Date: Monday, December 5, 2016 @ 20:33:43 Author: lcarlier Revision: 198071
upgpkg: lib32-systemd 232-1 upstream update 232 Added: lib32-systemd/trunk/0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch lib32-systemd/trunk/0001-disable-RestrictAddressFamilies-on-i686.patch Modified: lib32-systemd/trunk/PKGBUILD -----------------------------------------------------------------+ 0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch | 62 ++++++++++ 0001-disable-RestrictAddressFamilies-on-i686.patch | 30 ++++ PKGBUILD | 60 ++++++++- 3 files changed, 147 insertions(+), 5 deletions(-) Added: 0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch =================================================================== --- 0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch (rev 0) +++ 0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch 2016-12-05 20:33:43 UTC (rev 198071) 
@@ -0,0 +1,62 @@
+From 481712d9ee88395042f0640f272c1f87142bc0a8 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreis...@archlinux.org>
+Date: Wed, 9 Nov 2016 11:14:03 -0500
+Subject: [PATCH] Revert "nspawn: try to bind mount resolved's resolv.conf
+ snippet into the container"
+
+This reverts commit 3539724c26a1b2b00c4eb3c004b635a4b8647de6.
+---
+ src/nspawn/nspawn.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index c8b18bc..93df7c6 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -1309,35 +1309,24 @@ static int setup_resolv_conf(const char *dest) {
+ /* Fix resolv.conf, if possible */
+ where = prefix_roota(dest, "/etc/resolv.conf");
+
+- if (access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) {
+- /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
+- * container, so that the container can use the host's resolver. Given that network namespacing is
+- * disabled it's only natural of the container also uses the host's resolver. It also has the big
+- * advantage that the container will be able to follow the host's DNS server configuration changes
+- * transparently. */
+-
+- r = mount_verbose(LOG_WARNING, "/usr/lib/systemd/resolv.conf", where, NULL, MS_BIND, NULL);
+- if (r >= 0)
+- return mount_verbose(LOG_ERR, NULL, where, NULL,
+- MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
+- }
+-
+- /* If that didn't work, let's copy the file */
+ r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644, 0);
+ if (r < 0) {
+- /* If the file already exists as symlink, let's suppress the warning, under the assumption that
+- * resolved or something similar runs inside and the symlink points there.
++ /* If the file already exists as symlink, let's
++ * suppress the warning, under the assumption that
++ * resolved or something similar runs inside and the
++ * symlink points there.
+ *
+- * If the disk image is read-only, there's also no point in complaining.
++ * If the disk image is read-only, there's also no
++ * point in complaining.
+ */
+ log_full_errno(IN_SET(r, -ELOOP, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
+- "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where);
++ "Failed to copy /etc/resolv.conf to %s: %m", where);
+ return 0;
+ }
+
+ r = userns_lchown(where, 0, 0);
+ if (r < 0)
+- log_warning_errno(r, "Failed to chown /etc/resolv.conf, ignoring: %m");
++ log_warning_errno(r, "Failed to chown /etc/resolv.conf: %m");
+
+ return 0;
+ }
+--
+2.10.2
+
Added: 0001-disable-RestrictAddressFamilies-on-i686.patch
===================================================================
--- 0001-disable-RestrictAddressFamilies-on-i686.patch (rev 0)
+++ 0001-disable-RestrictAddressFamilies-on-i686.patch 2016-12-05 20:33:43 UTC (rev 198071)
@@ -0,0 +1,30 @@
+From ff59e06f9423af0532aaeedf931474823f764875 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreis...@archlinux.org>
+Date: Wed, 9 Nov 2016 08:00:26 -0500
+Subject: [PATCH] disable RestrictAddressFamilies on i686
+
+Shit's broke, yo.
+
+https://github.com/systemd/systemd/issues/4575
+---
+ src/core/execute.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index f666f7c..7d09154 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1254,6 +1254,10 @@ static int apply_address_families(const Unit* u, const ExecContext *c) {
+ Iterator i;
+ int r;
+
++#if defined(__i386__)
++ return 0;
++#endif
++
+ assert(c);
+
+ if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
+--
+2.10.2
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2016-12-05 20:12:03 UTC (rev 198070)
+++ PKGBUILD 2016-12-05 20:33:43 UTC (rev 198071)
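Review bot: The header of the nspawn revert patch gives no reason for carrying it: it says only `This reverts commit 3539724c26a1b2b00c4eb3c004b635a4b8647de6.`, while the issue links that apparently motivate it appear only as comments in the PKGBUILD. Adding `https://github.com/systemd/systemd/issues/4595` and `https://github.com/systemd/systemd/issues/3826` to the patch message would keep the rationale with the patch when it is carried forward or dropped. The revert also removes `, ignoring` from both log messages although setup_resolv_conf() still returns 0 on those paths, so the log no longer tells an operator that the failure is non-fatal. The function starts outside the inner hunk.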
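Review bot: The added `#if defined(__i386__)` / `return 0;` at the top of apply_address_families() turns RestrictAddressFamilies= into a silent no-op on i386 builds: a unit that sets the directive starts without the seccomp address-family filter, and nothing is logged. The early return also sits ahead of `assert(c);` and leaves the rest of the body unreachable on that architecture. If the workaround has to stay, make the loss of hardening visible, e.g. `log_unit_debug(u, "RestrictAddressFamilies= is disabled on i386 in this build, ignoring.");` before the `return 0;`, and put the issue 4575 link in a comment at the `#if` so the block can be removed once upstream fixes it. The function body continues outside the hunk.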
@@ -4,28 +4,78 @@ pkgname=lib32-systemd _pkgbasename=systemd -pkgver=231 +pkgver=232 pkgrel=1 pkgdesc="system and service manager (32-bit)" arch=('x86_64') -url="http://www.freedesktop.org/wiki/Software/systemd" +url="https://www.github.com/systemd/systemd" license=('GPL2' 'LGPL2.1') -depends=('lib32-libgcrypt' 'lib32-xz' 'lib32-libcap' 'lib32-acl' 'lib32-libidn' 'lib32-gcc-libs' 'systemd') +depends=('lib32-libgcrypt' 'lib32-xz' 'lib32-libcap' 'lib32-gcc-libs' 'systemd') makedepends=('lib32-gcc-libs' 'gcc-multilib' 'lib32-libidn' 'lib32-glib2' 'intltool' 'gperf' 'lib32-curl' 'lib32-bzip2' 'git') -source=("git://github.com/systemd/systemd.git#tag=v$pkgver") -md5sums=('SKIP') +options=('strip') +source=("git://github.com/systemd/systemd.git#tag=v$pkgver" + '0001-disable-RestrictAddressFamilies-on-i686.patch' + '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch') +md5sums=('SKIP' + '9536d399938a48fbf38c24e322f4f078' + '2f324d6ddd4fd78b73d453044292b9b1') +validpgpkeys=( + '63CDA1E5D3FC22B998D20DD6327F26951A015CC4' # Lennart Poettering +) _backports=( + '843d5baf6aad6c53fc00ea8d95d83209a4f92de1' # core: don't use the unified hierarchy for the systemd cgroup yet (#4628) + 'abd67ce74858491565cde157c7b08fda43d3279c' # basic/virt: fix userns check on CONFIG_USER_NS=n kernel (#4651) + '4318abe8d26e969ebdb97744a63ab900233a0185' # build-sys: do not install ctrl-alt-del.target symlink twice + 'd112eae7da77899be245ab52aa1747d4675549f1' # device: Avoid calling unit_free(NULL) in device setup logic (#4748) ) +_validate_tag() { + local success fingerprint trusted status tag=v$pkgver + + parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) + + if (( ! success )); then + error 'failed to validate tag %s\n' "$tag" + return 1 + fi + + if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! 
trusted )); then + error 'unknown or untrusted public key: %s\n' "$fingerprint" + return 1 + fi + + case $status in + 'expired') + warning 'the signature has expired' + ;; + 'expiredkey') + warning 'the key has expired' + ;; + esac + + return 0 +} + prepare() { cd systemd + _validate_tag || return + if (( ${#_backports[*]} > 0 )); then git cherry-pick -n "${_backports[@]}" fi + # these patches aren't upstream, but they make v232 more useable. + + # https://github.com/systemd/systemd/issues/4575 + patch -Np1 <../0001-disable-RestrictAddressFamilies-on-i686.patch + + # https://github.com/systemd/systemd/issues/4595 + # https://github.com/systemd/systemd/issues/3826 + patch -Np1 <../0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch + ./autogen.sh }
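Review bot: In `_validate_tag`, the check `if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then` rejects the tag only when the signing key is both missing from `validpgpkeys` and not trusted, so (as the variable name suggests) any key the build machine's keyring already trusts is accepted and the pinned fingerprint is not exclusive. If the intent is to pin the upstream signer, drop the second clause: `if ! in_array "$fingerprint" "${validpgpkeys[@]}"; then`. The function also depends on `parse_gpg_statusfile`, `in_array`, `error` and `warning`, which are not defined in the hunk and presumably come from makepkg itself; a comment saying so would help the next maintainer. The source is still fetched over `git://`, which is unauthenticated, so the tag check is the only integrity control on the tree; `git+https://github.com/systemd/systemd.git#tag=v$pkgver` would add transport protection. The two local patches are pinned with `md5sums`; `sha256sums` is the better choice for new entries.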