-rw-r--r--man/machinectl.xml19
-rw-r--r--man/systemd.exec.xml9
-rw-r--r--src/core/show-status.c5
-rw-r--r--src/journal/journald-console.c5
4 files changed, 24 insertions, 14 deletions
diff --git a/man/machinectl.xml b/man/machinectl.xml
index eaa247714b..0d57c01765 100644
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@@ -343,18 +343,13 @@
<varlistentry>
<term><command>show</command> [<replaceable>NAME</replaceable>...]</term>
- <listitem><para>Show properties of one or more registered
- virtual machines or containers or the manager itself. If no
- argument is specified, properties of the manager will be
- shown. If a NAME is specified, properties of this virtual
- machine or container are shown. By default, empty properties
- are suppressed. Use <option>--all</option> to show those too.
- To select specific properties to show, use
- <option>--property=</option>. This command is intended to be
- used whenever computer-parsable output is required, and does
- not print the cgroup tree or journal entries. Use
- <command>status</command> if you are looking for formatted
- human-readable output.</para></listitem>
+ <listitem><para>Show properties of one or more registered virtual machines or containers or the manager
+ itself. If no argument is specified, properties of the manager will be shown. If a NAME is specified,
+ properties of this virtual machine or container are shown. By default, empty properties are suppressed. Use
+ <option>--all</option> to show those too. To select specific properties to show, use
+ <option>--property=</option>. This command is intended to be used whenever computer-parsable output is
+ required, and does not print the control group tree or journal entries. Use <command>status</command> if you
+ are looking for formatted human-readable output.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 7453aa7bee..dbe4594730 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -141,8 +141,13 @@
<term><varname>Group=</varname></term>
<listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single
- user or group name, or numeric ID as argument. If no group is set, the default group of the user is used. This
- setting does not affect commands whose command line is prefixed with <literal>+</literal>.</para></listitem>
+ user or group name, or numeric ID as argument. For system services (services run by the system service manager,
+ i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
+ <command>systemd --user</command>), the default is <literal>root</literal>, but <varname>User=</varname> may be
+ used to specify a different user. For user services of any other user, switching user identity is not
+ permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
+ is set, the default group of the user is used. This setting does not affect commands whose command line is
+ prefixed with <literal>+</literal>.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/core/show-status.c b/src/core/show-status.c
index 59ebdc7219..65f9cb888a 100644
--- a/src/core/show-status.c
+++ b/src/core/show-status.c
@@ -61,6 +61,11 @@ int status_vprintf(const char *status, bool ellipse, bool ephemeral, const char
if (vasprintf(&s, format, ap) < 0)
return log_oom();
+ /* Before you ask: yes, on purpose we open/close the console for each status line we write individually. This
+ * is a good strategy to avoid PID 1 getting killed by the kernel's SAK concept (it doesn't fix this entirely,
+ * but minimizes the time window the kernel might end up killing PID 1 due to SAK). It also makes things easier
+ * for us so that we don't have to recover from hangups and suchlike triggered on the console. */
+
fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
if (fd < 0)
return fd;
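Review bot: The new comment above the `open_terminal()` call never expands "SAK" and gives the per-line open/close only as a rationale, not as a rule, so a later change that caches the console fd could silently reintroduce the exposure; the identical comment in the `server_forward_console()` hunk of src/journal/journald-console.c has the same gap. As far as I know, the kernel's Secure Attention Key handling kills processes that hold the affected terminal open, which is why the lifetime of `fd` matters for PID 1 and journald. I would add one sentence to both comments, for example `/* Do not cache this fd across calls: the kernel's Secure Attention Key (SAK) kills every process that has the console open. */`. status_vprintf() starts and ends outside the hunk, so whether `fd` is closed on every exit path cannot be confirmed from here.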
diff --git a/src/journal/journald-console.c b/src/journal/journald-console.c
index fcc9f25814..3a9fba42a3 100644
--- a/src/journal/journald-console.c
+++ b/src/journal/journald-console.c
@@ -102,6 +102,11 @@ void server_forward_console(
tty = s->tty_path ? s->tty_path : "/dev/console";
+ /* Before you ask: yes, on purpose we open/close the console for each log line we write individually. This is a
+ * good strategy to avoid journald getting killed by the kernel's SAK concept (it doesn't fix this entirely,
+ * but minimizes the time window the kernel might end up killing journald due to SAK). It also makes things
+ * easier for us so that we don't have to recover from hangups and suchlike triggered on the console. */
+
fd = open_terminal(tty, O_WRONLY|O_NOCTTY|O_CLOEXEC);
if (fd < 0) {
log_debug_errno(fd, "Failed to open %s for logging: %m", tty);