Diffstat (limited to 'man')
-rw-r--r-- man/machinectl.xml 7
-rw-r--r-- man/os-release.xml 16
-rw-r--r-- man/systemd-nspawn.xml 13
-rw-r--r-- man/systemd-resolve.xml 6
-rw-r--r-- man/systemd-resolved.service.xml 22
-rw-r--r-- man/systemd.exec.xml 27
-rw-r--r-- man/systemd.network.xml 130
-rw-r--r-- man/systemd.nspawn.xml 9
-rw-r--r-- man/systemd.service.xml 7
9 files changed, 198 insertions, 39 deletions
diff --git a/man/machinectl.xml b/man/machinectl.xml
index 4b7f9a0391..d3891332e4 100644
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@@ -373,8 +373,7 @@
<para>To interactively start a container on the command line
with full access to the container's console, please invoke
<command>systemd-nspawn</command> directly. To stop a running
- container use <command>machinectl poweroff</command>, see
- below.</para></listitem>
+ container use <command>machinectl poweroff</command>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -461,8 +460,8 @@
<listitem><para>Power off one or more containers. This will
trigger a reboot by sending SIGRTMIN+4 to the container's init
process, which causes systemd-compatible init systems to shut
- down cleanly. This operation does not work on containers that
- do not run a
+ down cleanly. Use <command>stop</command> as alias for <command>poweroff</command>.
+ This operation does not work on containers that do not run a
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
init system, such as sysvinit. Use
<command>terminate</command> (see below) to immediately
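Review bot: The added alias sentence is placed between "down cleanly." and "This operation does not work on containers that do not run a", so "This operation" now follows a sentence about <command>stop</command> instead of the description of poweroff itself. Move the alias sentence to the end of the paragraph. The unchanged first sentence also says poweroff "will trigger a reboot", which is worth correcting while this paragraph is being edited.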
diff --git a/man/os-release.xml b/man/os-release.xml
index 4557abc4a3..99bbb61004 100644
--- a/man/os-release.xml
+++ b/man/os-release.xml
@@ -176,6 +176,22 @@
</varlistentry>
<varlistentry>
+ <term><varname>VERSION_CODENAME=</varname></term>
+
+ <listitem><para>
+ A lower-case string (no spaces or other characters outside of
+ 0–9, a–z, ".", "_" and "-") identifying the operating system
+ release code name, excluding any OS name information or
+ release version, and suitable for processing by scripts or
+ usage in generated filenames. This field is optional and may
+ not be implemented on all systems.
+ Examples:
+ <literal>VERSION_CODENAME=buster</literal>,
+ <literal>VERSION_CODENAME=xenial</literal>
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>VERSION_ID=</varname></term>
<listitem><para>A lower-case string (mostly numeric, no spaces
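Review bot: The character set permitted for VERSION_CODENAME= includes ".", while the same paragraph calls the value suitable for "usage in generated filenames"; a value made up only of dots satisfies the rule as written. Consider stating that the value must not be "." or "..", or that scripts building paths from it have to reject those. The new entry also puts a line break after <listitem><para>, whereas the neighbouring VERSION_ID= entry starts its text on the same line.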
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 0c8c699201..08122795f4 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -980,6 +980,19 @@
effect.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>--notify-ready=</varname></term>
+
+ <listitem><para>Configures support for notifications from the container's init process.
+ <varname>--notify-ready=</varname> takes a boolean (<option>no</option> and <option>yes</option>).
+ With option <option>no</option> systemd-nspawn notifies systemd
+ with a <literal>READY=1</literal> message when the init process is created.
+ With option <option>yes</option> systemd-nspawn waits for the
+ <literal>READY=1</literal> message from the init process in the container
+ before sending its own to systemd. For more details about notifications
+ see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).</para></listitem>
+ </varlistentry>
+
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
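Review bot: The last added line of the entry ends in "</citerefentry>).</para>", leaving a ")" with no opening parenthesis; drop it. The term marks the switch up as <varname>--notify-ready=</varname>, while the man/systemd.nspawn.xml hunk in this patch refers to it as <option>--notify-ready=</option> and the man/systemd-resolve.xml hunk uses <option> for its new switch; use <option> in the term here as well. The text also does not say which of <option>no</option> and <option>yes</option> is the default.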
diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml
index 4b66f836a2..b917ac20a2 100644
--- a/man/systemd-resolve.xml
+++ b/man/systemd-resolve.xml
@@ -288,6 +288,12 @@
<listitem><para>Resets the statistics counters shown in <option>--statistics</option> to zero.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--flush-caches</option></term>
+
+ <listitem><para>Flushes all DNS resource record caches the service maintains locally.</para></listitem>
+ </varlistentry>
+
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml
index 829729ca09..485f3e9aee 100644
--- a/man/systemd-resolved.service.xml
+++ b/man/systemd-resolved.service.xml
@@ -146,6 +146,28 @@
</refsect1>
<refsect1>
+ <title>Signals</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><constant>SIGUSR1</constant></term>
+
+ <listitem><para>Upon reception of the SIGUSR1 process signal <command>systemd-resolved</command> will dump the
+ contents of all DNS resource record caches it maintains into the system logs.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>SIGUSR2</constant></term>
+
+ <listitem><para>Upon reception of the SIGUSR2 process signal <command>systemd-resolved</command> will flush all
+ caches it maintains. Note that it should normally not be necessary to request this explicitly – except for
+ debugging purposes – as <command>systemd-resolved</command> flushes the caches automatically anyway any time
+ the host's network configuration changes.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
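Review bot: The SIGUSR2 entry describes flushing the caches without mentioning the <option>--flush-caches</option> switch that this same patch documents in man/systemd-resolve.xml; add a cross-reference so readers find the command line interface rather than signalling the daemon by hand. For SIGUSR1, consider adding that the dump writes the cached resource records into the system logs, where they are visible to anyone with read access to those logs.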
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 4a3dd14c39..1c3256a662 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -146,7 +146,7 @@
<listitem><para>Sets the Unix user or group that the processes
are executed as, respectively. Takes a single user or group
name or ID as argument. If no group is set, the default group
- of the user is chosen.</para></listitem>
+ of the user is chosen. These do not affect commands prefixed with <literal>!</literal>.</para></listitem>
</varlistentry>
<varlistentry>
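Review bot: "These do not affect commands prefixed with <literal>!</literal>" gives no pointer to where the prefix is defined, and the same bare sentence is repeated in each following hunk of this file. Add a reference to the command line prefix description in systemd.service(5), which this patch extends, at least on this first occurrence.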
@@ -161,7 +161,7 @@
this one will have no effect. In any way, this option does not
override, but extends the list of supplementary groups
configured in the system group database for the
- user.</para></listitem>
+ user. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -795,7 +795,8 @@
process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
settings have no effect. If set to <literal>~</literal> (without any further argument), the bounding set is
- reset to the full set of available capabilities, also undoing any previous settings.</para></listitem>
+ reset to the full set of available capabilities, also undoing any previous settings. This does not affect
+ commands prefixed with <literal>!</literal>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -824,7 +825,8 @@
as a non-privileged user but still want to give it some capabilities.
Note that in this case option <constant>keep-caps</constant> is
automatically added to <varname>SecureBits=</varname> to retain the
- capabilities over the user change.</para></listitem>
+ capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect
+ commands prefixed with <literal>!</literal>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -840,8 +842,8 @@
<option>noroot-locked</option>.
This option may appear more than once, in which case the secure
bits are ORed. If the empty string is assigned to this option,
- the bits are reset to 0. See
- <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ the bits are reset to 0. This does not affect commands prefixed with <literal>!</literal>.
+ See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
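Review bot: The added sentence sits between "the bits are reset to 0." and "See ... for details", so "This does not affect commands prefixed with <literal>!</literal>" reads as if it referred to the reset by empty string rather than to the setting as a whole. Name the setting in the sentence, as the AmbientCapabilities= hunk above already does, and place it after the "See ... for details" reference or in its own sentence ahead of the reset text.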
@@ -1097,8 +1099,8 @@
domain transition. However, the policy still needs to
authorize the transition. This directive is ignored if SELinux
is disabled. If prefixed by <literal>-</literal>, all errors
- will be ignored. See
- <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ will be ignored. This does not affect commands prefixed with <literal>!</literal>.
+ See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
@@ -1110,7 +1112,7 @@
Profiles must already be loaded in the kernel, or the unit
will fail. This result in a non operation if AppArmor is not
enabled. If prefixed by <literal>-</literal>, all errors will
- be ignored. </para></listitem>
+ be ignored. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -1129,7 +1131,8 @@
<para>The value may be prefixed by <literal>-</literal>, in
which case all errors will be ignored. An empty value may be
- specified to unset previous assignments.</para>
+ specified to unset previous assignments. This does not affect
+ commands prefixed with <literal>!</literal>.</para>
</listitem>
</varlistentry>
@@ -1180,7 +1183,7 @@
listed explicitly. This option may be specified more than once,
in which case the filter masks are merged. If the empty string
is assigned, the filter is reset, all prior assignments will
- have no effect.</para>
+ have no effect. This does not affect commands prefixed with <literal>!</literal>.</para>
<para>If you specify both types of this option (i.e.
whitelisting and blacklisting), the first encountered will
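Review bot: The sentence appended after "have no effect." says only that the filter "does not affect" <literal>!</literal> commands; for a sandboxing option the consequence should be spelled out, namely that such a command runs without the configured system call filter. A separate short paragraph stating this would be easier to find than a trailing sentence in the text about resetting the filter.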
@@ -1343,7 +1346,7 @@
family should be included in the configured whitelist as it is
frequently used for local communication, including for
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- logging.</para></listitem>
+ logging. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index 821e22aff8..ea98c821fa 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -240,7 +240,7 @@
By enabling DHCPv6 support explicitly, the DHCPv6 client will
be started regardless of the presence of routers on the link,
or what flags the routers pass. See
- <literal>IPv6AcceptRouterAdvertisements=</literal>.</para>
+ <literal>IPv6AcceptRA=</literal>.</para>
<para>Furthermore, note that by default the domain name
specified through DHCP is not used for name resolution.
@@ -527,24 +527,20 @@
<literal>no</literal>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>IPv6AcceptRouterAdvertisements=</varname></term>
- <listitem><para>Force the setting of the <filename>accept_ra</filename>
- (router advertisements) setting for the interface.
- When unset, the kernel default is used, and router
- advertisements are accepted only when local forwarding
- is disabled for that interface.
- When router advertisements are accepted, they will
- trigger the start of the DHCPv6 client if the relevant
- flags are passed, or if no routers are found on the link.
- Takes a boolean. If true, router advertisements are
- accepted, when false, router advertisements are ignored,
- independently of the local forwarding state.</para>
-
- <para>See
- <ulink url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink>
- in the kernel documentation, but note that systemd's
- setting of <constant>1</constant> corresponds to
- kernel's setting of <constant>2</constant>.</para>
+ <term><varname>IPv6AcceptRA=</varname></term>
+ <listitem><para>Enable or disable IPv6 Router Advertisement (RA) reception support for the interface. Takes
+ a boolean parameter. If true, RAs are accepted; if false, RAs are ignored, independently of the local
+ forwarding state. When not set, the kernel default is used, and RAs are accepted only when local forwarding
+ is disabled for that interface. When RAs are accepted, they may trigger the start of the DHCPv6 client if
+ the relevant flags are set in the RA data, or if no routers are found on the link.</para>
+
+ <para>Further settings for the IPv6 RA support may be configured in the
+ <literal>[IPv6AcceptRA]</literal> section, see below.</para>
+
+ <para>Also see <ulink
+ url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink> in the kernel
+ documentation regarding <literal>accept_ra</literal>, but note that systemd's setting of
+ <constant>1</constant> (i.e. true) corresponds to kernel's setting of <constant>2</constant>.</para>
</listitem>
</varlistentry>
<varlistentry>
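Review bot: The term changes from <varname>IPv6AcceptRouterAdvertisements=</varname> to <varname>IPv6AcceptRA=</varname> and the old name disappears from the page without comment. If the old spelling is still accepted, say so in the new entry; if it is not, note that existing .network files need updating, since an unset option falls back to the kernel default described in this paragraph.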
@@ -799,7 +795,7 @@
false.</para>
<para>It is recommended to enable this option only on trusted networks, as setting this affects resolution
- of all host names, in particular to single-label names. It is generally safer to use the supplied domain
+ of all host names, in particular of single-label names. It is generally safer to use the supplied domain
only as routing domain, rather than as search domain, in order to not have it affect local resolution of
single-label names.</para>
@@ -899,6 +895,47 @@
</refsect1>
<refsect1>
+ <title>[IPv6AcceptRA] Section Options</title>
+ <para>The <literal>[IPv6AcceptRA]</literal> section configures the IPv6 Router Advertisement
+ (RA) client, if it is enabled with the <varname>IPv6AcceptRA=</varname> setting described
+ above:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>UseDNS=</varname></term>
+ <listitem>
+ <para>When true (the default), the DNS servers received in the Router Advertisement will be used and take
+ precedence over any statically configured ones.</para>
+
+ <para>This corresponds to the <option>nameserver</option> option in <citerefentry
+ project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>UseDomains=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument, or the special value <literal>route</literal>. When true, the domain name
+ received via IPv6 Router Advertisement (RA) will be used as DNS search domain over this link, similar to
+ the effect of the <option>Domains=</option> setting. If set to <literal>route</literal>, the domain name
+ received via IPv6 RA will be used for routing DNS queries only, but not for searching, similar to the
+ effect of the <option>Domains=</option> setting when the argument is prefixed with
+ <literal>~</literal>. Defaults to false.</para>
+
+ <para>It is recommended to enable this option only on trusted networks, as setting this affects resolution
+ of all host names, in particular of single-label names. It is generally safer to use the supplied domain
+ only as routing domain, rather than as search domain, in order to not have it affect local resolution of
+ single-label names.</para>
+
+ <para>When set to true, this setting corresponds to the <option>domain</option> option in <citerefentry
+ project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+
+ <refsect1>
<title>[DHCPServer] Section Options</title>
<para>The <literal>[DHCPServer]</literal> section contains
settings for the DHCP server, if enabled via the
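Review bot: <varname>UseDNS=</varname> defaults to true and lets DNS servers received in the RA "take precedence over any statically configured ones", yet only the <varname>UseDomains=</varname> entry carries the recommendation to enable the option "only on trusted networks". Add an equivalent caution to the UseDNS= entry or explain why the default is considered safe. The UseDNS= entry also does not state that it takes a boolean, and the section ends with two consecutive blank added lines before the next <refsect1>.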
@@ -1093,6 +1130,39 @@
</varlistentry>
</variablelist>
</refsect1>
+ <refsect1>
+ <title>[BridgeVLAN] Section Options</title>
+ <para>The <literal>[BridgeVLAN]</literal> section manages the VLAN ID configuration of a bridge port and accepts
+ the following keys. Specify several <literal>[BridgeVLAN]</literal> sections to configure several VLAN entries.
+ The <varname>VLANFiltering=</varname> option has to be enabled, see <literal>[Bridge]</literal> section in
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>VLAN=</varname></term>
+ <listitem>
+ <para>The VLAN ID allowed on the port. This can be either a single ID or a range M-N. VLAN IDs are valid
+ from 1 to 4094.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>EgressUntagged=</varname></term>
+ <listitem>
+ <para>The VLAN ID specified here will be used to untag frames on egress. Configuring
+ <varname>EgressUntagged=</varname> implicates the use of <varname>VLAN=</varname> above and will enable the
+ VLAN ID for ingress as well. This can be either a single ID or a range M-N.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PVID=</varname></term>
+ <listitem>
+ <para>The Port VLAN ID specified here is assigned to all untagged frames at ingress.
+ <varname>PVID=</varname> can be used only once. Configuring <varname>PVID=</varname> implicates the use of
+ <varname>VLAN=</varname> above and will enable the VLAN ID for ingress as well.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
<refsect1>
<title>Example</title>
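Review bot: "implicates the use of" in the EgressUntagged= and PVID= entries should read "implies the use of". The valid range "from 1 to 4094" is stated only under VLAN=; repeat or reference it for the other two keys, and say whether PVID= accepts a range, since VLAN= and EgressUntagged= both mention "a range M-N" and PVID= does not. The new <refsect1> also follows the previous </refsect1> with no blank line, unlike the [IPv6AcceptRA] section added earlier in this file.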
@@ -1139,6 +1209,26 @@ Name=enp2s0
Bridge=bridge0</programlisting>
</example>
<example>
+ <title>/etc/systemd/network/25-bridge-slave-interface-vlan.network</title>
+
+ <programlisting>[Match]
+Name=enp2s0
+
+[Network]
+Bridge=bridge0
+
+[BridgeVLAN]
+VLAN=1-32
+PVID=42
+EgressUntagged=42
+
+[BridgeVLAN]
+VLAN=100-200
+
+[BridgeVLAN]
+EgressUntagged=300-400</programlisting>
+ </example>
+ <example>
<title>/etc/systemd/network/25-ipip.network</title>
<programlisting>[Match]
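Review bot: In the first [BridgeVLAN] section of the example, PVID=42 and EgressUntagged=42 lie outside VLAN=1-32, so the example depends on the rule that these keys enable their VLAN ID implicitly; the third section likewise contains only EgressUntagged=300-400. Add a sentence after the listing that states which VLAN IDs end up allowed on the port, so the example can be read without going back to the key descriptions.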
diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml
index 3683412c14..6df4aeb2a9 100644
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@@ -259,6 +259,15 @@
<option>--private-users=</option> command line switch, and takes the same options. This option is privileged
(see above). </para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>NotifyReady=</varname></term>
+
+ <listitem><para>Configures support for notifications from the container's init process.
+ This is equivalent to use <option>--notify-ready=</option> command line switch,
+ and takes the same options. See <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ for details about the specific options supported.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
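Review bot: "This is equivalent to use <option>--notify-ready=</option> command line switch" is ungrammatical; write "This is equivalent to the <option>--notify-ready=</option> command line switch, and takes the same options." The entry also does not say whether the option is privileged, which the preceding entry in the context lines states explicitly ("This option is privileged (see above)").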
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 6641dfed4f..6e969abc25 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -295,9 +295,10 @@
If the absolute filename is prefixed with
<literal>-</literal>, an exit code of the command normally
considered a failure (i.e. non-zero exit status or abnormal
- exit due to signal) is ignored and considered success. If both
- <literal>-</literal> and <literal>@</literal> are used, they
- can appear in either order.</para>
+ exit due to signal) is ignored and considered success.
+ If the absolute path is prefixed with <literal>!</literal> then
+ it is executed with full privileges. <literal>-</literal>, <literal>@</literal>, and <literal>!</literal>
+ may be used together and they can appear in any order.</para>
<para>If more than one command is specified, the commands are
invoked sequentially in the order they appear in the unit
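Review bot: "it is executed with full privileges" does not tell the reader which settings are bypassed, while the man/systemd.exec.xml hunks in this patch mark them one by one (user and group, supplementary groups, capability sets, secure bits, SELinux context, AppArmor profile, system call filter, address family restrictions). Reference systemd.exec(5) here or summarise that list, so the scope of <literal>!</literal> is defined in one place. The added text also says "absolute path" where the unchanged sentence above it says "absolute filename"; use one term.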