The SHA for this action was updated by Dependabot in #25900 to a commit
which later disappeared from the repo. Since then Dependabot kept
(silently) failing to bump the SHA further:
updater | 2024/03/31 21:22:13 ERROR <job_807574419> Error processing stefanbuck/github-issue-parser (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | 2024/03/31 21:22:13 ERROR <job_807574419> error: no such commit c1a559d78bfb8dd05216dab9ffd2b91082ff5324
See: https://github.com/systemd/systemd/pull/25900#issuecomment-2028912672
Let's bump the SHA manually to v3.1.0 to get Dependabot back on the track.
Co-authored-by: Evgeny Vereshchagin <evvers@ya.ru>
The new version of `devel-freezer` GitHub Action adds support for milestones, labels, and more. Now, when the `rc` tag is published, it won't post a development freeze comment on PRs included in the next milestone.
This commit also sets a delay of the 20s for PR validation to give some time for updating labels and milestones on submitted PRs.
By always cloning the latest branch commit, we can't bisect properly
using mkosi as when bisecting wildly different packaging sources will
be used compared to when the commit was merged. By using submodules, we
track individual commits which means when bisecting the same packaging
sources will be used.
We use git submodules as dependabot has support for automatically making
PRs to update git submodules. This commit also includes the necessary
dependabot configuration to enable this.
We make ubuntu/debian use the same submodule instead of adding the debian
packaging sources twice by introducing a new $PKG_SUBDIR environment variable
and using it instead of $DISTRIBUTION.
The latest GH Action runners started using 32-bit entropy for ASLR,
which makes it incompatible with llvm-14. This was fixed in later llvm
releases, but these aren't available on Ubuntu Jammy (22.04). Let's
reduce the ASLR entropy to 28-bit, which should make llvm happy again,
until the issue is resolved.
See: https://github.com/actions/runner-images/issues/9491
Instead of running meson install and hoping for the best, let's build
distribution packages from the downstream packaging specs. This gets
us the following:
- Vastly simplified mkosi scripts since we don't need a separate initrd
image anymore but can just reuse the default mkosi initrd.
- Almost everything can move to the base image as its not the basis
anymore for the initrd and as such we don't need to care about the
size anymore.
- The systemd packages that get pulled in as dependencies of other
packages get properly uninstalled and replaced with our packages that
we built instead of just installing on top of an existing systemd
installation with no guarantee that everything from that previous
installation was removed.
- Much better testing coverage as what we're testing is much closer
to what will actually be deployed in distributions.
- Immediate feedback if something we change breaks distribution packaging
- We get integration with the distribution for free as we'll automatically
use the proper directories and such instead of having to hack this
into a mkosi build script.
- ...
For some reason root in GH actions is able to _decrease_ its oom score
even after dropping all capabilities (including CAP_SYS_RESOURCE), until
the oom score is changed explicitly after sudo:
$ systemd-detect-virt
microsoft
$ sudo su -
~# capsh --drop=all -- -c 'capsh --print; grep -H . /proc/self/oom*; choom -p $$ -n -101'
Current: =
Bounding set =
Ambient set =
Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,...,!cap_sys_resource,...,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
/proc/self/oom_adj:8
/proc/self/oom_score:1000
/proc/self/oom_score_adj:500
pid 22180's OOM score adjust value changed from 500 to -101
~# choom -p $$ -n 500
pid 22027's OOM score adjust value changed from 500 to 500
~# capsh --drop=all -- -c 'capsh --print; grep -H . /proc/self/oom*; choom -p $$ -n -101'
Current: =
Bounding set =
Ambient set =
...
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
/proc/self/oom_adj:8
/proc/self/oom_score:1000
/proc/self/oom_score_adj:500
choom: failed to set score adjust value: Permission denied
I have no idea what's going on, but it breaks
exec-oomscoreadjust-negative.service from test-execute when running
unprivileged.
Otherwise the unprivileged part of test-execute gets silently skipped:
/* test_run_tests_unprivileged */
Successfully forked off '(test-execute-unprivileged)' as PID 20998.
...
pin_callout_binary: build dir binary: /home/runner/work/systemd/systemd/build/systemd-executor
pin_callout_binary: open(/home/runner/work/systemd/systemd/build/systemd-executor)=-13
Failed to pin executor binary: No such file or directory
(test-execute-unprivileged): manager_new, skipping tests: No such file or directory
(test-execute-unprivileged) succeeded.
The runner has a lot of useless things installed, taking ~10GB, and
jobs have started to fail when booting images due to lack of disk
space, so delete some directories to make room.
2024-02-27T20:20:58.0998709Z ##[warning]You are running out of disk space. The runner will stop working when the machine runs out of disk space. Free space left: 0 MB
Co-authored-by: Daan De Meyer <daan.j.demeyer@gmail.com>
Both building and booting a directory image is much faster than
building or booting a disk image so let's default to a directory
image.
In CI, we stick to a disk image to make sure that keeps working as
well.
The only extra dependency this introduces is virtiofsd which is
packaged in all distributions except Debian stable. For users
hacking on systemd on Debian stable, a disk image can be built by
writing the following to mkosi.local.conf:
```
[Output]
Format=disk
```
The mkosi github action doesn't set up the host machine for building
full images anymore. Instead, only sufficient packages are installed
to be able to build tools trees so we configure a fedora tools tree
to build the actual images.
