Diffstat (limited to 'units')
27 files changed, 65 insertions, 47 deletions
diff --git a/units/.gitignore b/units/.gitignore index 6fdb629c3d..d45492d06b 100644 --- a/units/.gitignore +++ b/units/.gitignore @@ -48,6 +48,7 @@ /systemd-modules-load.service /systemd-networkd-wait-online.service /systemd-networkd.service +/systemd-networkd.service.m4 /systemd-nspawn@.service /systemd-poweroff.service /systemd-quotacheck.service @@ -55,9 +56,9 @@ /systemd-reboot.service /systemd-remount-fs.service /systemd-resolved.service +/systemd-resolved.service.m4 /systemd-hibernate-resume@.service /systemd-rfkill@.service -/systemd-shutdownd.service /systemd-suspend.service /systemd-sysctl.service /systemd-sysusers.service diff --git a/units/basic.target b/units/basic.target index abb63ec560..e0e1e604f8 100644 --- a/units/basic.target +++ b/units/basic.target @@ -8,8 +8,10 @@ [Unit] Description=Basic System Documentation=man:systemd.special(7) - Requires=sysinit.target -After=sysinit.target Wants=sockets.target timers.target paths.target slices.target -After=sockets.target paths.target slices.target +After=sysinit.target sockets.target paths.target slices.target + +# We support /var, /tmp, /var/tmp, being on NFS, but we don't pull in +# remote-fs.target by default, hence explicitly pull /var in here. +RequiresMountsFor=/var /tmp /var/tmp diff --git a/units/console-getty.service.m4.in b/units/console-getty.service.m4.in index 8ac51a471b..413d94094b 100644 --- a/units/console-getty.service.m4.in +++ b/units/console-getty.service.m4.in @@ -9,6 +9,7 @@ Description=Console Getty Documentation=man:agetty(8) After=systemd-user-sessions.service plymouth-quit-wait.service +ConditionPathExists=/dev/console m4_ifdef(`HAVE_SYSV_COMPAT', After=rc-local.service )m4_dnl diff --git a/units/emergency.service.in b/units/emergency.service.in index 2695d7b7c9..52b9b1cd03 100644 --- a/units/emergency.service.in +++ b/units/emergency.service.in 
@@ -18,7 +18,7 @@ Environment=HOME=/root WorkingDirectory=/root ExecStartPre=-/bin/plymouth quit ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\ntry again to boot into default mode.' -ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --fail --no-block default" +ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default" Type=idle StandardInput=tty-force StandardOutput=inherit diff --git a/units/rescue.service.in b/units/rescue.service.in index de73fee654..432e4f3c84 100644 --- a/units/rescue.service.in +++ b/units/rescue.service.in @@ -18,7 +18,7 @@ Environment=HOME=/root WorkingDirectory=/root ExecStartPre=-/bin/plymouth quit ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\nboot into default mode.' -ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --fail --no-block default" +ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default" Type=idle StandardInput=tty-force StandardOutput=inherit diff --git a/units/systemd-binfmt.service.in b/units/systemd-binfmt.service.in index 34a5d5237b..d53073ee61 100644 --- a/units/systemd-binfmt.service.in +++ b/units/systemd-binfmt.service.in @@ -24,3 +24,4 @@ ConditionDirectoryNotEmpty=|/run/binfmt.d Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-binfmt +TimeoutSec=90s diff --git a/units/systemd-fsck-root.service.in b/units/systemd-fsck-root.service.in index 6d7657853e..3617abf04a 100644 --- a/units/systemd-fsck-root.service.in +++ b/units/systemd-fsck-root.service.in @@ -16,5 +16,4 @@ ConditionPathIsReadWrite=!/ Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-fsck -StandardOutput=journal+console TimeoutSec=0 
diff --git a/units/systemd-fsck@.service.in b/units/systemd-fsck@.service.in index 857e625679..0468392dc4 100644 --- a/units/systemd-fsck@.service.in +++ b/units/systemd-fsck@.service.in @@ -17,5 +17,4 @@ Before=shutdown.target Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-fsck %f -StandardOutput=journal+console TimeoutSec=0 diff --git a/units/systemd-hwdb-update.service.in b/units/systemd-hwdb-update.service.in index 791528e2b2..7135cff3d9 100644 --- a/units/systemd-hwdb-update.service.in +++ b/units/systemd-hwdb-update.service.in @@ -21,3 +21,4 @@ ConditionDirectoryNotEmpty=|/etc/udev/hwdb.d/ Type=oneshot RemainAfterExit=yes ExecStart=@rootbindir@/systemd-hwdb update +TimeoutSec=90s diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in index 26759ea0fb..403f15316d 100644 --- a/units/systemd-importd.service.in +++ b/units/systemd-importd.service.in @@ -12,9 +12,7 @@ Documentation=man:systemd-importd.service(8) [Service] ExecStart=@rootlibexecdir@/systemd-importd BusName=org.freedesktop.import1 -CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP +CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE NoNewPrivileges=yes WatchdogSec=1min -PrivateTmp=yes -ProtectSystem=full -ProtectHome=yes +KillMode=mixed diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket index 35397aaeb8..541f2cf38d 100644 --- a/units/systemd-journald-audit.socket +++ b/units/systemd-journald-audit.socket @@ -11,6 +11,7 @@ Documentation=man:systemd-journald.service(8) man:journald.conf(5) DefaultDependencies=no Before=sockets.target ConditionSecurity=audit +ConditionCapability=CAP_AUDIT_READ [Socket] Service=systemd-journald.service diff --git a/units/systemd-machine-id-commit.service.in b/units/systemd-machine-id-commit.service.in index dd765b6608..cccbf7b626 100644 
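Review bot: The systemd-importd.service hunk removes `PrivateTmp=yes`, `ProtectSystem=full` and `ProtectHome=yes` and also widens `CapabilityBoundingSet=` with `CAP_DAC_OVERRIDE`, yet the unit gets no comment explaining why. The service already holds `CAP_SYS_ADMIN`, so after this change `NoNewPrivileges=yes` and the bounding set are the only confinement left in the visible lines. The machined unit in this same commit documents its reason for dropping the equivalent options, and importd should do the same, for example `# No mount-namespace sandboxing here: <reason importd needs the host view>` and `# CAP_DAC_OVERRIDE: <operation that requires it>` (placeholders, since the reason is not visible on this page). If only some of the three options conflict with what importd has to do, keep the rest; `ProtectHome=yes` in particular looks unrelated to image storage, though that should be confirmed against the daemon's code.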
--- a/units/systemd-machine-id-commit.service.in +++ b/units/systemd-machine-id-commit.service.in @@ -19,3 +19,4 @@ ConditionPathIsMountPoint=/etc/machine-id Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-machine-id-commit +TimeoutSec=30s diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index 15f34d9db7..19c33959d6 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -15,10 +15,9 @@ After=machine.slice [Service] ExecStart=@rootlibexecdir@/systemd-machined BusName=org.freedesktop.machine1 -CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH +CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE WatchdogSec=1min -PrivateTmp=yes -PrivateDevices=yes -PrivateNetwork=yes -ProtectSystem=full -ProtectHome=yes + +# Note that machined cannot be placed in a mount namespace, since it +# needs access to the host's mount namespace in order to implement the +# "machinectl bind" operation. diff --git a/units/systemd-modules-load.service.in b/units/systemd-modules-load.service.in index 040a0febe8..9de6d31349 100644 --- a/units/systemd-modules-load.service.in +++ b/units/systemd-modules-load.service.in @@ -24,3 +24,4 @@ ConditionKernelCommandLine=|rd.modules-load Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-modules-load +TimeoutSec=90s diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.m4.in index 5a91b8e499..7f216f331c 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.m4.in 
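Review bot: The comment added to systemd-machined.service covers only the mount-namespace constraint, but the hunk also removes `PrivateNetwork=yes` and adds `CAP_DAC_OVERRIDE` to `CapabilityBoundingSet=`, and neither is explained. `PrivateTmp=`, `PrivateDevices=`, `ProtectSystem=` and `ProtectHome=` all depend on a mount namespace, so the "machinectl bind" reason accounts for them. `PrivateNetwork=` is a network namespace and, as far as these lines show, could have stayed. I would extend the comment to say why network isolation goes as well and what needs the extra capability, e.g. `# CAP_DAC_OVERRIDE is required for <operation>; PrivateNetwork= is not set because <reason>` (placeholders to be filled in by the author).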
@@ -17,6 +17,13 @@ Before=network.target multi-user.target shutdown.target Conflicts=shutdown.target Wants=network.target +m4_ifdef(`ENABLE_KDBUS', +# On kdbus systems we pull in the busname explicitly, because it +# carries policy that allows the daemon to acquire its name. +Wants=org.freedesktop.network1.busname +After=org.freedesktop.network1.busname + +)m4_dnl [Service] Type=notify Restart=on-failure diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index 3e26b53fd6..074b916d38 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -10,6 +10,7 @@ Description=Container %I Documentation=man:systemd-nspawn(1) PartOf=machines.target Before=machines.target +After=network.target [Service] ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=%I @@ -17,7 +18,22 @@ KillMode=mixed Type=notify RestartForceExitStatus=133 SuccessExitStatus=133 +Slice=machine.slice Delegate=yes +# Enforce a strict device policy, similar to the one nspawn configures +# when it allocates its own scope unit. Make sure to keep these +# policies in sync if you change them! +DevicePolicy=strict +DeviceAllow=/dev/null rwm +DeviceAllow=/dev/zero rwm +DeviceAllow=/dev/full rwm +DeviceAllow=/dev/random rwm +DeviceAllow=/dev/urandom rwm +DeviceAllow=/dev/tty rwm +DeviceAllow=/dev/net/tun rwm +DeviceAllow=/dev/pts/ptmx rw +DeviceAllow=char-pts rw + [Install] WantedBy=machines.target diff --git a/units/systemd-random-seed.service.in b/units/systemd-random-seed.service.in index b55844b36f..115233268d 100644 --- a/units/systemd-random-seed.service.in +++ b/units/systemd-random-seed.service.in @@ -19,3 +19,4 @@ Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-random-seed load ExecStop=@rootlibexecdir@/systemd-random-seed save +TimeoutSec=30s diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.m4.in index b643da9a73..98ae564af6 100644 
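Review bot: The comment above `DevicePolicy=strict` in systemd-nspawn@.service asks maintainers to keep this allow-list in sync with the one nspawn sets on its own scope unit, but it does not say where that other copy lives. A security policy duplicated in two places tends to drift, so the comment should name the source function or file that holds it, e.g. `# ... when it allocates its own scope unit (see <function in the nspawn source>).` It would also help to note why every node gets `rwm` rather than `rw`. Presumably nspawn needs the `m` (mknod) permission to create these nodes in the container's /dev, but that is not visible here and should be confirmed before it is written down.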
--- a/units/systemd-resolved.service.in +++ b/units/systemd-resolved.service.m4.in @@ -8,13 +8,15 @@ [Unit] Description=Network Name Resolution Documentation=man:systemd-resolved.service(8) -After=systemd-networkd.service network.service +After=systemd-networkd.service network.target +m4_ifdef(`ENABLE_KDBUS', # On kdbus systems we pull in the busname explicitly, because it # carries policy that allows the daemon to acquire its name. Wants=org.freedesktop.resolve1.busname After=org.freedesktop.resolve1.busname +)m4_dnl [Service] Type=notify Restart=always diff --git a/units/systemd-rfkill@.service.in b/units/systemd-rfkill@.service.in index b48efe5d99..e53bf5fbba 100644 --- a/units/systemd-rfkill@.service.in +++ b/units/systemd-rfkill@.service.in @@ -20,3 +20,4 @@ Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-rfkill load %I ExecStop=@rootlibexecdir@/systemd-rfkill save %I +TimeoutSec=30s diff --git a/units/systemd-shutdownd.socket b/units/systemd-shutdownd.socket deleted file mode 100644 index 9421ce8ada..0000000000 --- a/units/systemd-shutdownd.socket +++ /dev/null @@ -1,18 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or -# (at your option) any later version. - -[Unit] -Description=Delayed Shutdown Socket -Documentation=man:systemd-shutdownd.service(8) -DefaultDependencies=no -Before=sockets.target - -[Socket] -ListenDatagram=/run/systemd/shutdownd -SocketMode=0600 -PassCredentials=yes -PassSecurity=yes diff --git a/units/systemd-sysctl.service.in b/units/systemd-sysctl.service.in index fa72085f9e..d784c6426d 100644 --- a/units/systemd-sysctl.service.in +++ b/units/systemd-sysctl.service.in @@ -18,3 +18,4 @@ ConditionPathIsReadWrite=/proc/sys/ Type=oneshot RemainAfterExit=yes ExecStart=@rootlibexecdir@/systemd-sysctl +TimeoutSec=90s 
diff --git a/units/systemd-sysusers.service.in b/units/systemd-sysusers.service.in index ffd6d7747b..4d8309ab6b 100644 --- a/units/systemd-sysusers.service.in +++ b/units/systemd-sysusers.service.in @@ -18,3 +18,4 @@ ConditionNeedsUpdate=/etc Type=oneshot RemainAfterExit=yes ExecStart=@rootbindir@/systemd-sysusers +TimeoutSec=90s diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 39edafc8d2..8219c95a08 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -9,7 +9,7 @@ Description=Network Time Synchronization Documentation=man:systemd-timesyncd.service(8) ConditionCapability=CAP_SYS_TIME -ConditionVirtualization=no +ConditionVirtualization=!container DefaultDependencies=no RequiresMountsFor=/var/lib/systemd/clock After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service diff --git a/units/systemd-udev-trigger.service.in b/units/systemd-udev-trigger.service.in index 0c33909cee..1e04d11fe3 100644 --- a/units/systemd-udev-trigger.service.in +++ b/units/systemd-udev-trigger.service.in @@ -10,7 +10,7 @@ Description=udev Coldplug all Devices Documentation=man:udev(7) man:systemd-udevd.service(8) DefaultDependencies=no Wants=systemd-udevd.service -After=systemd-udevd-kernel.socket systemd-udevd-control.socket +After=systemd-udevd-kernel.socket systemd-udevd-control.socket systemd-hwdb-update.service Before=sysinit.target ConditionPathIsReadWrite=/sys diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index f6acd6fe4c..e7216d61f2 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in 
@@ -10,7 +10,7 @@ Description=udev Kernel Device Manager Documentation=man:systemd-udevd.service(8) man:udev(7) DefaultDependencies=no Wants=systemd-udevd-control.socket systemd-udevd-kernel.socket -After=systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udev-hwdb-update.service systemd-sysusers.service +After=systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-sysusers.service Before=sysinit.target ConditionPathIsReadWrite=/sys @@ -22,3 +22,5 @@ Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-udevd MountFlags=slave +KillMode=mixed +WatchdogSec=1min diff --git a/units/systemd-user-sessions.service.in b/units/systemd-user-sessions.service.in index 0869e73991..c09c05d4d5 100644 --- a/units/systemd-user-sessions.service.in +++ b/units/systemd-user-sessions.service.in @@ -8,7 +8,7 @@ [Unit] Description=Permit User Sessions Documentation=man:systemd-user-sessions.service(8) -After=remote-fs.target +After=remote-fs.target nss-user-lookup.target [Service] Type=oneshot diff --git a/units/systemd-shutdownd.service.in b/units/var-lib-machines.mount index d951742500..7eba68f214 100644 --- a/units/systemd-shutdownd.service.in +++ b/units/var-lib-machines.mount @@ -6,10 +6,11 @@ # (at your option) any later version. [Unit] -Description=Delayed Shutdown Service -Documentation=man:systemd-shutdownd.service(8) -DefaultDependencies=no +Description=Virtual Machine and Container Storage +ConditionPathExists=/var/lib/machines.raw -[Service] -ExecStart=@rootlibexecdir@/systemd-shutdownd -NotifyAccess=all +[Mount] +What=/var/lib/machines.raw +Where=/var/lib/machines +Type=btrfs +Options=loop |