Diffstat (limited to 'units')
-rw-r--r--units/.gitignore3
-rw-r--r--units/basic.target8
-rw-r--r--units/console-getty.service.m4.in1
-rw-r--r--units/emergency.service.in2
-rw-r--r--units/rescue.service.in2
-rw-r--r--units/systemd-binfmt.service.in1
-rw-r--r--units/systemd-fsck-root.service.in1
-rw-r--r--units/systemd-fsck@.service.in1
-rw-r--r--units/systemd-hwdb-update.service.in1
-rw-r--r--units/systemd-importd.service.in6
-rw-r--r--units/systemd-journald-audit.socket1
-rw-r--r--units/systemd-machine-id-commit.service.in1
-rw-r--r--units/systemd-machined.service.in11
-rw-r--r--units/systemd-modules-load.service.in1
-rw-r--r--units/systemd-networkd.service.m4.in (renamed from units/systemd-networkd.service.in)7
-rw-r--r--units/systemd-nspawn@.service.in16
-rw-r--r--units/systemd-random-seed.service.in1
-rw-r--r--units/systemd-resolved.service.m4.in (renamed from units/systemd-resolved.service.in)4
-rw-r--r--units/systemd-rfkill@.service.in1
-rw-r--r--units/systemd-shutdownd.socket18
-rw-r--r--units/systemd-sysctl.service.in1
-rw-r--r--units/systemd-sysusers.service.in1
-rw-r--r--units/systemd-timesyncd.service.in2
-rw-r--r--units/systemd-udev-trigger.service.in2
-rw-r--r--units/systemd-udevd.service.in4
-rw-r--r--units/systemd-user-sessions.service.in2
-rw-r--r--units/var-lib-machines.mount (renamed from units/systemd-shutdownd.service.in)13
27 files changed, 65 insertions, 47 deletions
diff --git a/units/.gitignore b/units/.gitignore
index 6fdb629c3d..d45492d06b 100644
--- a/units/.gitignore
+++ b/units/.gitignore
@@ -48,6 +48,7 @@
/systemd-modules-load.service
/systemd-networkd-wait-online.service
/systemd-networkd.service
+/systemd-networkd.service.m4
/systemd-nspawn@.service
/systemd-poweroff.service
/systemd-quotacheck.service
@@ -55,9 +56,9 @@
/systemd-reboot.service
/systemd-remount-fs.service
/systemd-resolved.service
+/systemd-resolved.service.m4
/systemd-hibernate-resume@.service
/systemd-rfkill@.service
-/systemd-shutdownd.service
/systemd-suspend.service
/systemd-sysctl.service
/systemd-sysusers.service
diff --git a/units/basic.target b/units/basic.target
index abb63ec560..e0e1e604f8 100644
--- a/units/basic.target
+++ b/units/basic.target
@@ -8,8 +8,10 @@
[Unit]
Description=Basic System
Documentation=man:systemd.special(7)
-
Requires=sysinit.target
-After=sysinit.target
Wants=sockets.target timers.target paths.target slices.target
-After=sockets.target paths.target slices.target
+After=sysinit.target sockets.target paths.target slices.target
+
+# We support /var, /tmp, /var/tmp, being on NFS, but we don't pull in
+# remote-fs.target by default, hence explicitly pull /var in here.
+RequiresMountsFor=/var /tmp /var/tmp
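Review bot: The added comment names only /var as the path being pulled in, while `RequiresMountsFor=/var /tmp /var/tmp` on the next line orders the target after all three mount points. A reader who trusts the comment could later drop /tmp or /var/tmp as unintended. I would word the second comment line as `# remote-fs.target by default, hence explicitly pull these mount points in here.`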
diff --git a/units/console-getty.service.m4.in b/units/console-getty.service.m4.in
index 8ac51a471b..413d94094b 100644
--- a/units/console-getty.service.m4.in
+++ b/units/console-getty.service.m4.in
@@ -9,6 +9,7 @@
Description=Console Getty
Documentation=man:agetty(8)
After=systemd-user-sessions.service plymouth-quit-wait.service
+ConditionPathExists=/dev/console
m4_ifdef(`HAVE_SYSV_COMPAT',
After=rc-local.service
)m4_dnl
diff --git a/units/emergency.service.in b/units/emergency.service.in
index 2695d7b7c9..52b9b1cd03 100644
--- a/units/emergency.service.in
+++ b/units/emergency.service.in
@@ -18,7 +18,7 @@ Environment=HOME=/root
WorkingDirectory=/root
ExecStartPre=-/bin/plymouth quit
ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\ntry again to boot into default mode.'
-ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --fail --no-block default"
+ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default"
Type=idle
StandardInput=tty-force
StandardOutput=inherit
diff --git a/units/rescue.service.in b/units/rescue.service.in
index de73fee654..432e4f3c84 100644
--- a/units/rescue.service.in
+++ b/units/rescue.service.in
@@ -18,7 +18,7 @@ Environment=HOME=/root
WorkingDirectory=/root
ExecStartPre=-/bin/plymouth quit
ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\nboot into default mode.'
-ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --fail --no-block default"
+ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default"
Type=idle
StandardInput=tty-force
StandardOutput=inherit
diff --git a/units/systemd-binfmt.service.in b/units/systemd-binfmt.service.in
index 34a5d5237b..d53073ee61 100644
--- a/units/systemd-binfmt.service.in
+++ b/units/systemd-binfmt.service.in
@@ -24,3 +24,4 @@ ConditionDirectoryNotEmpty=|/run/binfmt.d
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-binfmt
+TimeoutSec=90s
diff --git a/units/systemd-fsck-root.service.in b/units/systemd-fsck-root.service.in
index 6d7657853e..3617abf04a 100644
--- a/units/systemd-fsck-root.service.in
+++ b/units/systemd-fsck-root.service.in
@@ -16,5 +16,4 @@ ConditionPathIsReadWrite=!/
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-fsck
-StandardOutput=journal+console
TimeoutSec=0
diff --git a/units/systemd-fsck@.service.in b/units/systemd-fsck@.service.in
index 857e625679..0468392dc4 100644
--- a/units/systemd-fsck@.service.in
+++ b/units/systemd-fsck@.service.in
@@ -17,5 +17,4 @@ Before=shutdown.target
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-fsck %f
-StandardOutput=journal+console
TimeoutSec=0
diff --git a/units/systemd-hwdb-update.service.in b/units/systemd-hwdb-update.service.in
index 791528e2b2..7135cff3d9 100644
--- a/units/systemd-hwdb-update.service.in
+++ b/units/systemd-hwdb-update.service.in
@@ -21,3 +21,4 @@ ConditionDirectoryNotEmpty=|/etc/udev/hwdb.d/
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootbindir@/systemd-hwdb update
+TimeoutSec=90s
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 26759ea0fb..403f15316d 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -12,9 +12,7 @@ Documentation=man:systemd-importd.service(8)
[Service]
ExecStart=@rootlibexecdir@/systemd-importd
BusName=org.freedesktop.import1
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
NoNewPrivileges=yes
WatchdogSec=1min
-PrivateTmp=yes
-ProtectSystem=full
-ProtectHome=yes
+KillMode=mixed
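Review bot: `PrivateTmp=yes`, `ProtectSystem=full` and `ProtectHome=yes` are removed and `CAP_DAC_OVERRIDE` is added to `CapabilityBoundingSet=` without any comment in the unit explaining why the daemon needs the wider access. In the visible lines the only confinement left is the capability bounding set and `NoNewPrivileges=yes`, and `CAP_DAC_OVERRIDE` alongside `CAP_SYS_ADMIN` bypasses file permission checks on the whole host file system. A short comment above the bounding set, in the style of the one this commit adds to systemd-machined.service.in, would let a later reader judge whether the sandboxing can be restored, e.g. `# importd runs outside a mount namespace and needs CAP_DAC_OVERRIDE because <reason>.` If only part of the file system has to be writable, it is worth checking whether a narrower setting than dropping all three directives would do.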
diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket
index 35397aaeb8..541f2cf38d 100644
--- a/units/systemd-journald-audit.socket
+++ b/units/systemd-journald-audit.socket
@@ -11,6 +11,7 @@ Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Before=sockets.target
ConditionSecurity=audit
+ConditionCapability=CAP_AUDIT_READ
[Socket]
Service=systemd-journald.service
diff --git a/units/systemd-machine-id-commit.service.in b/units/systemd-machine-id-commit.service.in
index dd765b6608..cccbf7b626 100644
--- a/units/systemd-machine-id-commit.service.in
+++ b/units/systemd-machine-id-commit.service.in
@@ -19,3 +19,4 @@ ConditionPathIsMountPoint=/etc/machine-id
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-machine-id-commit
+TimeoutSec=30s
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 15f34d9db7..19c33959d6 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -15,10 +15,9 @@ After=machine.slice
[Service]
ExecStart=@rootlibexecdir@/systemd-machined
BusName=org.freedesktop.machine1
-CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
WatchdogSec=1min
-PrivateTmp=yes
-PrivateDevices=yes
-PrivateNetwork=yes
-ProtectSystem=full
-ProtectHome=yes
+
+# Note that machined cannot be placed in a mount namespace, since it
+# needs access to the host's mount namespace in order to implement the
+# "machinectl bind" operation.
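Review bot: The new comment justifies dropping the options that depend on a mount namespace, but it does not cover the two other changes in this hunk: the removal of `PrivateNetwork=yes` and the addition of `CAP_DAC_OVERRIDE` to `CapabilityBoundingSet=`. Whether `PrivateNetwork=` has to go for the same reason is not stated, and the extra capability lets the daemon ignore file permission bits host-wide. I would extend the comment with one sentence for each, e.g. `# CAP_DAC_OVERRIDE is required for <reason>; PrivateNetwork= is off because <reason>.`, so the remaining attack surface is a documented decision rather than a side effect.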
diff --git a/units/systemd-modules-load.service.in b/units/systemd-modules-load.service.in
index 040a0febe8..9de6d31349 100644
--- a/units/systemd-modules-load.service.in
+++ b/units/systemd-modules-load.service.in
@@ -24,3 +24,4 @@ ConditionKernelCommandLine=|rd.modules-load
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-modules-load
+TimeoutSec=90s
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.m4.in
index 5a91b8e499..7f216f331c 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.m4.in
@@ -17,6 +17,13 @@ Before=network.target multi-user.target shutdown.target
Conflicts=shutdown.target
Wants=network.target
+m4_ifdef(`ENABLE_KDBUS',
+# On kdbus systems we pull in the busname explicitly, because it
+# carries policy that allows the daemon to acquire its name.
+Wants=org.freedesktop.network1.busname
+After=org.freedesktop.network1.busname
+
+)m4_dnl
[Service]
Type=notify
Restart=on-failure
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index 3e26b53fd6..074b916d38 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -10,6 +10,7 @@ Description=Container %I
Documentation=man:systemd-nspawn(1)
PartOf=machines.target
Before=machines.target
+After=network.target
[Service]
ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=%I
@@ -17,7 +18,22 @@ KillMode=mixed
Type=notify
RestartForceExitStatus=133
SuccessExitStatus=133
+Slice=machine.slice
Delegate=yes
+# Enforce a strict device policy, similar to the one nspawn configures
+# when it allocates its own scope unit. Make sure to keep these
+# policies in sync if you change them!
+DevicePolicy=strict
+DeviceAllow=/dev/null rwm
+DeviceAllow=/dev/zero rwm
+DeviceAllow=/dev/full rwm
+DeviceAllow=/dev/random rwm
+DeviceAllow=/dev/urandom rwm
+DeviceAllow=/dev/tty rwm
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=/dev/pts/ptmx rw
+DeviceAllow=char-pts rw
+
[Install]
WantedBy=machines.target
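Review bot: The comment above `DevicePolicy=strict` asks maintainers to keep this allow-list in sync with the policy nspawn sets on its own scope unit, but it does not say where that second copy lives. If the two lists drift, containers started through this template get a different device allow-list from those started directly, and nothing flags the difference. I would add the location to the comment, e.g. `# (the matching list is in <nspawn source file/function>)`. It would also help to note why `/dev/net/tun` needs `rwm` rather than `rw`, since the `m` bit permits mknod for that node inside the delegated cgroup.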
diff --git a/units/systemd-random-seed.service.in b/units/systemd-random-seed.service.in
index b55844b36f..115233268d 100644
--- a/units/systemd-random-seed.service.in
+++ b/units/systemd-random-seed.service.in
@@ -19,3 +19,4 @@ Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-random-seed load
ExecStop=@rootlibexecdir@/systemd-random-seed save
+TimeoutSec=30s
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.m4.in
index b643da9a73..98ae564af6 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.m4.in
@@ -8,13 +8,15 @@
[Unit]
Description=Network Name Resolution
Documentation=man:systemd-resolved.service(8)
-After=systemd-networkd.service network.service
+After=systemd-networkd.service network.target
+m4_ifdef(`ENABLE_KDBUS',
# On kdbus systems we pull in the busname explicitly, because it
# carries policy that allows the daemon to acquire its name.
Wants=org.freedesktop.resolve1.busname
After=org.freedesktop.resolve1.busname
+)m4_dnl
[Service]
Type=notify
Restart=always
diff --git a/units/systemd-rfkill@.service.in b/units/systemd-rfkill@.service.in
index b48efe5d99..e53bf5fbba 100644
--- a/units/systemd-rfkill@.service.in
+++ b/units/systemd-rfkill@.service.in
@@ -20,3 +20,4 @@ Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-rfkill load %I
ExecStop=@rootlibexecdir@/systemd-rfkill save %I
+TimeoutSec=30s
diff --git a/units/systemd-shutdownd.socket b/units/systemd-shutdownd.socket
deleted file mode 100644
index 9421ce8ada..0000000000
--- a/units/systemd-shutdownd.socket
+++ /dev/null
@@ -1,18 +0,0 @@
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Delayed Shutdown Socket
-Documentation=man:systemd-shutdownd.service(8)
-DefaultDependencies=no
-Before=sockets.target
-
-[Socket]
-ListenDatagram=/run/systemd/shutdownd
-SocketMode=0600
-PassCredentials=yes
-PassSecurity=yes
diff --git a/units/systemd-sysctl.service.in b/units/systemd-sysctl.service.in
index fa72085f9e..d784c6426d 100644
--- a/units/systemd-sysctl.service.in
+++ b/units/systemd-sysctl.service.in
@@ -18,3 +18,4 @@ ConditionPathIsReadWrite=/proc/sys/
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-sysctl
+TimeoutSec=90s
diff --git a/units/systemd-sysusers.service.in b/units/systemd-sysusers.service.in
index ffd6d7747b..4d8309ab6b 100644
--- a/units/systemd-sysusers.service.in
+++ b/units/systemd-sysusers.service.in
@@ -18,3 +18,4 @@ ConditionNeedsUpdate=/etc
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootbindir@/systemd-sysusers
+TimeoutSec=90s
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 39edafc8d2..8219c95a08 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -9,7 +9,7 @@
Description=Network Time Synchronization
Documentation=man:systemd-timesyncd.service(8)
ConditionCapability=CAP_SYS_TIME
-ConditionVirtualization=no
+ConditionVirtualization=!container
DefaultDependencies=no
RequiresMountsFor=/var/lib/systemd/clock
After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service
diff --git a/units/systemd-udev-trigger.service.in b/units/systemd-udev-trigger.service.in
index 0c33909cee..1e04d11fe3 100644
--- a/units/systemd-udev-trigger.service.in
+++ b/units/systemd-udev-trigger.service.in
@@ -10,7 +10,7 @@ Description=udev Coldplug all Devices
Documentation=man:udev(7) man:systemd-udevd.service(8)
DefaultDependencies=no
Wants=systemd-udevd.service
-After=systemd-udevd-kernel.socket systemd-udevd-control.socket
+After=systemd-udevd-kernel.socket systemd-udevd-control.socket systemd-hwdb-update.service
Before=sysinit.target
ConditionPathIsReadWrite=/sys
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index f6acd6fe4c..e7216d61f2 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -10,7 +10,7 @@ Description=udev Kernel Device Manager
Documentation=man:systemd-udevd.service(8) man:udev(7)
DefaultDependencies=no
Wants=systemd-udevd-control.socket systemd-udevd-kernel.socket
-After=systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udev-hwdb-update.service systemd-sysusers.service
+After=systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-sysusers.service
Before=sysinit.target
ConditionPathIsReadWrite=/sys
@@ -22,3 +22,5 @@ Restart=always
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-udevd
MountFlags=slave
+KillMode=mixed
+WatchdogSec=1min
diff --git a/units/systemd-user-sessions.service.in b/units/systemd-user-sessions.service.in
index 0869e73991..c09c05d4d5 100644
--- a/units/systemd-user-sessions.service.in
+++ b/units/systemd-user-sessions.service.in
@@ -8,7 +8,7 @@
[Unit]
Description=Permit User Sessions
Documentation=man:systemd-user-sessions.service(8)
-After=remote-fs.target
+After=remote-fs.target nss-user-lookup.target
[Service]
Type=oneshot
diff --git a/units/systemd-shutdownd.service.in b/units/var-lib-machines.mount
index d951742500..7eba68f214 100644
--- a/units/systemd-shutdownd.service.in
+++ b/units/var-lib-machines.mount
@@ -6,10 +6,11 @@
# (at your option) any later version.
[Unit]
-Description=Delayed Shutdown Service
-Documentation=man:systemd-shutdownd.service(8)
-DefaultDependencies=no
+Description=Virtual Machine and Container Storage
+ConditionPathExists=/var/lib/machines.raw
-[Service]
-ExecStart=@rootlibexecdir@/systemd-shutdownd
-NotifyAccess=all
+[Mount]
+What=/var/lib/machines.raw
+Where=/var/lib/machines
+Type=btrfs
+Options=loop