Fix issue: systemctl daemon-reload would sporadically cause udev handler fail (#15253)
#### Why I did it
A workaround to back port the fix for a systemd issue.
The systemd issue: https://github.com/systemd/systemd/issues/24668
The systemd PR to fix the issue: https://github.com/systemd/systemd/pull/24673/files
The formal solution should upgrade systemd to a version that contains the fix. But, systemd is a very basic service, upgrading systemd requires heavy test.
#### How I did it
Copy the correct systemd-udevd.service file in build time
#### Tested branch (Please provide the tested image version)
- [x] 202211
- [ ] <!-- image version 2 -->
```
SONiC Software Version: SONiC.fix-udev.3-b65c7bdec_Internal
SONiC OS Version: 11
Distribution: Debian 11.7
Kernel: 5.10.0-18-2-amd64
Build commit: b65c7bdec
Build date: Mon Jun 19 10:54:50 UTC 2023
Built by: sw-r2d2-bot@r-build-sonic-ci02-241
Platform: x86_64-mlnx_msn4700-r0
HwSKU: ACS-MSN4700
ASIC: mellanox
ASIC Count: 1
Serial Number: MT2022X08597
Model Number: MSN4700-WS2FO
Hardware Revision: A1
Uptime: 08:10:11 up 1 min, 1 user, load average: 1.81, 0.67, 0.24
Date: Sun 25 Jun 2023 08:10:11
Docker images:
REPOSITORY TAG IMAGE ID SIZE
docker-fpm-frr fix-udev.3-b65c7bdec_Internal a7b911e7cb6f 346MB
docker-fpm-frr latest a7b911e7cb6f 346MB
docker-platform-monitor fix-udev.3-b65c7bdec_Internal 94c5178cf80b 731MB
docker-platform-monitor latest 94c5178cf80b 731MB
docker-orchagent fix-udev.3-b65c7bdec_Internal 46b393e0ace8 328MB
docker-orchagent latest 46b393e0ace8 328MB
docker-syncd-mlnx fix-udev.3-b65c7bdec_Internal 1f5c6c23e33a 734MB
docker-syncd-mlnx latest 1f5c6c23e33a 734MB
docker-sflow fix-udev.3-b65c7bdec_Internal 7e45992c8c59 317MB
docker-sflow latest 7e45992c8c59 317MB
docker-teamd fix-udev.3-b65c7bdec_Internal e4d905592cda 316MB
docker-teamd latest e4d905592cda 316MB
docker-nat fix-udev.3-b65c7bdec_Internal 7fe799367580 319MB
docker-nat latest 7fe799367580 319MB
docker-macsec latest d702a5554171 318MB
docker-snmp fix-udev.3-b65c7bdec_Internal 3bce8fcf71cd 338MB
docker-snmp latest 3bce8fcf71cd 338MB
docker-sonic-telemetry fix-udev.3-b65c7bdec_Internal f13949cbc817 597MB
docker-sonic-telemetry latest f13949cbc817 597MB
docker-dhcp-relay latest 153d9072805d 306MB
docker-router-advertiser fix-udev.3-b65c7bdec_Internal aed642b9a6bc 299MB
docker-router-advertiser latest aed642b9a6bc 299MB
docker-sonic-p4rt fix-udev.3-b65c7bdec_Internal a3cae5ca65a7 870MB
docker-sonic-p4rt latest a3cae5ca65a7 870MB
docker-mux fix-udev.3-b65c7bdec_Internal b81f0401b9a8 347MB
docker-mux latest b81f0401b9a8 347MB
docker-eventd fix-udev.3-b65c7bdec_Internal c5917d0e801f 298MB
docker-eventd latest c5917d0e801f 298MB
docker-lldp fix-udev.3-b65c7bdec_Internal fd5dc14a7976 341MB
docker-lldp latest fd5dc14a7976 341MB
docker-database fix-udev.3-b65c7bdec_Internal 438c2715a1dd 299MB
docker-database latest 438c2715a1dd 299MB
docker-sonic-mgmt-framework fix-udev.3-b65c7bdec_Internal 5c50b115fbcd 414MB
docker-sonic-mgmt-framework latest
```
This commit is contained in:
parent
9a5c188b3c
commit
cead17cb55
@ -111,7 +111,7 @@ sudo LANG=C chroot $FILESYSTEM_ROOT mount
|
|||||||
[ -d $TRUSTED_GPG_DIR ] && [ ! -z "$(ls $TRUSTED_GPG_DIR)" ] && sudo cp $TRUSTED_GPG_DIR/* ${FILESYSTEM_ROOT}/etc/apt/trusted.gpg.d/
|
[ -d $TRUSTED_GPG_DIR ] && [ ! -z "$(ls $TRUSTED_GPG_DIR)" ] && sudo cp $TRUSTED_GPG_DIR/* ${FILESYSTEM_ROOT}/etc/apt/trusted.gpg.d/
|
||||||
|
|
||||||
## Pointing apt to public apt mirrors and getting latest packages, needed for latest security updates
|
## Pointing apt to public apt mirrors and getting latest packages, needed for latest security updates
|
||||||
scripts/build_mirror_config.sh files/apt $CONFIGURED_ARCH $IMAGE_DISTRO
|
scripts/build_mirror_config.sh files/apt $CONFIGURED_ARCH $IMAGE_DISTRO
|
||||||
sudo cp files/apt/sources.list.$CONFIGURED_ARCH $FILESYSTEM_ROOT/etc/apt/sources.list
|
sudo cp files/apt/sources.list.$CONFIGURED_ARCH $FILESYSTEM_ROOT/etc/apt/sources.list
|
||||||
sudo cp files/apt/apt.conf.d/{81norecommends,apt-{clean,gzip-indexes,no-languages},no-check-valid-until,apt-multiple-retries} $FILESYSTEM_ROOT/etc/apt/apt.conf.d/
|
sudo cp files/apt/apt.conf.d/{81norecommends,apt-{clean,gzip-indexes,no-languages},no-check-valid-until,apt-multiple-retries} $FILESYSTEM_ROOT/etc/apt/apt.conf.d/
|
||||||
|
|
||||||
@ -294,7 +294,7 @@ then
|
|||||||
## Install Kubernetes master
|
## Install Kubernetes master
|
||||||
echo '[INFO] Install kubernetes master'
|
echo '[INFO] Install kubernetes master'
|
||||||
install_kubernetes ${MASTER_KUBERNETES_VERSION}
|
install_kubernetes ${MASTER_KUBERNETES_VERSION}
|
||||||
|
|
||||||
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -fsSL \
|
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -fsSL \
|
||||||
https://packages.microsoft.com/keys/microsoft.asc | \
|
https://packages.microsoft.com/keys/microsoft.asc | \
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-key add -
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-key add -
|
||||||
@ -309,7 +309,7 @@ then
|
|||||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y remove gnupg
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y remove gnupg
|
||||||
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -o /tmp/cri-dockerd.deb -fsSL \
|
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -o /tmp/cri-dockerd.deb -fsSL \
|
||||||
https://github.com/Mirantis/cri-dockerd/releases/download/v${MASTER_CRI_DOCKERD}/cri-dockerd_${MASTER_CRI_DOCKERD}.3-0.debian-${IMAGE_DISTRO}_amd64.deb
|
https://github.com/Mirantis/cri-dockerd/releases/download/v${MASTER_CRI_DOCKERD}/cri-dockerd_${MASTER_CRI_DOCKERD}.3-0.debian-${IMAGE_DISTRO}_amd64.deb
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install -f /tmp/cri-dockerd.deb
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install -f /tmp/cri-dockerd.deb
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT rm -f /tmp/cri-dockerd.deb
|
sudo LANG=C chroot $FILESYSTEM_ROOT rm -f /tmp/cri-dockerd.deb
|
||||||
else
|
else
|
||||||
echo '[INFO] Skipping Install kubernetes master'
|
echo '[INFO] Skipping Install kubernetes master'
|
||||||
@ -447,6 +447,14 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
|
|||||||
systemd-sysv \
|
systemd-sysv \
|
||||||
ntp
|
ntp
|
||||||
|
|
||||||
|
# Workaround for issue: The udev rule may fail to be executed because the
|
||||||
|
# daemon-reload command is executed in parallel
|
||||||
|
# Github issue: https://github.com/systemd/systemd/issues/24668
|
||||||
|
# Github PR: https://github.com/systemd/systemd/pull/24673
|
||||||
|
# This workaround should be removed after a upstream already contains the fixes
|
||||||
|
sudo patch $FILESYSTEM_ROOT/lib/systemd/system/systemd-udevd.service \
|
||||||
|
files/image_config/systemd/systemd-udevd/fix-udev-rule-may-fail-if-daemon-reload-command-runs.patch
|
||||||
|
|
||||||
if [[ $TARGET_BOOTLOADER == grub ]]; then
|
if [[ $TARGET_BOOTLOADER == grub ]]; then
|
||||||
if [[ $CONFIGURED_ARCH == amd64 ]]; then
|
if [[ $CONFIGURED_ARCH == amd64 ]]; then
|
||||||
GRUB_PKG=grub-pc-bin
|
GRUB_PKG=grub-pc-bin
|
||||||
@ -641,10 +649,10 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/fips"
|
|||||||
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable"
|
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable"
|
||||||
|
|
||||||
# #################
|
# #################
|
||||||
# secure boot
|
# secure boot
|
||||||
# #################
|
# #################
|
||||||
if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
|
if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
|
||||||
# note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
|
# note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
|
||||||
# SECURE_UPGRADE_MODE is signing all the boot component including kernel.
|
# SECURE_UPGRADE_MODE is signing all the boot component including kernel.
|
||||||
# its required to do not enable both features together to avoid conflicts.
|
# its required to do not enable both features together to avoid conflicts.
|
||||||
echo "Secure Boot support build stage: Starting .."
|
echo "Secure Boot support build stage: Starting .."
|
||||||
@ -653,14 +661,14 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
|
|||||||
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
|
||||||
shim-unsigned \
|
shim-unsigned \
|
||||||
grub-efi
|
grub-efi
|
||||||
|
|
||||||
if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then
|
if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then
|
||||||
echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT key missing"
|
echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT key missing"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $SECURE_UPGRADE_MODE == 'dev' ]]; then
|
if [[ $SECURE_UPGRADE_MODE == 'dev' ]]; then
|
||||||
# development signing & verification
|
# development signing & verification
|
||||||
|
|
||||||
if [ ! -f $SECURE_UPGRADE_DEV_SIGNING_KEY ]; then
|
if [ ! -f $SECURE_UPGRADE_DEV_SIGNING_KEY ]; then
|
||||||
echo "Error: SONiC SECURE_UPGRADE_DEV_SIGNING_KEY=$SECURE_UPGRADE_DEV_SIGNING_KEY key missing"
|
echo "Error: SONiC SECURE_UPGRADE_DEV_SIGNING_KEY=$SECURE_UPGRADE_DEV_SIGNING_KEY key missing"
|
||||||
|
@ -0,0 +1,24 @@
|
|||||||
|
# -------------------------------------------------------------------
|
||||||
|
# Patch for /lib/systemd/system/systemd-udevd.service
|
||||||
|
# Fix issue: The udev rule may fail to be executed because the
|
||||||
|
# daemon-reload command is executed in parallel
|
||||||
|
# Github issue: https://github.com/systemd/systemd/issues/24668
|
||||||
|
# Github PR: https://github.com/systemd/systemd/pull/24673
|
||||||
|
# -------------------------------------------------------------------
|
||||||
|
@@ -16,8 +16,6 @@
|
||||||
|
ConditionPathIsReadWrite=/sys
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
-DeviceAllow=block-* rwm
|
||||||
|
-DeviceAllow=char-* rwm
|
||||||
|
Type=notify
|
||||||
|
# Note that udev will reset the value internally for its workers
|
||||||
|
OOMScoreAdjust=-1000
|
||||||
|
@@ -29,7 +27,6 @@
|
||||||
|
KillMode=mixed
|
||||||
|
TasksMax=infinity
|
||||||
|
PrivateMounts=yes
|
||||||
|
-ProtectClock=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
Loading…
Reference in New Issue
Block a user