| Age | Commit message (Collapse) | Author |
|---|
|
make dist-check-help FTW!
|
|
|
|
This permits CPUQuota to accept greater values as documented.
|
|
nspawn resolv.conf handling improvements, and inherit $TERM all the way through nspawn → console login
|
|
Commit e5bc3f4fdc matches on e.g. a T440s, but not a T440 (i.e. the one
without a suffix).
|
|
This new output mode formats all timestamps using the usual format_timestamp()
call we use pretty much everywhere else. Timestamps formatted this way are some
ways more useful than traditional syslog timestamps as they include weekday,
month and timezone information, while not being much longer. They are also not
locale-dependent. The primary advantage however is that they may be passed
directly to journalctl's --since= and --until= switches as soon as #3869 is
merged.
While we are at it, let's also add "short-unix" to shell completion.
|
|
This patch improves parsing and generation of timestamps and calendar
specifications in two ways:
- The week day is now always printed in the abbreviated English form, instead
of the locale's setting. This makes sure we can always parse the week day
again, even if the locale is changed. Given that we don't follow locale
settings for printing timestamps in any other way either (for example, we
always use 24h syntax in order to make uniform parsing possible), it only
makes sense to also stick to a generic, non-localized form for the timestamp,
too.
- When parsing a timestamp, the local timezone (in its DST or non-DST name)
may be specified, in addition to "UTC". Other timezones are still not
supported however (not because we wouldn't want to, but mostly because libc
offers no nice API for that). In itself this brings no new features, however
it ensures that any locally formatted timestamp's timezone is also parsable
again.
These two changes ensure that the output of format_timestamp() may always be
passed to parse_timestamp() and results in the original input. The related
flavours for usec/UTC also work accordingly. Calendar specifications are
extended in a similar way.
The man page is updated accordingly, in particular this removes the claim that
timestamps systemd prints wouldn't be parsable by systemd. They are now.
The man page previously showed invalid timestamps as examples. This has been
removed, as the man page shouldn't be a unit test, where such negative examples
would be useful. The man page also no longer mentions the names of internal
functions, such as format_timestamp_us() or UNIX error codes such as EINVAL.
|
|
|
|
This setting adds minimal user namespacing support to a service. When set the invoked
processes will run in their own user namespace. Only a trivial mapping will be
set up: the root user/group is mapped to root, and the user/group of the
service will be mapped to itself, everything else is mapped to nobody.
If this setting is used the service runs with no capabilities on the host, but
configurable capabilities within the service.
This setting is particularly useful in conjunction with RootDirectory= as the
need to synchronize /etc/passwd and /etc/group between the host and the service
OS tree is reduced, as only three UID/GIDs need to match: root, nobody and the
user of the service itself. But even outside the RootDirectory= case this
setting is useful to substantially reduce the attack surface of a service.
Example command to test this:
systemd-run -p PrivateUsers=1 -p User=foobar -t /bin/sh
This runs a shell as user "foobar". When typing "ps" only processes owned by
"root", by "foobar", and by "nobody" should be visible.
|
|
state (#3874)
Otherwise for example services that are failing on start and have Restart=on-failure
and bigger RestartSec systemctl status will return 0.
Fixes: #3864
|
|
It's probably better to be safe here.
|
|
interesting data
|
|
This way, invoking nspawn from a shell in the best case inherits the TERM
setting all the way down into the login shell spawned in the container.
Fixes: #3697
|
|
|
|
This removes the --share-system switch: from the documentation, the --help text
as well as the command line parsing. It's an ugly option, given that it kinda
contradicts the whole concept of PID namespaces that nspawn implements. Since
it's barely ever used, let's just deprecate it and remove it from the options.
It might be useful as a debugging option, hence the functionality is kept
around for now, exposed via an undocumented $SYSTEMD_NSPAWN_SHARE_SYSTEM
environment variable.
|
|
This has the benefit that the container can follow the host's DNS server
changes without us having to constantly update the container's resolv.conf
settings.
|
|
Update documentation for systemd-vconsole-setup
|
|
Each series has identical hardware, let's use a glob instead of listing them
one by one.
|
|
Whether a device is a trackball or not is a physical property so we should
store this globally, in one place. The new property must be set in addition to
ID_INPUT_MOUSE, otherwise existing clients won't detect the device.
No actual code changes required, the default match rule is simply checking for
"Trackball" in the name (in a few versions), other entries need to be added
manually.
|
|
Introduce MaxConnectionsPerSource= that is number of concurrent
connections allowed per IP.
RFE: 1939
|
|
Coredump: save information useful for debuging crashes in containers - v2
|
|
|
|
…since 4de282cf9324ab.
|
|
Process container parent is the process used to start processes with a new
user namespace - e.g systemd-nspawn, runc, lxc, etc.
There is not standard way how to find such a process - or I do not know
about it - hence I have decided to find the first process in the parent
process hierarchy with a different mount namespace and different
/proc/self/root's inode.
I have decided for this criteria because in ABRT we take special care
only if the crashed process runs different code than installed on the
host. Other processes with namespaces different than PID 1's namespaces
are just processes running code shipped by the OS vendor and bug
reporting tools can get information about the provider of the code
without the need to deal with changed root and so on.
|
|
IMA wiki says: "If the IMA policy contains LSM labels, then the LSM
policy must be loaded prior to the IMA policy." Right now, in case of
Smack, the IMA policy is loaded before the Smack policy. Move the order
around to allow Smack labels to be used in IMA policy.
|
|
This complements graphical-session.target for services which set up the
environment (e. g. dbus-update-activation-environment) and need to run before
the actual graphical session.
|
|
(#3850)
The password directory watch should get ordered before cryptsetup to make sure
that the password for unlocking the crypt device gets prompted.
|
|
The file contains information one can use to debug processes running
within a container.
|
|
For this moment machinectl prints legend and count of machines/images/etc.
But in a case when we have no images,machines,etc., there is no sense to
show legend:
~$ machinectl
MACHINE CLASS SERVICE
0 machines listed.
Let's print only 'No machines', 'No images', 'No transfers' in this case.
|
|
The CPUID and DMI vendor strings do not seem to be documented.
Values were found experimentally and by inspecting the source code.
|
|
the ACTION_DONE was introduced in the 4288f61921 (dbus: automatically
generate and install introspection files ) commit and was used in
systemd --introspect command.
Later 'introspect' command was removed in the ca2871d9b (bus: remove
static introspection file export) commit and have no users anymore.
So we can remove it.
|
|
Lenovo trackpoint speed fixes
|
|
They were outdated, and this way it's less likely that they'll get out of sync
again. Anyway, it's easier for the reader to have the kernel and config file
options next to one another.
|
|
For error messages, make them more meaningful by printing the tty name.
Follow-up for #3742.
|
|
In this patch "enabled" and "disabled" is used exclusively, but "enable" and
"disable" forms are need for the following patch.
|
|
|
|
Depending on how binutils was configured and the --enable-fast-install
configure option, the test binary might be called either name.
Fixes: https://github.com/systemd/systemd/issues/3838
|
|
config_parse_user_tasks_max() was incorrectly accepting percentage value
between 1 and 99. Update it to accept 0% and 100%. This brings it in line
with TasksMax handling in systemd.
|
|
|
|
Explain in the systemd.resource-control man that systemd user instance can't use resource control on
cgroup-v1.
|
|
add cgroup-v2.txt link in section "Unified and Legacy Control Group
Hierarchies" of systemd.resource-control man.
|
|
Private devices don't exist when running in a container, so skip the related
tests.
|
|
No point running tests against process 1 if systemd is not running as that
process. This is a rework of an unpublished patch by @9muir.
|
|
The condition tests for hostname will fail if hostname looks like an id128.
The test function attempts to convert hostname to an id128, and if that
succeeds compare it to the machine ID (presumably because the 'hostname'
condition test is overloaded to also test machine ID). That will typically
fail, and unfortunately the 'mock' utility generates a random hostname that
happens to have the same format as an id128, thus causing a test failure.
|
|
|
|
vconsole-setup: updates & fixes V2
|
|
This adds a --disable-lto option to ./configure, but does not change the
default behavior.
|
|
Fixes #3813.
|
|
Like many other recent thinkpads the factory default pointingstick
sensitivity on these devices is quite low, making the pointingstick
very slow in moving the cursor.
This extends the existing hwdb rules for tweaking the sensitivity to
also apply to the X260 models.
|
|
Like many other recent thinkpads the factory default pointingstick
sensitivity on these devices is quite low, making the pointingstick
very slow in moving the cursor.
This extends the existing hwdb rules for tweaking the sensitivity to
also apply to the T560 models.
|
