diff options
Diffstat (limited to 'man')
| -rw-r--r-- | man/machine-id.xml | 15 | ||||
| -rw-r--r-- | man/sd_event_source_set_prepare.xml | 9 | ||||
| -rw-r--r-- | man/sd_id128_get_machine.xml | 65 | ||||
| -rw-r--r-- | man/systemd-nspawn.xml | 17 | ||||
| -rw-r--r-- | man/systemd.exec.xml | 15 | ||||
| -rw-r--r-- | man/systemd.network.xml | 14 | ||||
| -rw-r--r-- | man/systemd.service.xml | 20 | ||||
| -rw-r--r-- | man/systemd.unit.xml | 22 |
8 files changed, 113 insertions, 64 deletions
diff --git a/man/machine-id.xml b/man/machine-id.xml index a722649de4..3c261bffcc 100644 --- a/man/machine-id.xml +++ b/man/machine-id.xml @@ -71,13 +71,14 @@ <para>This machine ID adheres to the same format and logic as the D-Bus machine ID.</para> - <para>This ID uniquely identifies the host. It should be considered "confidential", and must not - be exposed in untrusted environments, in particular on the network. If a stable unique - identifier that is tied to the machine is needed for some application, the machine ID or any - part of it must not be used directly. Instead the machine ID should be hashed with a - cryptographic, keyed hash function, using a fixed, application-specific key. That way the ID - will be properly unique, and derived in a constant way from the machine ID but there will be no - way to retrieve the original machine ID from the application-specific one.</para> + <para>This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in + untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is + needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID + should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. That way the + ID will be properly unique, and derived in a constant way from the machine ID but there will be no way to retrieve + the original machine ID from the application-specific one. The + <citerefentry><refentrytitle>sd_id128_get_machine_app_specific</refentrytitle><manvolnum>3</manvolnum></citerefentry> + API provides an implementation of such an algorithm.</para> <para>The <citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry> diff --git a/man/sd_event_source_set_prepare.xml b/man/sd_event_source_set_prepare.xml index 24861d01d9..ee61d23983 100644 --- a/man/sd_event_source_set_prepare.xml +++ b/man/sd_event_source_set_prepare.xml @@ -76,10 +76,11 @@ specified as <parameter>callback</parameter> will be invoked immediately before the event loop goes to sleep to wait for incoming events. It is invoked with the user data pointer passed - when the event source was created. The callback function may be - used to reconfigure the precise events to wait for. If the - <parameter>callback</parameter> parameter is passed as NULL the - callback function is reset. </para> + when the event source was created. The event source will be disabled + if the callback function returns a negative error code. The callback + function may be used to reconfigure the precise events to wait for. + If the <parameter>callback</parameter> parameter is passed as NULL + the callback function is reset. </para> <para>Event source objects have no preparation callback associated when they are first created with calls such as diff --git a/man/sd_id128_get_machine.xml b/man/sd_id128_get_machine.xml index 9a86c24aed..3938c6d836 100644 --- a/man/sd_id128_get_machine.xml +++ b/man/sd_id128_get_machine.xml @@ -44,6 +44,7 @@ <refnamediv> <refname>sd_id128_get_machine</refname> + <refname>sd_id128_get_machine_app_specific</refname> <refname>sd_id128_get_boot</refname> <refname>sd_id128_get_invocation</refname> <refpurpose>Retrieve 128-bit IDs</refpurpose> @@ -59,6 +60,12 @@ </funcprototype> <funcprototype> + <funcdef>int <function>sd_id128_get_machine_app_specific</function></funcdef> + <paramdef>sd_id128_t <parameter>app_id</parameter></paramdef> + <paramdef>sd_id128_t *<parameter>ret</parameter></paramdef> + </funcprototype> + + <funcprototype> <funcdef>int <function>sd_id128_get_boot</function></funcdef> <paramdef>sd_id128_t *<parameter>ret</parameter></paramdef> </funcprototype> @@ -74,11 +81,22 @@ <refsect1> <title>Description</title> - <para><function>sd_id128_get_machine()</function> returns the - machine ID of the executing host. This reads and parses the - <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> - file. This function caches the machine ID internally to make - retrieving the machine ID a cheap operation.</para> + <para><function>sd_id128_get_machine()</function> returns the machine ID of the executing host. This reads and + parses the <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> + file. This function caches the machine ID internally to make retrieving the machine ID a cheap operation. This ID + may be used wherever a unique identifier for the local system is needed. However, it is recommended to use this ID + as-is only in trusted environments. In untrusted environments it is recommended to derive an application specific + ID from this machine ID, in an irreversable (cryptographically secure) way. To make this easy + <function>sd_id128_get_machine_app_specific()</function> is provided, see below.</para> + + <para><function>sd_id128_get_machine_app_specific()</function> is similar to + <function>sd_id128_get_machine()</function>, but retrieves a machine ID that is specific to the application that is + identified by the indicated application ID. It is recommended to use this function instead of + <function>sd_id128_get_machine()</function> when passing an ID to untrusted environments, in order to make sure + that the original machine ID may not be determined externally. The application-specific ID should be generated via + a tool like <command>journalctl --new-id128</command>, and may be compiled into the application. This function will + return the same application-specific ID for each combination of machine ID and application ID. Internally, this + function calculates HMAC-SHA256 of the application ID, keyed by the machine ID.</para> <para><function>sd_id128_get_boot()</function> returns the boot ID of the executing kernel. This reads and parses the @@ -95,10 +113,10 @@ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details. The ID is cached internally. In future a different mechanism to determine the invocation ID may be added.</para> - <para>Note that <function>sd_id128_get_boot()</function> and <function>sd_id128_get_invocation()</function> always - return UUID v4 compatible IDs. <function>sd_id128_get_machine()</function> will also return a UUID v4-compatible - ID on new installations but might not on older. It is possible to convert the machine ID into a UUID v4-compatible - one. For more information, see + <para>Note that <function>sd_id128_get_machine_app_specific()</function>, <function>sd_id128_get_boot()</function> + and <function>sd_id128_get_invocation()</function> always return UUID v4 compatible IDs. + <function>sd_id128_get_machine()</function> will also return a UUID v4-compatible ID on new installations but might + not on older. It is possible to convert the machine ID into a UUID v4-compatible one. For more information, see <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> <para>For more information about the <literal>sd_id128_t</literal> @@ -117,13 +135,36 @@ <refsect1> <title>Notes</title> - <para>The <function>sd_id128_get_machine()</function>, <function>sd_id128_get_boot()</function> and - <function>sd_id128_get_invocation()</function> interfaces are available as a shared library, which can be compiled - and linked to with the <literal>libsystemd</literal> <citerefentry + <para>The <function>sd_id128_get_machine()</function>, <function>sd_id128_get_machine_app_specific()</function> + <function>sd_id128_get_boot()</function> and <function>sd_id128_get_invocation()</function> interfaces are + available as a shared library, which can be compiled and linked to with the + <literal>libsystemd</literal> <citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry> file.</para> </refsect1> <refsect1> + <title>Examples</title> + + <example> + <title>Application-specific machine ID</title> + + <para>Here's a simple example for an application specific machine ID:</para> + + <programlisting>#include <systemd/sd-id128.h> +#include <stdio.h> + +#define OUR_APPLICATION_ID SD_ID128_MAKE(c2,73,27,73,23,db,45,4e,a6,3b,b9,6e,79,b5,3e,97) + +int main(int argc, char *argv[]) { + sd_id128_t id; + sd_id128_get_machine_app_specific(OUR_APPLICATION_ID, &id); + printf("Our application ID: " SD_ID128_FORMAT_STR "\n", SD_ID128_FORMAT_VAL(id)); + return 0; +}</programlisting> + </example> + </refsect1> + + <refsect1> <title>See Also</title> <para> diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index cd0a90d82f..2bc81ea1aa 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -235,17 +235,34 @@ identified by the partition types defined by the <ulink url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions Specification</ulink>.</para></listitem> + + <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem> </itemizedlist> <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists and is empty.</para> + <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity + hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option> + option.</para> + <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified together with <option>--directory=</option>, <option>--template=</option>.</para></listitem> </varlistentry> <varlistentry> + <term><option>--root-hash=</option></term> + + <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data + integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The + specified hash must match the root hash of integrity data, and is usually at least 256bits (and hence 64 + hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but a file with + the <filename>.roothash</filename> suffix is found next to the image file, bearing otherwise the same name the + root hash is read from it and automatically used.</para></listitem> + </varlistentry> + + <varlistentry> <term><option>-a</option></term> <term><option>--as-pid2</option></term> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index ab83876eba..f27e4a5c04 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1806,23 +1806,32 @@ <title>Summary of possible service result variable values</title> <tgroup cols='3'> <colspec colname='result' /> - <colspec colname='status' /> <colspec colname='code' /> + <colspec colname='status' /> <thead> <row> <entry><varname>$SERVICE_RESULT</varname></entry> - <entry><varname>$EXIT_STATUS</varname></entry> <entry><varname>$EXIT_CODE</varname></entry> + <entry><varname>$EXIT_STATUS</varname></entry> </row> </thead> <tbody> <row> + <entry morerows="1" valign="top"><literal>protocol</literal></entry> + <entry valign="top">not set</entry> + <entry>not set</entry> + </row> + <row> + <entry><literal>exited</literal></entry> + <entry><literal>0</literal></entry> + </row> + + <row> <entry morerows="1" valign="top"><literal>timeout</literal></entry> <entry valign="top"><literal>killed</literal></entry> <entry><literal>TERM</literal>, <literal>KILL</literal></entry> </row> - <row> <entry valign="top"><literal>exited</literal></entry> <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 3a366a573b..c7083a4fe6 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -123,7 +123,10 @@ <listitem> <para>A whitespace-separated list of shell-style globs matching the persistent path, as exposed by the udev - property <literal>ID_PATH</literal>.</para> + property <literal>ID_PATH</literal>. If the list is + prefixed with a "!", the test is inverted; i.e. it is + true when <literal>ID_PATH</literal> does not match any + item in the list.</para> </listitem> </varlistentry> <varlistentry> @@ -134,7 +137,8 @@ exposed by the udev property <literal>DRIVER</literal> of its parent device, or if that is not set the driver as exposed by <literal>ethtool -i</literal> of the - device itself.</para> + device itself. If the list is prefixed with a "!", the + test is inverted.</para> </listitem> </varlistentry> <varlistentry> @@ -142,7 +146,8 @@ <listitem> <para>A whitespace-separated list of shell-style globs matching the device type, as exposed by the udev property - <literal>DEVTYPE</literal>.</para> + <literal>DEVTYPE</literal>. If the list is prefixed with + a "!", the test is inverted.</para> </listitem> </varlistentry> <varlistentry> @@ -150,7 +155,8 @@ <listitem> <para>A whitespace-separated list of shell-style globs matching the device name, as exposed by the udev property - <literal>INTERFACE</literal>.</para> + <literal>INTERFACE</literal>. If the list is prefixed + with a "!", the test is inverted.</para> </listitem> </varlistentry> <varlistentry> diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 67c68d2f8b..b244a7e970 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -918,18 +918,14 @@ must be passed as separate words). Lone semicolons may be escaped as <literal>\;</literal>.</para> - <para>Each command line is split on whitespace, with the first - item being the command to execute, and the subsequent items being - the arguments. Double quotes ("...") and single quotes ('...') may - be used, in which case everything until the next matching quote - becomes part of the same argument. C-style escapes are also - supported. The table below contains the list of allowed escape - patterns. Only patterns which match the syntax in the table are - allowed; others will result in an error, and must be escaped by - doubling the backslash. Quotes themselves are removed after - parsing and escape sequences substituted. In addition, a trailing - backslash (<literal>\</literal>) may be used to merge lines. - </para> + <para>Each command line is split on whitespace, with the first item being the command to + execute, and the subsequent items being the arguments. Double quotes ("...") and single quotes + ('...') may be used, in which case everything until the next matching quote becomes part of the + same argument. Quotes themselves are removed. C-style escapes are also supported. The table + below contains the list of known escape patterns. Only escape patterns which match the syntax in + the table are allowed; other patterns may be added in the future and unknown patterns will + result in a warning. In particular, any backslashes should be doubled. Finally, a trailing + backslash (<literal>\</literal>) may be used to merge lines.</para> <para>This syntax is intended to be very similar to shell syntax, but only the meta-characters and expansions described in the diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 40c4cfd854..dbb0dc7bd7 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1246,21 +1246,6 @@ <entry>This is either the unescaped instance name (if applicable) with <filename>/</filename> prepended (if applicable), or the unescaped prefix name prepended with <filename>/</filename>.</entry> </row> <row> - <entry><literal>%c</literal></entry> - <entry>Control group path of the unit</entry> - <entry>This path does not include the <filename>/sys/fs/cgroup/systemd/</filename> prefix.</entry> - </row> - <row> - <entry><literal>%r</literal></entry> - <entry>Control group path of the slice the unit is placed in</entry> - <entry>This usually maps to the parent control group path of <literal>%c</literal>.</entry> - </row> - <row> - <entry><literal>%R</literal></entry> - <entry>Root control group path below which slices and units are placed</entry> - <entry>For system instances, this resolves to <filename>/</filename>, except in containers, where this maps to the container's root control group path.</entry> - </row> - <row> <entry><literal>%t</literal></entry> <entry>Runtime directory</entry> <entry>This is either <filename>/run</filename> (for the system manager) or the path <literal>$XDG_RUNTIME_DIR</literal> resolves to (for user managers).</entry> @@ -1314,13 +1299,6 @@ </tgroup> </table> - <para>Please note that specifiers <literal>%U</literal>, - <literal>%h</literal>, <literal>%s</literal> are mostly useless - when systemd is running in system mode. PID 1 cannot query the - user account database for information, so the specifiers only work - as shortcuts for things which are already specified in a different - way in the unit file. They are fully functional when systemd is - running in <option>--user</option> mode.</para> </refsect1> <refsect1> |