There are two ambiguity in the original description:
1. It will delay all RUN instructions, include builtin.
2. It will delay before running RUN, not each of RUN{program} instructions.
The test occasionally fails as the umount is not yet completed when
cryptsetup close is invoked.
Both cryptsetup and losetup have supported deferred cleanup for some
time now, so use it instead to avoid races.
++ losetup -P --show --find /tmp/test-repart.dMOfYQ8UUF/zzz
+ LOOP=/dev/loop6
+ VOLUME=test-repart-11882
+ touch /tmp/test-repart.dMOfYQ8UUF/empty-password
+ cryptsetup open --type=luks2 --key-file=/tmp/test-repart.dMOfYQ8UUF/empty*** test-repart-11882
+ mkdir /tmp/test-repart.dMOfYQ8UUF/mount
+ mount -t ext4 /dev/mapper/test-repart-11882 /tmp/test-repart.dMOfYQ8UUF/mount
+ diff -r /tmp/test-repart.dMOfYQ8UUF/mount/def /tmp/test-repart.dMOfYQ8UUF/definitions
+ umount /tmp/test-repart.dMOfYQ8UUF/mount
+ cryptsetup close test-repart-11882
Device test-repart-11882 is still in use.
+ rm -rf /tmp/test-repart.dMOfYQ8UUF
There are tokens with dots (and other symbols) in PKCS11 URI:
pkcs11:model=Rutoken%20ECP;manufacturer=Aktiv%20Co.;serial=3xxxxxxb;token=livelace
pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;id=%33%32%31%30%33%61%36%37%36%65%32%34%35%62%32%31;type=private
- Handle BPFProgram= property in string format
"<bpf_attach_type>:<bpffs_path>", e.g. egress:/sys/fs/bpf/egress-hook.
- Add dbus getter to list foreign bpf programs attached to a cgroup.
- Pin trivial bpf programs to bpf filesystem, compose BPFProgram= option
string and pass it to a unit. Programs store `0` in r0 BPF register for
denying action, e.g. drop a packet.
- Load trivial BPF programs
- Test is skipped if not run under root or if can not lock enough
memory.
- For egress and ingress hooks, test BPFProgram= option along with
with IP{Egress|Ingress}FilterPath=, expected result should not depend on
which rule is executed first.
Expected results for BPF_CGROUP_INET_INGRESS:
5 packets transmitted, 0 received, 100% packet loss, time 89ms
For BPF_CGROUP_INET_SOCK_CREATE:
ping: socket: Operation not permitted
- Introduce support of cgroup-bpf programs managed (i.e. compiled,
loaded to and unloaded from kernel) externally. Systemd is only
responsible for attaching programs to unit cgroup hence the name
'foreign'.
Foreign BPF programs are identified by bpf program ID and attach type.
systemd:
- Gets kernel FD of BPF program;
- Makes a unique identifier of BPF program from BPF attach type and
program ID. Same program IDs mean the same program, i.e the same
chunk of kernel memory. Even if the same program is passed multiple
times, identical (program_id, attach_type) instances are collapsed
into one;
- Attaches programs to unit cgroup.
- Store foreign bpf programs in cgroup context. A program is considered
foreign if it was loaded to a kernel by an entity external to systemd,
so systemd is responsible only for attach and detach paths.
- Support the case of pinned bpf programs: pinning to bpffs so a program
is kept loaded to the kernel even when program fd is closed by a user
application is a common way to extend program's lifetime.
- Aadd linked list node struct with attach type and bpffs path
fields.
Introduce bpf_cgroup_attach_type_table with accustomed attached type
names also used in bpftool.
Add bpf_cgroup_attach_type_{from|to}_string helpers to convert from|to
string representation of pinned bpf program, e.g.
"egress:/sys/fs/bpf/egress-hook" for
/sys/fs/bpf/egress-hook path and BPF_CGROUP_INET_EGRESS attach type.
Add helpers to:
- Create new BPFProgram instance from a path in bpf
filesystem and bpf attach type;
- Pin a program to bpf fs;
- Get BPF program ID by BPF program FD.
Reduced version of [0].
Use BPF_F_ALLOW_MULTI attach flag for bpf-firewall if kernel supports
it.
Aside from addressing security issue in [0] attaching with 'multi'
allows further attaching of cgroup egress, ingress hooks specified by
BPFProgram=.
[0] 4e42210d40
lstat() returns the error in errno, not as return value. Let's propagate
this correctly.
This broke the bolt test suite, as @gicmo discovered.
Follow-up for acfc2a1d15.
Let's define both an enum and a typedef named SpecialGlyph, the way we
usually do it.
Also, introduce an "invalid" special glyph, assigned to -EINVAL, also
like we always do it. (And handle it somewhat sanely in special_glyph()
'! grep -v' does *not* test that there are no matching lines.
Instead, it checks that whether there are any non-matching lines.
And of course, for the test to fail, '! grep' cannot be part of
an expression with &&.
We were grepping for 'hello world', and in the namespace we would
match on 'hello world', and outside, on 'echo "hello world"'. When
the condition check was fixed, the test gave a false positive.
