summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-06-27sd-device: device_id - set correctly for 'drivers'Tom Gundersen
The 'drivers' pseudo-subsystem needs special treatment. These pseudo-devices are found under /sys/bus/drivers/, so needs the real subsystem encoded in the device_id in order to be resolved. The reader side already assumed this to be the case.
2016-06-26sd-device: enumerator - do not abort enumeration if a device failsTom Gundersen
Collect the errors and return to the caller, but continue enumerating all devices.
2016-06-26Merge pull request #3572 from poettering/machinectl-shell-fixMartin Pitt
machinectl: interpret options placed between "shell" verb and machine name
2016-06-26catalog: make support URL to show in shipped catalog entries configurable ↵Lennart Poettering
(#3597) Let's allow distros to change the support URL to expose in catalog entries by default. It doesn't make sense to direct end-users to the upstream project for common errors. This adds a --with-support-url= switch to configure, which allows overriding the default at build-time. Fixes: #2516
2016-06-26machinectl: verify image existance on "start" and "enable" (#3579)Lennart Poettering
Let's make sure we catch early when a machine doesn't exist that is attempted to be started or enabled as system service.
2016-06-26networkd: use strv_fnmatch() (#3605)0xAX
2016-06-26man: document what Authenticated: in the systemd-resolve output actually ↵Lennart Poettering
means (#3571) My educated guess is that #3561 was filed due to confusion around the systemd-resolve "Data Authenticated:" output. Let's try to clean up the confusion a bit, and document what it means in the man page.
2016-06-26Merge pull request #3600 from poettering/fstab-generator-fixesMartin Pitt
Fstab generator fixes
2016-06-26basic/strv: use SWAP_TWO() macro (#3602)0xAX
2016-06-25nspawn: fix uid patching logic (#3599)Lennart Poettering
An incorrectly set if/else chain caused aus to apply the access mode of a symlink to the directory it is located in. Yuck. Fixes: #3547
2016-06-24fstab-generator: minor simplificationLennart Poettering
2016-06-24fstab-generator: skip fsck for /usr on non-device file systemsLennart Poettering
We do the same already for the root device, hence follow the scheme for /usr too. (Also add some explanatory comments.)
2016-06-24fstab-generator: don't skip /usr handling if root handling didn't work correctlyLennart Poettering
Let's follow the same logic for all mounts here: log errors, and exit the process uncleanly ultimately, but do not skip further mounts if we encounter a problem with an earlier one. Fixes: #2344
2016-06-24systemctl: fix an error condition from "-1" to something meaningfulLennart Poettering
We really shouldn't make up errors like "-1", but use proper errno definitions.
2016-06-24fstab-generator: fix checking of fstab_node_to_udev_node() resultLennart Poettering
We have to check for OOM here, let's add that. There's really no point in checking for path_is_absolute() on the result however, as there's no particular reason why that should be refused. Also, we don't have similar checks for the other mount devices the generator deals with, hence don't bother with it here either. Let's remove that check. (And it shouldn't return made-up errors like "-1" in this case anyway.)
2016-06-24fstab-generator: document why we copy the root device into the usr device if ↵Lennart Poettering
unset Let's a comment about this, to avoid questions popping up like in #2344.
2016-06-24fstab-generator: let's use path_equal() for comparing pathsLennart Poettering
2016-06-24Merge pull request #3587 from martinpitt/masterEvgeny Vereshchagin
Fix some test issues
2016-06-24test: merge check_nspawn() into run_nspawn()Martin Pitt
This makes nspawn tests symmetric with run_qemu() which also exits with 1 if QEMU is not available.
2016-06-24pid1: restore console color support for containers (#3595)Franck Bui
Commit 3a18b60489504056f9b0b1a139439cbfa60a87e1 introduced a regression that disabled the color mode for container. This patch fixes this.
2016-06-24tests: track and check for timeoutsMartin Pitt
If run_qemu() exits with non-zero, this either meant that QEMU was not available (which should be a SKIP) or that QEMU timed out if $QEMU_TIMEOUT was set (which then should be a FAIL). Limit the exit code of run_qemu() to QEMU availability only, and track timeouts separately through the new $TIMED_OUT variable, which is then checked in check_result_qemu(). Do the same for $NSPAWN_TIMEOUT and run_nspawn() so that nspawn and QEMU work similarly.
2016-06-24tests: make TEST-12-ISSUE-3171 nspawn invocation consistent with other testsMartin Pitt
The result of check_nspawn does not mean much, and this forgot to ask check_nspawn() whether nspawn can be used at all. This brings TEST-12-ISSUE-3171 in line with other nspawn tests.
2016-06-24updateLennart Poettering
2016-06-24tests: don't fail if QEMU is not availableMartin Pitt
Fix TEST-{08,09,10,11} to properly skip the test if QEMU is not available instead of failing, like in the other tests.
2016-06-24tests: force booting the kernel with SELinuxMartin Pitt
selinux=1 is not sufficient when running on a kernel which also has another LSM (such as AppArmor) enabled and defaults to that.
2016-06-24Merge pull request #3594 from poettering/resolved-servfailMartin Pitt
resolved fixes for handling SERVFAIL errors from servers
2016-06-24systemctl: Create new unit files with "edit --force" (#3584)Doug Christman
2016-06-24resolved: add option to disable caching (#3592)Martin Pitt
In some cases, caching DNS results locally is not desirable, a it makes DNS cache poisoning attacks a tad easier and also allows users on the system to determine whether or not a particular domain got visited by another user. Thus provide a new "Cache" resolved.conf option to disable it.
2016-06-24Merge pull request #3549 from poettering/resolved-moreTom Gundersen
resolved: more fixes, among them "systemctl-resolve --status" to see DNS configuration in effect, and a local DNS stub listener on 127.0.0.53
2016-06-23resolved: when processing auxiliary DNSSEC transactions, accept those with ↵Lennart Poettering
SERVFAIL Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which some forwarding DNS servers pass on to us as SERVFAIL (other though as NOERROR...). This is should not be considered a problem, as long as the domain in question didn't have DNSSEC enabled. Hence: when making use of auxiliary transactions accept those that return SERVFAIL.
2016-06-23resolved: when caching replies, check rcode earlierLennart Poettering
This way we don't log complaints about packets without SOA in case we are not caching it anyway because the rcode is not SUCCESS or NXDOMAIN...
2016-06-23resolved: rework SERVFAIL handlingLennart Poettering
There might be two reasons why we get a SERVFAIL response from our selected DNS server: because this DNS server itself is bad, or because the DNS server actually serving the zone upstream is bad. So far we immediately downgraded our server feature level when getting SERVFAIL, under the assumption that the first case is the only possible case. However, this meant we'd downgrade immediately even if we encountered the second case described above. With this commit handling of SERVFAIL is reworked. As soon as we get a SERVFAIL on a transaction we retry the transaction with a lower feature level, without changing the feature level tracked for the DNS server itself. If that fails too, we downgrade further, and so on. If during this downgrading the SERVFAIL goes away we assume that the DNS server we are talking to is bad, but the zone is fine and propagate the detected feature level to the information we track about the DNS server. Should the SERVFAIL not go away this way we let the transaction fail and accept the SERVFAIL.
2016-06-23udev: bump TasksMax to inifinity (#3593)Franck Bui
udevd already limits its number of workers/children: the max number is actually twice the number of CPUs the system is using. (The limit can also be raised with udev.children-max= kernel command line option BTW). On some servers, this limit can easily exceed the maximum number of tasks that systemd put on all services, which is 512 by default. Since udevd has already its limitation logic, simply disable the static limitation done by TasksMax.
2016-06-23fstab-generator: ignore root=/dev/nfs (#3591)Harald Hoyer
root=/dev/nfs is a legacy option for the kernel to handle root on NFS. Documentation for this kernel command line option can be found in the kernel source tree: Documentation/filesystems/nfs/nfsroot.txt
2016-06-23Merge pull request #3583 from poettering/restrict-realtimeRonny Chevalier
add new RestrictRealtime= option to services (and other fixes)
2016-06-23Merge pull request #3581 from dobyrch/masterRonny Chevalier
systemctl: Add missing "/" to files created by 'edit --runtime'
2016-06-23build-sys: move fdset.[ch] src/basic → src/shared (#3580)Lennart Poettering
It makes use of the sd_listen_fds() call, and as such should live in src/shared, as the distinction between src/basic and src/shared is that the latter may use libsystemd APIs, the former does not. Note that btrfs-util.[ch] and log.[ch] also include header files from libsystemd, but they only need definitions, they do not invoke any function from it. Hence they may stay in src/basic.
2016-06-23execute: add a new easy-to-use RestrictRealtime= option to unitsLennart Poettering
It takes a boolean value. If true, access to SCHED_RR, SCHED_FIFO and SCHED_DEADLINE is blocked, which my be used to lock up the system.
2016-06-23execute: be a little less drastic when MemoryDenyWriteExecute= hitsLennart Poettering
Let's politely refuse with EPERM rather than kill the whole thing right-away.
2016-06-23execute: set PR_SET_NO_NEW_PRIVS also in case the exec memory protection is usedLennart Poettering
This was forgotten when MemoryDenyWriteExecute= was added: we should set NNP in all cases when we set seccomp filters.
2016-06-23execute: use the return value of setrlimit_closest() properlyLennart Poettering
It's a function defined by us, hence we should look for the error in its return value, not in "errno".
2016-06-23core: when writing transient unit files, make sure all lines end with a newlineLennart Poettering
This is a fix-up for 2a9a6f8ac04a69ca36d645f9305a33645f22a22b which covered non-transient units, but missed the case for transient units.
2016-06-22nspawn: improve man page (#3577)Lennart Poettering
This change documents the existance of the systemd-nspawn@.service template unit file, which was previously not mentioned at all. Since the unit file uses slightly different default than nspawn invoked from the command line, these defaults are now explicitly documented too. A couple of further additions and changes are made, too. Replaces: #3497
2016-06-22man: document that %f in units always unescapes (#3578)Lennart Poettering
2016-06-22systemctl: Add missing "/" to files created by 'edit --runtime'Douglas Christman
2016-06-22machinectl: do not escape the unit name (#3554)Elias Probst
Otherwise starting a machine named `foo-bar-baz` will end up in machinectl attempting to start the service unit `systemd-nspawn@foo\x2dbar\x2dbaz` instead of `systemd-nspawn@foo-bar-baz`.
2016-06-22watchdog: Support changing watchdog_usec during runtime (#3492)Minkyung
Add sd_notify() parameter to change watchdog_usec during runtime. Application can change watchdog_usec value by sd_notify like this. Example. sd_notify(0, "WATCHDOG_USEC=20000000"). To reset watchdog_usec as configured value in service file, restart service. Notice. sd_event is not currently supported. If application uses sd_event_set_watchdog, or sd_watchdog_enabled, do not use "WATCHDOG_USEC" option through sd_notify.
2016-06-22NEWS: start section for 231, with tmpfs.mount option changes (#3576)Martin Pitt
This documents the "add nosuid and nodev options to tmp.mount" change from commit 2f9df7c96a2.
2016-06-22Merge pull request #3526 from fbuihuu/fix-console-log-colorLennart Poettering
Fix console log color
2016-06-22units: add nosuid and nodev options to tmp.mount (#3575)Martin Pitt
This makes privilege escalation attacks harder by putting traps and exploits into /tmp. https://bugs.debian.org/826377