Diffstat (limited to 'units')
25 files changed, 82 insertions, 33 deletions
diff --git a/units/.gitignore b/units/.gitignore index d45492d06b..883f51f73c 100644 --- a/units/.gitignore +++ b/units/.gitignore @@ -30,6 +30,7 @@ /systemd-fsck@.service /systemd-machine-id-commit.service /systemd-halt.service +/systemd-exit.service /systemd-hibernate.service /systemd-hostnamed.service /systemd-hybrid-sleep.service @@ -58,7 +59,7 @@ /systemd-resolved.service /systemd-resolved.service.m4 /systemd-hibernate-resume@.service -/systemd-rfkill@.service +/systemd-rfkill.service /systemd-suspend.service /systemd-sysctl.service /systemd-sysusers.service diff --git a/units/exit.target b/units/exit.target new file mode 100644 index 0000000000..f5f953d112 --- /dev/null +++ b/units/exit.target @@ -0,0 +1,17 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Exit the container +Documentation=man:systemd.special(7) +DefaultDependencies=no +Requires=systemd-exit.service +After=systemd-exit.service +AllowIsolate=yes + +[Install] +Alias=ctrl-alt-del.target diff --git a/units/ldconfig.service b/units/ldconfig.service index f9691e2f2d..994edd9908 100644 --- a/units/ldconfig.service +++ b/units/ldconfig.service @@ -12,7 +12,8 @@ DefaultDependencies=no Conflicts=shutdown.target After=systemd-remount-fs.service Before=sysinit.target shutdown.target systemd-update-done.service -ConditionNeedsUpdate=/etc +ConditionNeedsUpdate=|/etc +ConditionFileNotEmpty=|!/etc/ld.so.cache [Service] Type=oneshot diff --git a/units/systemd-bus-proxyd.service.m4.in b/units/systemd-bus-proxyd.service.m4.in index ffaf0bdc87..e75cdb1a59 100644 --- a/units/systemd-bus-proxyd.service.m4.in +++ b/units/systemd-bus-proxyd.service.m4.in 
@@ -10,6 +10,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon [Service] ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/0-system/bus +ExecReload=@bindir@/busctl --address=unix:path=/run/dbus/system_bus_socket call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig NotifyAccess=main CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN ) PrivateTmp=yes @@ -17,3 +18,8 @@ PrivateDevices=yes PrivateNetwork=yes ProtectSystem=full ProtectHome=yes + +# The proxy manages connections of all users, so it needs an elevated file +# limit. It does proper per-user accounting (indirectly via kdbus), therefore, +# the effective per-user limits stay the same. +LimitNOFILE=16384 diff --git a/units/user/systemd-consoled.service.in b/units/systemd-exit.service.in index fd7938aa8b..2dbfb36b41 100644 --- a/units/user/systemd-consoled.service.in +++ b/units/systemd-exit.service.in @@ -6,10 +6,12 @@ # (at your option) any later version. [Unit] -Description=Console Manager and Terminal Emulator +Description=Exit the Session +Documentation=man:systemd.special(7) +DefaultDependencies=no +Requires=shutdown.target +After=shutdown.target [Service] -Type=notify -Restart=always -RestartSec=0 -ExecStart=@rootlibexecdir@/systemd-consoled +Type=oneshot +ExecStart=@SYSTEMCTL@ --force exit diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index cc88ecd0db..b7079e4a7c 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -14,7 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/hostnamed ExecStart=@rootlibexecdir@/systemd-hostnamed BusName=org.freedesktop.hostname1 CapabilityBoundingSet=CAP_SYS_ADMIN -WatchdogSec=1min +WatchdogSec=3min PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes 
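Review bot: The comment above `LimitNOFILE=16384` in the second hunk of systemd-bus-proxyd.service.m4.in justifies the raised limit by per-user accounting done "indirectly via kdbus", but nothing in the unit enforces or references that accounting. If the proxy is ever run where that accounting is absent, the 16384 descriptors presumably become one shared pool that a single user's connections could use up. The comment should therefore say where the per-user limit is enforced, for example `# Per-user connection limits are enforced by kdbus (see <reference>); revisit this value if the proxy runs without it.`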
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in index 403f15316d..d3238cf8f5 100644 --- a/units/systemd-importd.service.in +++ b/units/systemd-importd.service.in @@ -14,5 +14,5 @@ ExecStart=@rootlibexecdir@/systemd-importd BusName=org.freedesktop.import1 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE NoNewPrivileges=yes -WatchdogSec=1min +WatchdogSec=3min KillMode=mixed diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index 4a898d62f3..2928a23021 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -18,7 +18,7 @@ Group=systemd-journal-remote PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -WatchdogSec=10min +WatchdogSec=3min [Install] Also=systemd-journal-remote.socket diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in index b2e3c769cc..a757673a62 100644 --- a/units/systemd-journal-upload.service.in +++ b/units/systemd-journal-upload.service.in @@ -15,7 +15,7 @@ ExecStart=@rootlibexecdir@/systemd-journal-upload \ User=systemd-journal-upload PrivateTmp=yes PrivateDevices=yes -WatchdogSec=20min +WatchdogSec=3min # If there are many split up journal files we need a lot of fds to # access them all and combine diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index a3540c65d2..41bfde5be3 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -22,7 +22,7 @@ RestartSec=0 NotifyAccess=all StandardOutput=null CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE -WatchdogSec=1min +WatchdogSec=3min FileDescriptorStoreMax=1024 # Increase the default a bit in order to allow many simultaneous 
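Review bot: For systemd-journal-remote.service.in and systemd-journal-upload.service.in the new `WatchdogSec=3min` is a reduction (from 10min and 20min), whereas every other unit in this commit is raised from 1min. Both daemons move log data over the network, so a stalled peer or a large batch that keeps the main loop from sending a watchdog keep-alive for more than three minutes would now get the service killed and interrupt log forwarding. Whether it is restarted depends on `Restart=`, which is outside these hunks. It is worth confirming that both daemons send keep-alives while a transfer is in progress, and recording that above the setting, e.g. `# Keep-alives are sent from the event loop during transfers; 3min matches the other daemons.`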
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index bfa097844f..9b13f901a3 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -14,7 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/localed ExecStart=@rootlibexecdir@/systemd-localed BusName=org.freedesktop.locale1 CapabilityBoundingSet= -WatchdogSec=1min +WatchdogSec=3min PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index f087e99ce2..ff049134ee 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -24,7 +24,7 @@ Restart=always RestartSec=0 BusName=org.freedesktop.login1 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG -WatchdogSec=1min +WatchdogSec=3min # Increase the default a bit in order to allow many simultaneous # logins since we keep one fd open per session. diff --git a/units/systemd-machine-id-commit.service.in b/units/systemd-machine-id-commit.service.in index cccbf7b626..1f3f5da0f3 100644 --- a/units/systemd-machine-id-commit.service.in +++ b/units/systemd-machine-id-commit.service.in @@ -18,5 +18,5 @@ ConditionPathIsMountPoint=/etc/machine-id [Service] Type=oneshot RemainAfterExit=yes -ExecStart=@rootlibexecdir@/systemd-machine-id-commit +ExecStart=@rootbindir@/systemd-machine-id-setup --commit TimeoutSec=30s diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index fb1f383cdc..3710c595ca 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in 
@@ -16,7 +16,7 @@ After=machine.slice ExecStart=@rootlibexecdir@/systemd-machined BusName=org.freedesktop.machine1 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID -WatchdogSec=1min +WatchdogSec=3min # Note that machined cannot be placed in a mount namespace, since it # needs access to the host's mount namespace in order to implement the diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in index 35be713ade..27d4d58962 100644 --- a/units/systemd-networkd.service.m4.in +++ b/units/systemd-networkd.service.m4.in @@ -30,7 +30,7 @@ ExecStart=@rootlibexecdir@/systemd-networkd CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER ProtectSystem=full ProtectHome=yes -WatchdogSec=1min +WatchdogSec=3min [Install] WantedBy=multi-user.target diff --git a/units/systemd-networkd.socket b/units/systemd-networkd.socket index 8cd7bab67a..2c20935d83 100644 --- a/units/systemd-networkd.socket +++ b/units/systemd-networkd.socket @@ -6,7 +6,7 @@ # (at your option) any later version. [Unit] -Description=networkd rtnetlink socket +Description=Network Service Netlink Socket Documentation=man:systemd-networkd.service(8) man:rtnetlink(7) ConditionCapability=CAP_NET_ADMIN DefaultDependencies=no diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index 074b916d38..03349931d9 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in 
@@ -13,7 +13,7 @@ Before=machines.target After=network.target [Service] -ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=%I +ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%I KillMode=mixed Type=notify RestartForceExitStatus=133 @@ -35,5 +35,10 @@ DeviceAllow=/dev/net/tun rwm DeviceAllow=/dev/pts/ptmx rw DeviceAllow=char-pts rw +# nspawn itself needs access to /dev/loop-control and /dev/loop, to +# implement the --image= option. Add these here, too. +DeviceAllow=/dev/loop-control rw +DeviceAllow=block-loop rw + [Install] WantedBy=machines.target diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in index dce5402458..c674b27ced 100644 --- a/units/systemd-resolved.service.m4.in +++ b/units/systemd-resolved.service.m4.in @@ -23,7 +23,7 @@ ExecStart=@rootlibexecdir@/systemd-resolved CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER ProtectSystem=full ProtectHome=yes -WatchdogSec=1min +WatchdogSec=3min [Install] WantedBy=multi-user.target diff --git a/units/systemd-rfkill@.service.in b/units/systemd-rfkill.service.in index e53bf5fbba..780a19b996 100644 --- a/units/systemd-rfkill@.service.in +++ b/units/systemd-rfkill.service.in 
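Review bot: `--settings=override` on the new ExecStart line of systemd-nspawn@.service.in lets values from a matching .nspawn settings file take precedence over the switches hard-coded here, including `--network-veth`. The isolation a container gets from this template is then no longer determined by the unit alone, and the unit carries no comment saying so. I would add one above ExecStart, e.g. `# --settings=override: options from the machine's .nspawn file take precedence over the switches below.` Which settings files are honoured for privileged options is decided by nspawn and is not visible in this hunk, so that should be confirmed before treating the command line as the policy.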
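Review bot: The two new `DeviceAllow=` lines in the second hunk of systemd-nspawn@.service.in widen the device allowlist for everything in this unit's control group. As far as I can tell that includes the container payload and not only nspawn itself, although the comment says the access is for nspawn's `--image=` handling. The entries grant `rw` without `m`, so new loop nodes cannot be created under this policy, but that omission is the restriction that matters and it is not stated anywhere. I would extend the comment with something like `# No 'm': the payload must not be able to create loop device nodes.` so the restriction is not loosened later by accident.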
@@ -6,18 +6,16 @@ # (at your option) any later version. [Unit] -Description=Load/Save RF Kill Switch Status of %I -Documentation=man:systemd-rfkill@.service(8) +Description=Load/Save RF Kill Switch Status +Documentation=man:systemd-rfkill.service(8) DefaultDependencies=no -BindsTo=sys-subsystem-rfkill-devices-%i.device RequiresMountsFor=/var/lib/systemd/rfkill +BindsTo=sys-devices-virtual-misc-rfkill.device Conflicts=shutdown.target -After=systemd-remount-fs.service -Before=sysinit.target shutdown.target +After=sys-devices-virtual-misc-rfkill.device systemd-remount-fs.service +Before=shutdown.target [Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=@rootlibexecdir@/systemd-rfkill load %I -ExecStop=@rootlibexecdir@/systemd-rfkill save %I +Type=notify +ExecStart=@rootlibexecdir@/systemd-rfkill TimeoutSec=30s diff --git a/units/systemd-rfkill.socket b/units/systemd-rfkill.socket new file mode 100644 index 0000000000..20ae2f8adb --- /dev/null +++ b/units/systemd-rfkill.socket @@ -0,0 +1,19 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Load/Save RF Kill Switch Status /dev/rfkill Watch +Documentation=man:systemd-rfkill.socket(8) +DefaultDependencies=no +BindsTo=sys-devices-virtual-misc-rfkill.device +After=sys-devices-virtual-misc-rfkill.device +Conflicts=shutdown.target +Before=shutdown.target + +[Socket] +ListenSpecial=/dev/rfkill +Writable=yes diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index fe5ccb4601..0c9599db20 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in 
@@ -14,7 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/timedated ExecStart=@rootlibexecdir@/systemd-timedated BusName=org.freedesktop.timedate1 CapabilityBoundingSet=CAP_SYS_TIME -WatchdogSec=1min +WatchdogSec=3min PrivateTmp=yes ProtectSystem=yes ProtectHome=yes diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 8219c95a08..a856dad709 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -27,7 +27,7 @@ PrivateTmp=yes PrivateDevices=yes ProtectSystem=full ProtectHome=yes -WatchdogSec=1min +WatchdogSec=3min [Install] WantedBy=sysinit.target diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index e7216d61f2..79f28c87c6 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -23,4 +23,4 @@ RestartSec=0 ExecStart=@rootlibexecdir@/systemd-udevd MountFlags=slave KillMode=mixed -WatchdogSec=1min +WatchdogSec=3min diff --git a/units/user/.gitignore b/units/user/.gitignore index 6111b10ccf..ce9df9e7e1 100644 --- a/units/user/.gitignore +++ b/units/user/.gitignore @@ -1,3 +1,2 @@ /systemd-exit.service /systemd-bus-proxyd.service -/systemd-consoled.service diff --git a/units/user/systemd-bus-proxyd.service.in b/units/user/systemd-bus-proxyd.service.in index e1e399dc32..6f79707b46 100644 --- a/units/user/systemd-bus-proxyd.service.in +++ b/units/user/systemd-bus-proxyd.service.in @@ -10,4 +10,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon [Service] ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus +ExecReload=@bindir@/busctl --address=unix:path=/run/user/%U/bus call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig NotifyAccess=main |