 umount /tmp/overlay portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 systemctl is-active app0.service systemctl is-active app1.service portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/rootdir/usr/lib/os-release portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app0/usr/lib/extension-release.d/extension-release.app0 portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app1/usr/lib/extension-release.d/extension-release.app2 portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app1/usr/lib/systemd/system/app1.service portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app0/usr/lib/systemd/system/app0.service grep -q -F "LogExtraFields=PORTABLE=app0" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_ROOT=rootdir" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app0.service.d/20-portable.conf -- grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app1" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app_1" /run/systemd/system.attached/app1.service.d/20-portable.conf portablectl detach --clean --now --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 # Ensure --clean remove state and other directories belonging to the portable image being detached test ! -d /var/lib/app0 test ! -d /run/app0 # Ensure that mixed mode copies the images and units (client-owned) but symlinks the profile (OS owned) portablectl "${ARGS[@]}" attach --copy=mixed --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 test -d /run/portables/app0 test -d /run/portables/app1 test -d /run/portables/rootdir test -f /run/systemd/system.attached/app0.service test -f /run/systemd/system.attached/app1.service test -L /run/systemd/system.attached/app0.service.d/10-profile.conf test -L /run/systemd/system.attached/app1.service.d/10-profile.conf portablectl detach --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 # Attempt to disable the app unit during detaching. Requires --copy=symlink to reproduce. # Provides coverage for https://github.com/systemd/systemd/issues/23481 portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 # attach and detach again to check if all drop-in configs are removed even if the main unit files are removed portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 # The wrong file should be ignored, given the right one has the xattr set trap 'rm -rf /var/cache/wrongext' EXIT mkdir -p /var/cache/wrongext/usr/lib/extension-release.d /var/cache/wrongext/usr/lib/systemd/system/ echo "[Service]" > /var/cache/wrongext/usr/lib/systemd/system/app0.service touch /var/cache/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt cp /tmp/rootdir/usr/lib/os-release /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 setfattr -n user.extension-release.strict -v "false" /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 portablectl "${ARGS[@]}" attach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 status="$(portablectl is-attached --extension wrongext rootdir)" [[ "${status}" == "attached-runtime" ]] portablectl detach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 umount /tmp/rootdir umount /tmp/app0 umount /tmp/app1 Found error in /usr/lib/systemd/tests/testdata/units/TEST-24-CRYPTSETUP.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-24-CRYPTSETUP.sh at_exit() { set +e mountpoint -q /proc/cmdline && umount /proc/cmdline rm -f /etc/crypttab [[ -e /tmp/crypttab.bak ]] && cp -fv /tmp/crypttab.bak /etc/crypttab [[ -n "${STORE_LOOP:-}" ]] && losetup -d "$STORE_LOOP" [[ -n "${WORKDIR:-}" ]] && rm -rf "$WORKDIR" systemctl daemon-reload } -- cp "$IMAGE_DETACHED_HEADER" "$TMPFS_DETACHED_HEADER/header" udevadm settle --timeout=60 # Prepare our test crypttab [[ -e /etc/crypttab ]] && cp -fv /etc/crypttab /tmp/crypttab.bak cat >/etc/crypttab </tmp/cmdline.tmp mount --bind /tmp/cmdline.tmp /proc/cmdline # Run the systemd-cryptsetup-generator once explicitly, to collect coverage, # as during daemon-reload we run generators in a sandbox mkdir -p /tmp/systemd-cryptsetup-generator.out /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /tmp/systemd-cryptsetup-generator.out/ systemctl daemon-reload systemctl list-unit-files "systemd-cryptsetup@*" cryptsetup_start_and_check empty_key test -e "$IMAGE_EMPTY_KEYFILE_ERASE" Found error in /usr/lib/systemd/tests/testdata/units/TEST-23-UNIT-FILE.ExtraFileDescriptors.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-23-UNIT-FILE.ExtraFileDescriptors.sh . "$(dirname "$0")"/util.sh at_exit() { set +e rm -rf /tmp/test-extra-fd/ } trap at_exit EXIT mkdir /tmp/test-extra-fd echo "Hello" > /tmp/test-extra-fd/1.txt echo "Extra" > /tmp/test-extra-fd/2.txt systemd-analyze log-level debug # Open files and assign FD to variables exec {TEST_FD1}/tmp/forking1.sh </tmp/forking2.sh </tmp/notify1.sh </tmp/TEST-23-UNIT-FILE.counter if [ "$counter" -eq 5 ] ; then systemctl kill --kill-whom=main -sUSR1 TEST-23-UNIT-FILE.service fi Found error in /usr/lib/systemd/tests/testdata/units/TEST-22-TMPFILES.03.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-22-TMPFILES.03.sh # # Basic tests for types creating/writing files set -eux set -o pipefail rm -fr /tmp/{f,F,w} mkdir /tmp/{f,F,w} touch /tmp/file-owned-by-root # # 'f' # systemd-tmpfiles --dry-run --create - </tmp/F/truncated echo "This should be truncated" >/tmp/F/truncated-with-content systemd-tmpfiles --create - </tmp/F/rw-fs/foo (! systemd-tmpfiles --create -) </tmp/F/rw-fs/foo (! systemd-tmpfiles --create -) < fails. (! systemd-tmpfiles --create -) < /tmp/C/3/f1 systemd-tmpfiles --create - </tmp/test19-exit-cgroup.sh < sleep sleep infinity & -- (sleep 1; \$1) & # process tree: systemd -> bash -> sleep sleep infinity EOF chmod +x /tmp/test19-exit-cgroup.sh # service should be stopped cleanly systemd-run --wait \ --unit=one \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup.sh 'systemctl stop one' # same thing with a truthy exec condition systemd-run --wait \ --unit=two \ --property="Type=notify" \ --property="ExitType=cgroup" \ --property="ExecCondition=true" \ /tmp/test19-exit-cgroup.sh 'systemctl stop two' # false exec condition: systemd-run should exit immediately with status code: 1 (! systemd-run --wait \ --unit=three \ --property="Type=notify" \ --property="ExitType=cgroup" \ --property="ExecCondition=false" \ /tmp/test19-exit-cgroup.sh) # service should exit uncleanly (main process exits with SIGKILL) (! systemd-run --wait \ --unit=four \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup.sh 'systemctl kill --signal 9 four') # Multiple level process tree, parent process exits quickly cat >/tmp/test19-exit-cgroup-parentless.sh < sleep sleep infinity & -- systemd-notify --ready # Run the stop/kill command after this bash process exits (sleep 1; \$1) & EOF chmod +x /tmp/test19-exit-cgroup-parentless.sh # service should be stopped cleanly systemd-run --wait \ --unit=five \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup-parentless.sh 'systemctl stop five' # service should still exit cleanly despite SIGKILL (the main process already exited cleanly) systemd-run --wait \ --unit=six \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup-parentless.sh 'systemctl kill --signal 9 six' systemd-analyze log-level info Found error in /usr/lib/systemd/tests/testdata/units/TEST-17-UDEV.SYSTEMD_WANTS-escape.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-17-UDEV.SYSTEMD_WANTS-escape.sh IFNAME=test-netif-foo at_exit() { set +e rm -f /tmp/output-i /tmp/output-I rm -rf /run/udev/rules.d/ udevadm control --reload rm -f /run/systemd/system/test@.service -- mkdir -p /run/systemd/system/ cat >/run/systemd/system/test@.service </tmp/output-i; echo "I=/%I" >/tmp/output-I' RemainAfterExit=yes EOF systemctl daemon-reload -- udevadm wait --timeout 30 --settle "/sys/class/net/${IFNAME}" assert_eq "$(udevadm info --query=property --property SYSTEMD_WANTS --value "/sys/class/net/${IFNAME}")" "test@${ESCAPED}.service" # The value shown by systemctl is doubly escaped and quoted. assert_eq "$(systemctl show -p Wants --value "${ESCAPED}.device")" "\"test@${SHELL_ESCAPED}.service\"" timeout 30 bash -c 'until [[ -s /tmp/output-i ]] && [[ -s /tmp/output-I ]]; do sleep .5; done' assert_eq "$(cat /tmp/output-i)" "i=${ESCAPED}" assert_eq "$(cat /tmp/output-I)" "I=${SYSPATH}" exit 0 Found error in /usr/lib/systemd/tests/testdata/units/TEST-15-DROPIN.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-15-DROPIN.sh testcase_symlink_dropin_directory() { # For issue #21920. echo "Testing symlink drop-in directory..." create_services test15-a rmdir /{etc,run,usr/lib}/systemd/system/test15-a.service.d mkdir -p /tmp/TEST-15-DROPIN-test15-a-dropin-directory ln -s /tmp/TEST-15-DROPIN-test15-a-dropin-directory /etc/systemd/system/test15-a.service.d cat >/tmp/TEST-15-DROPIN-test15-a-dropin-directory/override.conf </tmp/cred.path systemd-nspawn --directory="$root" \ --load-credential=cred.path:/tmp/cred.path \ --set-credential="cred.set:hello world" \ bash -xec '[[ "$(/tmp/bind systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/bind \ bash -c 'test -e /tmp/bind' rm -fr "$root" /tmp/bind } testcase_norbind() { # https://github.com/systemd/systemd/issues/13170 local root root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.norbind-path.XXX)" mkdir -p /tmp/binddir/subdir echo -n "outer" >/tmp/binddir/subdir/file mount -t tmpfs tmpfs /tmp/binddir/subdir echo -n "inner" >/tmp/binddir/subdir/file create_dummy_container "$root" systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/binddir:/mnt:norbind \ bash -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; exit 1; fi' umount /tmp/binddir/subdir rm -fr "$root" /tmp/binddir/ } rootidmap_cleanup() { local dir="${1:?}" -- local root cmd permissions local owner=1000 root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.rootidmap-path.XXX)" # Create ext4 image, as ext4 supports idmapped-mounts. mkdir -p /tmp/rootidmap/bind dd if=/dev/zero of=/tmp/rootidmap/ext4.img bs=4k count=2048 mkfs.ext4 /tmp/rootidmap/ext4.img mount /tmp/rootidmap/ext4.img /tmp/rootidmap/bind trap "rootidmap_cleanup /tmp/rootidmap/" RETURN touch /tmp/rootidmap/bind/file chown -R "$owner:$owner" /tmp/rootidmap/bind create_dummy_container "$root" cmd='PERMISSIONS=$(stat -c "%u:%g" /mnt/file); if [[ $PERMISSIONS != "0:0" ]]; then echo "*** wrong permissions: $PERMISSIONS"; return 1; fi; touch /mnt/other_file' if ! SYSTEMD_LOG_TARGET=console \ systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/rootidmap/bind:/mnt:rootidmap \ bash -c "$cmd" |& tee nspawn.out; then if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then echo "idmapped mounts are not supported, skipping the test..." return 0 fi return 1 fi permissions=$(stat -c "%u:%g" /tmp/rootidmap/bind/other_file) if [[ $permissions != "$owner:$owner" ]]; then echo "*** wrong permissions: $permissions" [[ "$IS_USERNS_SUPPORTED" == "yes" ]] && return 1 fi } -- local root cmd permissions local owner=1000 root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.owneridmap-path.XXX)" # Create ext4 image, as ext4 supports idmapped-mounts. mkdir -p /tmp/owneridmap/bind dd if=/dev/zero of=/tmp/owneridmap/ext4.img bs=4k count=2048 mkfs.ext4 /tmp/owneridmap/ext4.img mount /tmp/owneridmap/ext4.img /tmp/owneridmap/bind trap "owneridmap_cleanup /tmp/owneridmap/" RETURN touch /tmp/owneridmap/bind/file chown -R "$owner:$owner" /tmp/owneridmap/bind # Allow users to read and execute / in order to execute binaries chmod o+rx "$root" create_dummy_container "$root" -- if ! SYSTEMD_LOG_TARGET=console \ systemd-nspawn --register=no \ --directory="$root" \ -U \ --user=testuser \ --bind=/tmp/owneridmap/bind:/home/testuser:owneridmap \ ${COVERAGE_BUILD_DIR:+--bind="$COVERAGE_BUILD_DIR"} \ /usr/bin/bash -c "$cmd" |& tee nspawn.out; then if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then echo "idmapped mounts are not supported, skipping the test..." return 0 fi return 1 fi permissions=$(stat -c "%u:%g" /tmp/owneridmap/bind/other_file) if [[ $permissions != "$owner:$owner" ]]; then echo "*** wrong permissions: $permissions" [[ "$IS_USERNS_SUPPORTED" == "yes" ]] && return 1 fi } -- create_dummy_container "$root" entrypoint="$root/entrypoint.sh" cat >"$entrypoint" <<\EOF #!/usr/bin/bash -ex . /tmp/os-release [[ -n "${ID:-}" && "$ID" != "$container_host_id" ]] && exit 1 [[ -n "${VERSION_ID:-}" && "$VERSION_ID" != "$container_host_version_id" ]] && exit 1 [[ -n "${BUILD_ID:-}" && "$BUILD_ID" != "$container_host_build_id" ]] && exit 1 [[ -n "${VARIANT_ID:-}" && "$VARIANT_ID" != "$container_host_variant_id" ]] && exit 1 -- echo MARKER=1 >>/etc/os-release fi systemd-nspawn --register=no \ --directory="$root" \ --bind="$os_release_source:/tmp/os-release" \ "${entrypoint##"$root"}" if grep -q MARKER /etc/os-release; then ln -svrf /usr/lib/os-release /etc/os-release fi -- rm -fr "$root" } testcase_machinectl_bind() { local service_path service_name root container_name ec local cmd='for i in $(seq 1 20); do if test -f /tmp/marker; then exit 0; fi; sleep .5; done; exit 1;' root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.machinectl-bind.XXX)" create_dummy_container "$root" container_name="$(basename "$root")" -- ExecStart=systemd-nspawn --directory="$root" --notify-ready=no /usr/bin/bash -xec "$cmd" EOF systemctl daemon-reload systemctl start "$service_name" touch /tmp/marker machinectl bind --mkdir "$container_name" /tmp/marker timeout 10 bash -c "while [[ '\$(systemctl show -P SubState $service_name)' == running ]]; do sleep .2; done" ec="$(systemctl show -P ExecMainStatus "$service_name")" systemctl stop "$service_name" -- mkdir -p /run/systemd/nspawn/ rm -f "/etc/systemd/nspawn/$container_name.nspawn" cat >"/run/systemd/nspawn/$container_name.nspawn" <"/var/lib/machines/$NSPAWN_FRAGMENT" </tmp/fragment.nspawn </tmp/expected varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List "{\"pid\":$pid}" | diff /tmp/expected - varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List "{\"name\":\"long-running\", \"pid\":$pid}" | diff /tmp/expected - (! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List "{\"name\":\"non-existent\", \"pid\":$pid}") (! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{"name":""}') (! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{"name":"ah@??.hmm"}') # test io.systemd.Machine.Kill -- varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "tty"}' varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "login"}' varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell"}' rm -f /tmp/none-existent-file varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/bin/sh", "args": ["/bin/sh", "-c", "echo $FOO > /tmp/none-existent-file"], "environment": ["FOO=BAR"]}' timeout 30 bash -c "until test -e /tmp/none-existent-file; do sleep .5; done" grep -q "BAR" /tmp/none-existent-file # test io.systemd.MachineImage.List varlinkctl --more call /run/systemd/machine/io.systemd.MachineImage io.systemd.MachineImage.List '{}' | grep 'long-running' varlinkctl --more call /run/systemd/machine/io.systemd.MachineImage io.systemd.MachineImage.List '{}' | grep '.host' varlinkctl call /run/systemd/machine/io.systemd.MachineImage io.systemd.MachineImage.List '{"name":"long-running"}' Found error in /usr/lib/systemd/tests/testdata/units/TEST-07-PID1.private-pids.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-07-PID1.private-pids.sh # Unmount any file systems if [[ "$HAS_EXISTING_SCSI_MOUNT" == "no" ]]; then umount /proc/scsi fi umount /tmp/TEST-07-PID1-private-pids-proc rm -rf /tmp/TEST-07-PID1-private-pids-proc # Remove any test files rm -rf /tmp/TEST-07-PID1-private-pids-services rm -rf /tmp/TEST-07-PID1-private-pids-root # Stop any test services systemctl kill --signal=KILL TEST-07-PID1-private-pid.service # Remove any failed transient units systemctl reset-failed } -- assert_eq "$(systemctl show -P ExecMainStatus TEST-07-PID1-private-pid.service)" "9" systemctl reset-failed } testcase_analyze() { mkdir -p /tmp/TEST-07-PID1-private-pids-services # Verify other services are compatible with PrivatePIDs=yes cat </tmp/TEST-07-PID1-private-pids-services/oneshot-valid.service [Service] ExecStart=echo hello PrivatePIDs=yes Type=oneshot EOF # Verify Type=forking services are not compatible with PrivatePIDs=yes cat </tmp/TEST-07-PID1-private-pids-services/forking-invalid.service [Service] ExecStart=echo hello PrivatePIDs=yes Type=forking EOF systemd-analyze --recursive-errors=no verify /tmp/TEST-07-PID1-private-pids-services/oneshot-valid.service (! systemd-analyze --recursive-errors=no verify /tmp/TEST-07-PID1-private-pids-services/forking-invalid.service) rm -rf /tmp/TEST-07-PID1-private-pids-services } testcase_multiple_features() { unsquashfs -no-xattrs -d /tmp/TEST-07-PID1-private-pids-root /usr/share/minimal_0.raw systemd-run \ -p PrivatePIDs=yes \ -p RootDirectory=/tmp/TEST-07-PID1-private-pids-root \ -p ProcSubset=pid \ -p BindReadOnlyPaths=/usr/share \ -p NoNewPrivileges=yes \ -p ProtectSystem=strict \ -p User=testuser\ -- -p Environment=ABC=QED \ --wait \ --pipe \ grep MARKER=1 /etc/os-release rm -rf /tmp/TEST-07-PID1-private-pids-root } testcase_unpriv() { if [ ! -f /usr/lib/systemd/user/dbus.socket ] && [ ! -f /etc/systemd/user/dbus.socket ]; then echo "Per-user instances are not supported, skipping unprivileged PrivatePIDs=yes test" -- # be at least 1 unmasked procfs mount in ANY directory. Otherwise, if /proc/ is masked (e.g. /proc/scsi is # over-mounted with tmpfs), then mounting a new /proc/ will fail. # # Thus, to guarantee PrivatePIDs=yes tests for unprivileged users pass, we mount a new procfs on a temporary # directory with no masking. This will guarantee an unprivileged user can mount a new /proc/ successfully. mkdir -p /tmp/TEST-07-PID1-private-pids-proc mount -t proc proc /tmp/TEST-07-PID1-private-pids-proc # Verify running as unprivileged user can unshare PID namespace and mounts /proc properly. assert_eq "$(runas testuser systemd-run --wait --user --pipe -p PrivatePIDs=yes readlink /proc/self)" "1" assert_eq "$(runas testuser systemd-run --wait --user --pipe -p PrivatePIDs=yes ps aux --no-heading | wc -l)" "1" umount /tmp/TEST-07-PID1-private-pids-proc rm -rf /tmp/TEST-07-PID1-private-pids-proc # Now we will mask /proc/ by mounting tmpfs over /proc/scsi. This will guarantee that mounting /proc/ will fail # for unprivileged users when using PrivatePIDs=yes. Now units should fail as PrivatePIDs=yes has no graceful # fallback. # Found error in /usr/lib/systemd/tests/testdata/units/TEST-07-PID1.main-PID-change.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-07-PID1.main-PID-change.sh # Update it back to our own PID, this should also work systemd-notify --uid=1000 MAINPID="$MAINPID" test "$(systemctl show -P MainPID TEST-07-PID1.service)" -eq "$MAINPID" cat >/tmp/test-mainpid.sh <<\EOF #!/usr/bin/env bash set -eux set -o pipefail -- sleep infinity & disown echo $MAINPID >/run/mainpidsh/pid EOF chmod +x /tmp/test-mainpid.sh systemd-run --unit=test-mainpidsh.service \ -p StandardOutput=tty \ -p StandardError=tty \ -p Type=forking \ -p RuntimeDirectory=mainpidsh \ -p PIDFile=/run/mainpidsh/pid \ /tmp/test-mainpid.sh test "$(systemctl show -P MainPID test-mainpidsh.service)" -eq "$(cat /run/mainpidsh/pid)" cat >/tmp/test-mainpid2.sh <<\EOF #!/usr/bin/env bash set -eux set -o pipefail -- disown echo $MAINPID >/run/mainpidsh2/pid chown 1001:1001 /run/mainpidsh2/pid EOF chmod +x /tmp/test-mainpid2.sh systemd-run --unit=test-mainpidsh2.service \ -p StandardOutput=tty \ -p StandardError=tty \ -p Type=forking \ -p RuntimeDirectory=mainpidsh2 \ -p PIDFile=/run/mainpidsh2/pid \ /tmp/test-mainpid2.sh test "$(systemctl show -P MainPID test-mainpidsh2.service)" -eq "$(cat /run/mainpidsh2/pid)" cat >/dev/shm/test-mainpid3.sh </tmp/output [[ $(wc -l /dev/null # -b always behaves like -b0 journalctl -q -b-1 -b0 | head -1 >/tmp/expected journalctl -q -b-1 -b | head -1 >/tmp/output diff /tmp/expected /tmp/output # ... even when another option follows (both of these should fail due to -m) { journalctl -ball -b0 -m 2>&1 || :; } | head -1 >/tmp/expected { journalctl -ball -b -m 2>&1 || :; } | head -1 >/tmp/output diff /tmp/expected /tmp/output # https://github.com/systemd/systemd/issues/13708 ID=$(systemd-id128 new) systemd-cat -t "$ID" bash -c 'echo parent; (echo child) & wait' & PID=$! wait $PID journalctl --sync # We can drop this grep when https://github.com/systemd/systemd/issues/13937 # has a fix. journalctl -b -o export -t "$ID" --output-fields=_PID | grep '^_PID=' >/tmp/output [[ $(wc -l /tmp/expected systemd-cat -t "$ID" /bin/sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;' journalctl --sync journalctl -b -o cat -t "$ID" >/tmp/output diff /tmp/expected /tmp/output [[ $(journalctl -b -o cat -t "$ID" --output-fields=_TRANSPORT | grep -Pc "^stdout$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=_LINE_BREAK | grep -Pc "^pid-change$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=_PID | sort -u | grep -c "^.*$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=MESSAGE | grep -Pc "^(This will|usually fail|and be truncated)$") -eq 3 ]] -- systemctl start forever-print-hola sleep 3 systemctl restart systemd-journald sleep 3 systemctl stop forever-print-hola [[ ! -f "/tmp/i-lose-my-logs" ]] # https://github.com/systemd/systemd/issues/4408 rm -f /tmp/i-lose-my-logs systemctl start forever-print-hola sleep 3 systemctl kill --signal=SIGKILL systemd-journald sleep 3 [[ ! -f "/tmp/i-lose-my-logs" ]] systemctl stop forever-print-hola set +o pipefail # https://github.com/systemd/systemd/issues/15528 journalctl --follow --file=/var/log/journal/*/* | head -n1 | grep . # https://github.com/systemd/systemd/issues/24565 journalctl --follow --merge | head -n1 | grep . set -o pipefail # https://github.com/systemd/systemd/issues/26746 rm -f /tmp/issue-26746-log /tmp/issue-26746-cursor ID="$(systemd-id128 new)" journalctl -t "$ID" --follow --cursor-file=/tmp/issue-26746-cursor | tee /tmp/issue-26746-log & systemd-cat -t "$ID" /bin/sh -c 'echo hogehoge' # shellcheck disable=SC2016 timeout 10 bash -c 'until [[ -f /tmp/issue-26746-log && "$(cat /tmp/issue-26746-log)" =~ hogehoge ]]; do sleep .5; done' pkill -TERM journalctl timeout 10 bash -c 'until test -f /tmp/issue-26746-cursor; do sleep .5; done' CURSOR_FROM_FILE="$(cat /tmp/issue-26746-cursor)" CURSOR_FROM_JOURNAL="$(journalctl -t "$ID" --output=export MESSAGE=hogehoge | sed -n -e '/__CURSOR=/ { s/__CURSOR=//; p }')" test "$CURSOR_FROM_FILE" = "$CURSOR_FROM_JOURNAL" # Check that the seqnum field at least superficially works systemd-cat echo "ya" -- while read -r file; do filename="${file##*/}" unzstd "$file" -o "$JOURNAL_DIR/${filename%*.zst}" done < <(find /usr/lib/systemd/tests/testdata/test-journals/no-rtc -name "*.zst") journalctl --directory="$JOURNAL_DIR" --list-boots --output=json >/tmp/lb1 diff -u /tmp/lb1 - <<'EOF' [{"index":-3,"boot_id":"5ea5fc4f82a14186b5332a788ef9435e","first_entry":1666569600994371,"last_entry":1666584266223608},{"index":-2,"boot_id":"bea6864f21ad4c9594c04a99d89948b0","first_entry":1666569601005945,"last_entry":1666584347230411},{"index":-1,"boot_id":"4c708e1fd0744336be16f3931aa861fb","first_entry":1666569601017222,"last_entry":1666584354649355},{"index":0,"boot_id":"35e8501129134edd9df5267c49f744a4","first_entry":1666569601009823,"last_entry":1666584438086856}] EOF rm -rf "$JOURNAL_DIR" /tmp/lb1 # Check that using --after-cursor/--cursor-file= together with journal filters doesn't # skip over entries matched by the filter # See: https://github.com/systemd/systemd/issues/30288 UNIT_NAME="test-cursor-$RANDOM.service" Found error in /usr/lib/systemd/tests/testdata/units/TEST-04-JOURNAL.journal-remote.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/TEST-04-JOURNAL.journal-remote.sh # Generate a self-signed certificate for systemd-journal-remote # # Note: older OpenSSL requires a config file with some extra options, unfortunately # Note2: /run here is used on purpose, since the systemd-journal-remote service uses PrivateTmp=yes mkdir -p /run/systemd/journal-remote-tls cat >/tmp/openssl.conf <"$LOG_FILE" awk '!/^(data: \{.+\}|)$/ { exit 1; }' "$LOG_FILE" # Same thing as journalctl --output=export mkdir /tmp/remote-journal curl -LSfs --header "Accept: application/vnd.fdo.journal" http://localhost:19531/entries >"$LOG_FILE" /usr/lib/systemd/systemd-journal-remote --output=/tmp/remote-journal/system.journal --split-mode=none "$LOG_FILE" journalctl --directory=/tmp/remote-journal -t "$TEST_TAG" --grep "$TEST_MESSAGE" rm -rf /tmp/remote-journal/* # Let's do the same thing again, but let systemd-journal-remote spawn curl itself /usr/lib/systemd/systemd-journal-remote --url=http://localhost:19531/entries \ --output=/tmp/remote-journal/system.journal \ --split-mode=none journalctl --directory=/tmp/remote-journal -t "$TEST_TAG" --grep "$TEST_MESSAGE" rm -rf /tmp/remote-journal # /machine curl -LSfs http://localhost:19531/machine >"$LOG_FILE" jq . "$LOG_FILE" -- fi # Generate a self-signed certificate for systemd-journal-gatewayd # # Note: older OpenSSL requires a config file with some extra options, unfortunately cat >/tmp/openssl.conf < /tmp/syncfifo1 } export SYSTEMD_LOG_LEVEL=debug echo "toplevel PID: $BASHPID" |
|
systemd-tmpfiles-common-257.7-alt1.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/systemd-tmpfiles-common-257.7-alt1.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/home.conf /usr/lib/tmpfiles.d/legacy.conf /usr/lib/tmpfiles.d/tmp.conf /usr/lib/tmpfiles.d/var.conf /usr/lib/tmpfiles.d/x11.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
targetcli-3.0.1-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
telegraf-1.35.0-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/telegraf-1.35.0-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/telegraf.conf sisyphus_check: check-fhs ERROR: FHS violation |
|
telegraf-1.35.0-alt1.x86_64 |
subdir-in-var-run |
info |
Found a subdir in /var/run or /var/lock. /var/run and /var/lock may be mounted as temporary filesystems, so the init.d scripts must handle this correctly. This will typically amount to creating any required subdirectories dynamically when the init.d script is run, rather than including them in the package and relying on rpm to create them. |
|
traefik-3.4.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
trivy-0.61.0-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
trivy-server-0.61.0-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
udev-257.7-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/udev-257.7-alt1.x86_64.rpm: Invalid path names: /usr/lib/tmpfiles.d/static-nodes-permissions.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/x86_64/RPMS/udev-257.7-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/50-udev-default.rules /usr/lib/udev/rules.d/60-autosuspend.rules /usr/lib/udev/rules.d/60-block.rules /usr/lib/udev/rules.d/60-cdrom_id.rules /usr/lib/udev/rules.d/60-dmi-id.rules /usr/lib/udev/rules.d/60-drm.rules /usr/lib/udev/rules.d/60-evdev.rules /usr/lib/udev/rules.d/60-fido-id.rules /usr/lib/udev/rules.d/60-infiniband.rules /usr/lib/udev/rules.d/60-input-id.rules /usr/lib/udev/rules.d/60-persistent-alsa.rules /usr/lib/udev/rules.d/60-persistent-input.rules /usr/lib/udev/rules.d/60-persistent-storage-mtd.rules /usr/lib/udev/rules.d/60-persistent-storage-tape.rules /usr/lib/udev/rules.d/60-persistent-storage.rules /usr/lib/udev/rules.d/60-persistent-v4l.rules /usr/lib/udev/rules.d/60-sensor.rules /usr/lib/udev/rules.d/60-serial.rules /usr/lib/udev/rules.d/64-btrfs.rules /usr/lib/udev/rules.d/70-camera.rules /usr/lib/udev/rules.d/70-joystick.rules /usr/lib/udev/rules.d/70-memory.rules /usr/lib/udev/rules.d/70-mouse.rules /usr/lib/udev/rules.d/70-power-switch.rules /usr/lib/udev/rules.d/70-touchpad.rules /usr/lib/udev/rules.d/75-net-description.rules /usr/lib/udev/rules.d/75-probe_mtd.rules /usr/lib/udev/rules.d/78-sound-card.rules /usr/lib/udev/rules.d/80-drivers.rules /usr/lib/udev/rules.d/80-net-setup-link.rules /usr/lib/udev/rules.d/81-net-dhcp.rules /usr/lib/udev/rules.d/90-iocost.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
udev-257.7-alt1.x86_64 |
sisyphus_check-check-dirlist |
warn |
sisyphus_check --check-dirlist failed: package contains a directory /etc/udev/rules.d that exclusively belongs to package udev-rules |
|
udev-rules-sgutils-1.48-alt2.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/udev-rules-sgutils-1.48-alt2.noarch.rpm: invalid udev rules path: /usr/lib/udev/rules.d/00-scsi-sg3_config.rules /usr/lib/udev/rules.d/40-usb-blacklist.rules /usr/lib/udev/rules.d/54-before-scsi-sg3_id.rules /usr/lib/udev/rules.d/55-scsi-sg3_id.rules /usr/lib/udev/rules.d/58-scsi-sg3_symlink.rules /usr/lib/udev/rules.d/59-fc-wwpn-id.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
uki-direct-25.4.1-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
urbackup-client-2.5.25-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
urbackup-server-2.5.33-alt1.x86_64 |
arch-dep-package-has-big-usr-share |
info |
The package has a significant amount of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case, you should move that data elsewhere. |
|
urbackup-server-2.5.33-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
valkey-8.1.2-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
vdsm-4.50.6-alt3.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/vdsm-4.50.6-alt3.noarch.rpm: Invalid path names: /usr/lib/tmpfiles.d/vdsm.conf sisyphus_check: check-fhs ERROR: FHS violation /ALT/Sisyphus/files/noarch/RPMS/vdsm-4.50.6-alt3.noarch.rpm: invalid udev rules path: /usr/lib/udev/rules.d/12-vdsm-lvm.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
vdsm-4.50.6-alt3.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
vdsm-hook-checkips-4.50.6-alt3.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
vdsm-hook-localdisk-4.50.6-alt3.noarch |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/noarch/RPMS/vdsm-hook-localdisk-4.50.6-alt3.noarch.rpm: invalid udev rules path: /usr/lib/udev/rules.d/12-vdsm-localdisk.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
vhostmd-1.1-alt2.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victorialogs-1.23.3-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-1.110.11-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-cluster-vminsert-1.110.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-cluster-vmselect-1.110.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-cluster-vmstorage-1.110.0-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-utils-1.110.11-alt1.x86_64 |
rpm-obsolete-live-package |
info |
The package obsoletes the package victoriametrics-vmctl-0.4.0-alt1.x86_64, but the package victoriametrics-vmctl-0.4.0-alt1.x86_64 is still alive and in the repository. Ask its maintainer to remove it, or, if it should not be removed, remove the Obsoletes: tag. Do not forget to add explicit conflicts with the other package if nessessary. |
|
victoriametrics-vmagent-1.110.11-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-vmalert-1.110.11-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-vmauth-1.110.11-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
victoriametrics-vmctl-0.4.0-alt1.x86_64 |
rpm-package-is-obsoleted |
warn |
The package is obsoleted by the package victoriametrics-utils-1.110.11-alt1.x86_64, but is still alive and in the repository. Consider removing the package, or, if you want the package to be alive, ask the maintainer of victoriametrics-utils-1.110.11-alt1.x86_64 to remove Obsoletes: tag. |
|
virt-manager-5.0.0-alt1.noarch |
freedesktop-categories |
warn |
Menu-related Additional Categories (http://standards.freedesktop.org/menu-spec/latest/apa.html) not found in /usr/share/applications/virt-manager.desktop. Please add it or report a bug against this test if you already have registered one (not including menu unrelated ones as Core or Qt). |
|
vitastor-mon-2.2.2-alt1.noarch |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
vitastor-osd-2.2.2-alt1.x86_64 |
sisyphus_check |
fail |
sisyphus_check failed: /ALT/Sisyphus/files/x86_64/RPMS/vitastor-osd-2.2.2-alt1.x86_64.rpm: license not found in '/usr/share/license' directory: VNPL-1.1 /ALT/Sisyphus/files/x86_64/RPMS/vitastor-osd-2.2.2-alt1.x86_64.rpm: invalid udev rules path: /usr/lib/udev/rules.d/90-vitastor.rules sisyphus_check: check-udev ERROR: udev rules path violation |
|
vitastor-osd-2.2.2-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
vmango-0.12.1-alt1.x86_64 |
systemd-but-no-native-init |
experimental |
The package have native systemd file(s) but no SysV init scripts. |
|
vpnc-0.5.3-alt7.x86_64 |
subdir-in-var-run |
info |
Found a subdir in /var/run or /var/lock. /var/run and /var/lock may be mounted as temporary filesystems, so the init.d scripts must handle this correctly. This will typically amount to creating any required subdirectories dynamically when the init.d script is run, rather than including them in the package and relying on rpm to create them. |
|
vsftpd-3.0.5-alt1.src |
specfile-useradd-n |
warn |
-n in useradd is compat option and can be removed any time. Use -N instead. |