Age | Commit message (Collapse) | Author |
|
Let's make missing write access to /proc/sys non-fatal to the sysctl service.
This is a follow-up to 411e869f497c7c7bd0688f1e3500f9043bc56e48 which altered
the condition for running the sysctl service to check for /proc/sys/net being
writable, accepting that /proc/sys might be read-only. In order to ensure the
boot-up stays clean in containers lower the log level for the EROFS errors
generated due to this.
|
|
|
|
Now that have a proper concept of "perpetual" units, let's make the root mount
one too, since it also cannot go away.
|
|
So far "no_gc" was set on -.slice and init.scope, to units that are always
running, cannot be stopped and never exist in an "inactive" state. Since these
units are the only users of this flag, let's remodel it and rename it
"perpetual" and let's derive more funcitonality off it. Specifically, refuse
enqueing stop jobs for these units, and report that they are "unstoppable" in
the CanStop bus property.
|
|
(#4533)
Always initialize the supplementary groups of caller before checking the
unit SupplementaryGroups= option.
Fixes https://github.com/systemd/systemd/issues/4531
|
|
Switch drivers uses phys_port_name attribute to pass front panel port
name to user. Use it to generate netdev names.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
|
"Secondary arch" table for mips is entirely speculative…
|
|
Lustre is also a remote file system that wants the network to be up before it is mounted.
|
|
|
|
This introduces a new option, `tcrypt-veracrypt`, that sets the
corresponding VeraCrypt flag in the flags passed to cryptsetup.
|
|
A pendant for #4481.
|
|
systemd-escape manpage improvements
|
|
The first example wasn't phrased with "To ..." as the other three are,
and the last example was lacking the colon.
|
|
|
|
The option does more than the documentation gave it credit for.
|
|
Not sure since when this is the default behavior, but my local tree is full
of such files. Let's ignore them for clarity.
|
|
seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
|
|
Document NoNewPrivileges default value
|
|
|
|
Suggested by @keszybz in #4488.
|
|
core: improve mount namespace and working directory setup
|
|
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
|
|
|
|
This makes applying groups after applying the working directory, this
may allow some flexibility but at same it is not a big deal since we
don't execute or do anything between applying working directory and
droping groups.
|
|
Improve apply_working_directory() and lets get the current working directory
inside of it.
|
|
|
|
|
|
We updated 'fn' but checked 'v' instead.
From 698c5a17
Spotted with PVS
|
|
Fix some formatting details in the merge.
|
|
The mount fails, even though CAP_SYS_ADMIN is granted.
|
|
Rewrite the function to be slightly simpler. In particular, if a specific
match is found (like ConditionVirtualization=yes), simply return an answer
immediately, instead of relying that "yes" will not be matched by any of
the virtualization names below.
No functional change.
|
|
|
|
This can be useful to silence warnings about units which fail in userns
container.
|
|
Various things don't work when we're running in a user namespace, but it's
pretty hard to reliably detect if that is true.
A function is added which looks at /proc/self/uid_map and returns false
if the default "0 0 UINT32_MAX" is found, and true if it finds anything else.
This misses the case where an 1:1 mapping with the full range was used, but
I don't know how to distinguish this case.
'systemd-detect-virt --private-users' is very similar to
'systemd-detect-virt --chroot', but we check for a user namespace instead.
|
|
|
|
Invalid IP addresses would be passed through as-is:
$ networkctl status wlp3s0:
● 2: wlp3s0
Link File: /usr/lib/systemd/network/99-default.link
Network File: /etc/systemd/network/wlp3s0.network
Type: wlan
State: routable (configured)
Path: pci-0000:03:00.0
Driver: iwlwifi
Vendor: Intel Corporation
Model: Centrino Advanced-N 6205 [Taylor Peak] (Centrino Advanced-N 6205 AGN)
HW Address: XXXXXXXXXX (Intel Corporate)
Address: 192.168.2.103
XXXXXXXXXXX
Gateway: 192.168.2.1 (Arcadyan Technology Corporation)
DNS: 127.0.0.5553
Instead verify that DNS= has a valid list of addresses when parsing configuration.
Fixes #4462.
|
|
To more correctly reflect current behaviour as well as to provide
a few more details.
|
|
shmat(..., SHM_EXEC) can be used to create writable and executable
memory, so let's block it when MemoryDenyWriteExecute is set.
|
|
Check if values filled up by KD_FONT_OP_GET ioctl make sense -
dummy driver for example doesn't implement required functionality
at all.
|
|
... and that that content might be outdated.
|
|
Fixes:
$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Feb 17 2016 /bin/sh -> dash
$ ./autogen.sh c
./autogen.sh: 22: ./autogen.sh: [[: not found
...
checking whether make supports nested variables... (cached) yes
checking build system type... Invalid configuration `c': machine `c' not
recognized
configure: error: /bin/bash build-aux/config.sub c failed
this is a follow-up for a5e739a570081231
|
|
two minor systemctl memleak fixes
|
|
In case of running test-execute on systems with systemd < v232, several
tests like privatedevices or protectkernelmodules fail because
/run/systemd/inaccessible/ doesn't exist. In these cases, we should skip
tests to avoid unnecessary errors.
See also https://github.com/systemd/systemd/pull/4243#issuecomment-253665566
|
|
(Also, let's not use the binary |= operator on "bool" variables).
Fix-up for 93a0884126146361ca078ec627da2cf766205a1c.
|
|
|
|
various nss module/resolved fixes
|
|
Fixes #4329.
|
|
Various seccomp fixes and NEWS update.
|
|
|
|
Properly synthesize -.slice and init.scope
|