Merge pull request systemd#33241 from DaanDeMeyer/noble

ci: Switch to Ubuntu 24.04

.github/workflows/build_test.sh

@@ -84,6 +84,14 @@ if [[ "$COMPILER" == clang ]]; then
     CXX="clang++-$COMPILER_VERSION"
     AR="llvm-ar-$COMPILER_VERSION"
 
+    if systemd-analyze compare-versions "$COMPILER_VERSION" ge 17; then
+        CFLAGS="-fno-sanitize=function"
+        CXXFLAGS="-fno-sanitize=function"
+    else
+        CFLAGS=""
+        CXXFLAGS=""
+    fi
+
     # Prefer the distro version if available
     if ! apt-get -y install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then
         # Latest LLVM stack deb packages provided by https://apt.llvm.org/
@@ -99,6 +107,8 @@ elif [[ "$COMPILER" == gcc ]]; then
     CC="gcc-$COMPILER_VERSION"
     CXX="g++-$COMPILER_VERSION"
     AR="gcc-ar-$COMPILER_VERSION"
+    CFLAGS=""
+    CXXFLAGS=""
 
     if ! apt-get -y install --dry-run "gcc-$COMPILER_VERSION" >/dev/null; then
         # Latest gcc stack deb packages provided by
@@ -112,18 +122,19 @@ else
 fi
 
 # This is added by default, and it is often broken, but we don't need anything from it
-sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
-# PPA with some newer build dependencies (like zstd)
-sudo add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
-sudo add-apt-repository -y --no-update --enable-source
+sudo rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+# add-apt-repository --enable-source does not work on deb822 style sources.
+for f in /etc/apt/sources.list.d/*.sources; do
+    sudo sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+done
 sudo apt-get -y update
 sudo apt-get -y build-dep systemd
 sudo apt-get -y install "${PACKAGES[@]}"
 # Install more or less recent meson and ninja with pip, since the distro versions don't
 # always support all the features we need (like --optimization=). Since the build-dep
 # command above installs the distro versions, let's install the pip ones just
 # locally and add the local bin directory to the $PATH.
-pip3 install --user -r .github/workflows/requirements.txt --require-hashes
+pip3 install --user -r .github/workflows/requirements.txt --require-hashes --break-system-packages
 export PATH="$HOME/.local/bin:$PATH"
 
 $CC --version
@@ -141,8 +152,8 @@ for args in "${ARGS[@]}"; do
     info "Checking build with $args"
     # shellcheck disable=SC2086
     if ! AR="$AR" \
-         CC="$CC" CC_LD="$LINKER" CFLAGS="-Werror" \
-         CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="-Werror" \
+         CC="$CC" CC_LD="$LINKER" CFLAGS="$CFLAGS" \
+         CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
          meson setup \
                -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
                -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \

.github/workflows/build_test.yml

@@ -17,7 +17,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ toJSON(matrix.env) }}-${{ github.ref }}
       cancel-in-progress: true

.github/workflows/cflite_pr.yml

@@ -13,7 +13,7 @@ permissions: read-all
 
 jobs:
   PR:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]'
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}

.github/workflows/cifuzz.yml

@@ -22,7 +22,8 @@ on:
       - main
 jobs:
   Fuzzing:
-    runs-on: ubuntu-latest
+    # FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04.
+    runs-on: ubuntu-22.04
     if: github.repository == 'systemd/systemd'
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }}

.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
   analyze:
     name: Analyze
     if: github.repository != 'systemd/systemd-security'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
       cancel-in-progress: true

.github/workflows/coverity.yml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: github.repository == 'systemd/systemd'
     env:
       # Set in repo settings -> secrets -> actions

.github/workflows/development_freeze.yml

@@ -17,7 +17,7 @@ jobs:
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success' &&
       github.repository == 'systemd/systemd'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     permissions:
       pull-requests: write

.github/workflows/differential-shellcheck.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   lint:
     if: github.event.repository.name != 'systemd-security'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     permissions:
       security-events: write

.github/workflows/gather-pr-metadata.yml

@@ -12,7 +12,7 @@ permissions:
 jobs:
   gather-metadata:
     if: github.repository == 'systemd/systemd'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Repository checkout

.github/workflows/issue_labeler.yml

@@ -10,7 +10,7 @@ permissions:
 
 jobs:
   label-component:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     permissions:
       issues: write

.github/workflows/labeler.yml

@@ -24,7 +24,7 @@ permissions:
 jobs:
   triage:
     if: github.repository == 'systemd/systemd'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       pull-requests: write
 

.github/workflows/linter.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   build:
     name: Lint Code Base
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 0
 
       - name: Lint Code Base
-        uses: super-linter/super-linter/slim@4e51915f4a812abf59fed160bb14595c0a38a9e7
+        uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589
         env:
           DEFAULT_BRANCH: main
           MULTI_STATUS: false

.github/workflows/make_release.yml

@@ -11,7 +11,7 @@ permissions:
 jobs:
   release:
     if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     permissions:
       contents: write

.github/workflows/mkosi.yml

@@ -46,7 +46,7 @@ permissions:
 
 jobs:
   ci:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }}
       cancel-in-progress: true
@@ -92,7 +92,7 @@ jobs:
 
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-    - uses: systemd/mkosi@38668e8099653cd8499fc8842af894d31ebc0f07
+    - uses: systemd/mkosi@1cc81fb92ef0bb1ef7d51ac1e76327614d41ed74
 
     # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
     # immediately, we remove the files in the background. However, we first move them to a different location
@@ -140,8 +140,6 @@ jobs:
                 LLVM=${{ matrix.llvm }}
 
         [Host]
-        ToolsTree=default
-        ToolsTreeDistribution=fedora
         QemuMem=4G
         # We build with debuginfo so there's no point in mounting the sources into the machine.
         RuntimeBuildSources=no
@@ -153,23 +151,20 @@ jobs:
     - name: Show image summary
       run: mkosi summary
 
-    - name: Install build dependencies
+    - name: Install dependencies
       run: |
-        sudo apt-get install \
-            meson \
+        mkosi dependencies |
+        xargs -d '\n' sudo apt-get install \
             gperf \
-            libfdisk-dev \
-            libtss2-dev \
             libblkid-dev \
-            libmicrohttpd-dev \
             libcap-dev \
-            libcurl4-openssl-dev \
             libcryptsetup-dev \
-            erofs-utils \
-            dosfstools \
-            python3-pefile \
-            sbsigntool \
-            mtools
+            libcurl4-openssl-dev \
+            libfdisk-dev \
+            libmicrohttpd-dev \
+            libmount-dev \
+            libtss2-dev \
+            meson
 
     - name: Configure meson
       run: |
@@ -182,7 +177,7 @@ jobs:
             -Dtpm2=enabled \
             -Dlibcryptsetup=enabled \
             -Dlibcurl=enabled \
-            -Drepart=disabled \
+            -Drepart=enabled \
             -Dfirstboot=true \
             -Dsysusers=true \
             -Dtmpfiles=true \

.github/workflows/scorecards.yml

@@ -23,7 +23,7 @@ jobs:
   analysis:
     name: Scorecards analysis
     if: github.repository == 'systemd/systemd'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write # Used to receive a badge.
 

.github/workflows/unit_tests.sh

@@ -53,14 +53,15 @@ for phase in "${PHASES[@]}"; do
         SETUP)
             info "Setup phase"
             # This is added by default, and it is often broken, but we don't need anything from it
-            rm -f /etc/apt/sources.list.d/microsoft-prod.list
-            # PPA with some newer build dependencies
-            add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
-            add-apt-repository -y --no-update --enable-source
+            rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+            # add-apt-repository --enable-source does not work on deb822 style sources.
+            for f in /etc/apt/sources.list.d/*.sources; do
+                sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+            done
             apt-get -y update
             apt-get -y build-dep systemd
             apt-get -y install "${ADDITIONAL_DEPS[@]}"
-            pip3 install -r .github/workflows/requirements.txt --require-hashes
+            pip3 install -r .github/workflows/requirements.txt --require-hashes --break-system-packages
 
             # Make sure the build dir is accessible even when drop privileges, otherwise the unprivileged
             # part of test-execute gets skipped, since it can't run systemd-executor
@@ -71,6 +72,8 @@ for phase in "${PHASES[@]}"; do
             if [[ "$phase" =~ ^RUN_CLANG ]]; then
                 export CC=clang
                 export CXX=clang++
+                export CFLAGS="-fno-sanitize=function"
+                export CXXFLAGS="-fno-sanitize=function"
                 if [[ "$phase" == RUN_CLANG ]]; then
                     # The docs build is slow and is not affected by compiler/flags, so do it just once
                     MESON_ARGS+=(-Dman=enabled)
@@ -95,6 +98,8 @@ for phase in "${PHASES[@]}"; do
             if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then
                 export CC=clang
                 export CXX=clang++
+                export CFLAGS="-fno-sanitize=function"
+                export CXXFLAGS="-fno-sanitize=function"
                 # Build fuzzer regression tests only with clang (for now),
                 # see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604
                 # -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764

.github/workflows/unit_tests.yml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
       cancel-in-progress: true

mkosi.conf

@@ -10,9 +10,6 @@ MinimumVersion=23~devel
 @CacheDirectory=build/mkosi.cache
 
 [Content]
-# The kernel versions in CentOS Stream 9 and Ubuntu 22.04 don't support orphan_file, but later
-# versions of mkfs.ext4 enabled it by default, so we disable it explicitly.
-Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
 @SELinuxRelabel=no
 BuildSourcesEphemeral=yes
 

mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf

@@ -5,6 +5,9 @@ Distribution=centos
 
 [Content]
 Environment=
+        # The kernel versions in CentOS Stream 9 doesn't support orphan_file, but later versions of
+        # mkfs.ext4 enabled it by default, so we disable it explicitly.
+        Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
         GIT_URL=https://git.centos.org/rpms/systemd.git
         GIT_BRANCH=c9s-sig-hyperscale
         GIT_COMMIT=8cf2aed0181920611421384f7374720db269d6c7

mkosi.images/system/mkosi.postinst.chroot

@@ -3,6 +3,8 @@
 set -e
 set -o nounset
 
+useradd --uid 4711 --create-home --user-group testuser
+
 if command -v authselect >/dev/null; then
     # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
     # let's use the new name if it exists.
@@ -38,15 +40,10 @@ cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
 # Remove to make TEST-73-LOCALE pass on Ubuntu.
 rm -f /etc/default/keyboard
 
-# mkfs.ext4 on CentOS doesn't know the orphan_file feature so clear the mkfs options when we're building for
-# CentOS.
-if [[ "$DISTRIBUTION" == "centos" ]]; then
-    SYSTEMD_REPART_MKFS_OPTIONS_EXT4=""
-fi
-
-export SYSTEMD_REPART_MKFS_OPTIONS_EXT4
-
-systemd-repart \
+# This is executed inside the chroot so no need to disable any features as the default features will match
+# the kernel's supported features.
+SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \
+    systemd-repart \
     --empty=create \
     --dry-run=no \
     --size=auto \