8260dfc
@@ -20,6 +20,8 @@
enable dbus.socket
enable dbus-broker.service
enable sshd.service
+ # https://src.fedoraproject.org/rpms/openssh/pull-request/40
+ enable ssh-host-keys-migration.service
# Locally-running services
enable atd.*
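Review bot: The comment added above the enable ssh-host-keys-migration.service line is only a pull-request URL, so someone reading the preset file cannot tell what the unit is for or when the entry can be dropped. Suggest adding a short description next to the link, for example that the unit handles the permissions migration for the SSHKeySignSuidBit Change, plus a note on when the line can be removed.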
This service aids in the permissions migration for https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
See https://src.fedoraproject.org/rpms/openssh/pull-request/40
Part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=2172956
Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci https://fedora.softwarefactory-project.io/zuul/buildset/af9d57b1d65e4c278a2c9029139f1be1
https://src.fedoraproject.org/rpms/openssh/pull-request/40 was built and submitted:
A few questions/answers from the systemd preset BZ template:
I don't think so. It's just a service that runs.
No.
Yes. It is a oneshot unit. Furthermore, it disables future runs by using a ConditionPathExists=!/var/lib/.ssh-host-keys-migration and an ExecStart=touch /var/lib/.ssh-host-keys-migration.
It's easiest to reason about if we just let the unit run everywhere. On non-OSTree systems the RPM itself disables the unit by writing out the /var/lib/.ssh-host-keys-migration file when the migration occurs in the scriptlet.
LGTM.
Pull-Request has been merged by zbyszek
I also cherry-picked the commit for the f38 branch.
Thanks! Could you possibly do a build and submit a bodhi update?
Well, actually, maybe attach it to this existing bodhi update: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e2b6da44e4 since we would FE that in under one update most likely.
This does not work for anyone except Fedora CoreOS that does preset-all on updates.
To phrase it properly: This only works for Fedora CoreOS because we manually re-preset-all services for each commit and that gets applied on updates.
For everybody else, presets are only applied on first boot so they don't get applied.
I had started working on this for Silverblue/Kinoite in https://pagure.io/workstation-ostree-config/pull-request/246 but never completed it.
Classic DNF systems are "saved" by the fact that we do the change in %post: https://src.fedoraproject.org/rpms/openssh/pull-request/40#_1__41
I think we should go back to a static enablement at the place the change is done (like I had done in https://src.fedoraproject.org/rpms/openssh/pull-request/39#_1__27) so that we keep things in a single place.