summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-11-15Merge pull request #4658 from endocode/djalal/sandbox-various-fixes-v1Djalal Harouni
core: improve the logic that implies no new privileges and documentation fixes
2016-11-15tests: add UNIFIED_CGROUP_HIERARCHY=[default|hybrid] (#4675)Evgeny Vereshchagin
This will simplify testing a bit. Mainly for https://github.com/systemd/systemd/pull/4670
2016-11-15bus-util: print RestrictNamespaces= as a stringDjalal Harouni
Allow all callers that want to print RestrictNamespaces= returned from D-Bus as a string instead of a u64 value.
2016-11-15test: add tests for RestrictNamespaces=Djalal Harouni
2016-11-15core:gperf: pass the exec_context struct directly to parse restrict namespacesDjalal Harouni
The RestrictNamespaces= takes yes, no or a list of namespaces types, therefor config_parse_restrict_namespaces() is a bit complex and it operates on the ExecContext, fix this by passing the offset of ExecContext directly otherwise restricting namespaces won't work.
2016-11-15doc: move ProtectKernelModules= documentation near ProtectKernelTunalbes=Djalal Harouni
2016-11-15core: property is RestrictNamespaces with sDjalal Harouni
2016-11-15doc: note when no new privileges is impliedDjalal Harouni
2016-11-15core: improve the logic that implies no new privilegesDjalal Harouni
The no_new_privileged_set variable is not used any more since commit 9b232d3241fcfbf60af that fixed another thing. So remove it. Also no need to check if we are under user manager, remove that part too.
2016-11-14Merge pull request #4665 from teg/networkd-split-1David Herrmann
networkd: split sources into subdirectories
2016-11-14nspawn: restart the whole systemd-nspawn@.service unit on container reboot ↵Zbigniew Jędrzejewski-Szmek
(#4613) Since 133 is now used in a few places, add a #define for it. Also make the status message a bit informative. Another issue introduced in b006762. The logic was borked, we were supposed to return 0 to break the loop, and 133 to restart the container, not the other way around. But this doesn't seem to work, reboot fails with: Nov 08 00:41:32 laptop systemd-nspawn[26564]: Failed to register machine: Machine 'fedora-rawhide' already exists So actually the version before this patch worked better, since 133 > 0 and we'd at least loop internally.
2016-11-14link: fix offload features initialization (#4639)Maks Naumov
2016-11-14networkd: clean up main header file a bitTom Gundersen
Rename networkd.h to networkd-manager.h, to more accurately describe what it contains.
2016-11-13networkd: netdev - move to separate subdirectoryTom Gundersen
This could (and should) be made into a separate daemon, at least move the sourcefiles out for now.
2016-11-13networkd-wait-online: move to separate subdirectoryTom Gundersen
Also clean up the header files a bit.
2016-11-13networkd: network - apply() does not need to take the manager objectTom Gundersen
2016-11-12Merge pull request #4659 from keszybz/ctrl-alt-del-twiceMichael Biebl
build-sys: do not install ctrl-alt-del.target symlink twice
2016-11-12build-sys: do not install ctrl-alt-del.target symlink twiceZbigniew Jędrzejewski-Szmek
It was a harmless but pointless duplication. Fixes #4655. Note: in general we try to install as little as possible in /etc/systemd/{system,user}. We only install .wants links there for units which are "user configurable", i.e. which have an [Install] section. Most our units and aliases are not user configurable, do not have an [Install] section, and must be symlinked statically during installation. A few units do have an [Install] section, and are enabled through symlinks in /etc/ during installation using GENERAL_ALIASES. It *would* be possible to not create those symlinks, and instead require 'systemctl preset' to be invoked after installation, but GENERAL_ALIASES works well enough.
2016-11-11man: add Itanium root GUID to table (#4656)Lucas Werkmeister
This GUID was added in #2263, but the manpage was not updated.
2016-11-11systemctl: resolve symlinks when finding unit paths (#4545)Felipe Sateler
Otherwise we think the alias is the real unit, and may edit/cat the wrong unit. Before this patch: $ systemctl edit autovt@ # creates dropin in /etc/systemd/system/autovt@.service.d $ systemctl cat autovt@ | grep @.service # /lib/systemd/system/autovt@.service # that serial gettys are covered by serial-getty@.service, not this # /etc/systemd/system/autovt@.service.d/override.conf $ systemctl cat getty@ | grep @.service # /lib/systemd/system/getty@.service # that serial gettys are covered by serial-getty@.service, not this After this patch $ systemctl edit autovt@ # creates dropin in /etc/systemd/system/getty@.service.d $ systemctl cat autovt@ | grep @.service # /usr/lib/systemd/system/getty@.service # that serial gettys are covered by serial-getty@.service, not this # /etc/systemd/system/getty@.service.d/override.conf systemctl cat getty@ | grep @.service # /usr/lib/systemd/system/getty@.service # that serial gettys are covered by serial-getty@.service, not this # /etc/systemd/system/getty@.service.d/override.conf
2016-11-12Merge pull request #4652 from mbiebl/configure-bzip2Djalal Harouni
various small cleanups in our configure help output
2016-11-11units: disable /sys/fs/fuse/connections in private user namespaces (#4592)Zbigniew Jędrzejewski-Szmek
The mount fails, even though CAP_SYS_ADMIN is granted. Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns, and the patch to add that fusectl was rejected [1]. It would be nice if we could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this could change over time, but this information doesn't seem to be exported. So let's just skip this mount in userns to avoid an error during boot. [1] https://patchwork.kernel.org/patch/2828269/
2016-11-11tree-wide: make invocations of extract_first_word more uniform (#4627)Zbigniew Jędrzejewski-Szmek
extract_first_words deals fine with the string being NULL, so drop the upfront check for that.
2016-11-11timesyncd: clear ADJ_MAXERROR to keep STA_UNSYNC cleared after jump adjust ↵akochetkov
(#4626) NTP use jump adjust if system has incorrect time read from RTC during boot. It is desireble to update RTC time as soon as NTP set correct system time. Sometimes kernel failed to update RTC due to STA_UNSYNC get set before RTC update finised. In that case RTC time wouldn't be updated within long time. The commit makes RTC updates stable. When NTP do jump time adjust using ADJ_SETOFFSET it clears STA_UNSYNC flag. If don't clear ADJ_MAXERROR, STA_UNSYNC will be set again by kernel within 1 second (by second_overflow() function). STA_UNSYNC flag prevent RTC updates in kernel. Sometimes the kernel is able to update RTC withing 1 second, but sometimes it falied.
2016-11-11build-sys: use lowercase consistently in AS_HELP_STRINGMichael Biebl
We were using a mix of upper and lowercase. Since autoconf's own help output uses lowercase, use that as well.
2016-11-11basic/virt: fix userns check on CONFIG_USER_NS=n kernel (#4651)Zbigniew Jędrzejewski-Szmek
ENOENT should be treated as "false", but because of the broken errno check it was treated as an error. So ConditionVirtualization=user-namespaces probably returned the correct answer, but only by accident. Fixes #4608.
2016-11-11build-sys: replace obsolete AC_HELP_STRING with AS_HELP_STRINGMichael Biebl
The AC_HELP_STRING autoconf macro is obsolete. Use AS_HELP_STRING instead.
2016-11-11build-sys: fix help text of bzip2 configure checkMichael Biebl
The bzip2 support is enabled by default unless requested otherwise via --disable-bzip2. Make the help text reflect that. Fixes: #4636
2016-11-11fstab-generator: add x-systemd.mount-timeout (#4603)Christian Hesse
This adds a new systemd fstab option x-systemd.mount-timeout. The option adds a timeout value that specifies how long systemd waits for the mount command to finish. It allows to mount huge btrfs volumes without issues. This is equivalent to adding option TimeoutSec= to [Mount] section in a mount unit file. fixes #4055
2016-11-11test-nss: allow the module and names/addresses to be specified (#4258)Zbigniew Jędrzejewski-Szmek
Useful for testing a single module. If nothing is specified, behaviour is the same as before. $ ./test-nss myhostname 192.168.0.14 localhost ======== myhostname ======== _nss_myhostname_gethostbyname4_r("localhost") → status=NSS_STATUS_SUCCESS pat=buffer+0x38 errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0 "localhost" AF_INET 127.0.0.1 %lo "localhost" AF_INET6 ::1 %lo _nss_myhostname_gethostbyname3_r("localhost", AF_INET) → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0 "localhost" AF_INET 127.0.0.1 canonical: "localhost" _nss_myhostname_gethostbyname3_r("localhost", AF_INET6) → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0 "localhost" AF_INET6 ::1 canonical: "localhost" _nss_myhostname_gethostbyname3_r("localhost", *) → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0 "localhost" AF_INET 127.0.0.1 canonical: "localhost" _nss_myhostname_gethostbyname3_r("localhost", AF_UNIX) → status=NSS_STATUS_UNAVAIL errno=97/EAFNOSUPPORT h_errno=4/No address associated with name ttl=2147483647 _nss_myhostname_gethostbyname2_r("localhost", AF_INET) → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) "localhost" AF_INET 127.0.0.1 _nss_myhostname_gethostbyname2_r("localhost", AF_INET6) → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) "localhost" AF_INET6 ::1 _nss_myhostname_gethostbyname2_r("localhost", *) → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) "localhost" AF_INET 127.0.0.1 _nss_myhostname_gethostbyname2_r("localhost", AF_UNIX) → status=NSS_STATUS_UNAVAIL errno=97/EAFNOSUPPORT h_errno=4/No address associated with name _nss_myhostname_gethostbyname_r("localhost") → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) "localhost" AF_INET 127.0.0.1 _nss_myhostname_gethostbyaddr2_r("192.168.0.14") → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0 "laptop" AF_INET 192.168.0.14 AF_INET 192.168.122.1 AF_INET 169.254.209.76 _nss_myhostname_gethostbyaddr_r("192.168.0.14") → status=NSS_STATUS_SUCCESS errno=0/--- h_errno=0/Resolver Error 0 (no error) "laptop" AF_INET 192.168.0.14 AF_INET 192.168.122.1 AF_INET 169.254.209.76
2016-11-11man: update machine-id(5) with a note about privacy (#4645)Zbigniew Jędrzejewski-Szmek
2016-11-11Merge pull request #4647 from evverx/arch-testsuiteDjalal Harouni
tests: fix kernel/initrd searching (Arch)
2016-11-11tests: fix kernel/initrd searching (Arch)Evgeny Vereshchagin
We can run sudo make run instead of the sudo make run KERNEL_BIN=/boot/vmlinuz-linux INITRD=/boot/initramfs-linux.img See https://github.com/systemd/systemd/issues/4607
2016-11-10networkd: support setting dhcp client listen port (#4631)Susant Sahani
Allow setting custom port for the DHCP client to listen on in networkd. [DHCP] ListenPort=6677
2016-11-10Merge pull request #4635 from eworm-de/resolvedZbigniew Jędrzejewski-Szmek
resolved: unlink /run/systemd/resolve/resolv.conf upon exit
2016-11-10man: mention start rate limiting in Restart= doc (#4637)Lucas Werkmeister
2016-11-10Merge pull request #4104 from ssahani/ethtool_xlink_settingsZbigniew Jędrzejewski-Szmek
Link: port to new ethtool ETHTOOL_xLINKSETTINGS
2016-11-10Merge pull request #4618 from grawity/signal-directionZbigniew Jędrzejewski-Szmek
busctl introspect: accept direction="out" for signals.
2016-11-10core:namespace: count and free failed paths inside chase_all_symlinks() (#4619)Djalal Harouni
This certainly fixes a bug that was introduced by PR https://github.com/systemd/systemd/pull/4594 that intended to fix https://github.com/systemd/systemd/issues/4567. The fix was not complete. This patch makes sure that we count and free all paths that fail inside chase_all_symlinks(). Fixes https://github.com/systemd/systemd/issues/4567
2016-11-10resolved: unlink private resolv.conf on exitChristian Hesse
This fixes the logic with systemd-nspawn which checks for private resov.conf to decide whether or not to mount it into the container.
2016-11-10resolved: use macro for private resolve.confChristian Hesse
Use the macro from header file to have a single definition of the path.
2016-11-10Link: port to new ethtool ETHTOOL_xLINKSETTINGSSusant Sahani
Link: port to new ethtool ETHTOOL_xLINKSETTINGS This patch defines a new ETHTOOL_GLINKSETTINGS/SLINKSETTINGS API, handled by the new get_link_ksettings/set_link_ksettings . This is a WIP version based on this [kernel patch](https://patchwork.kernel.org/patch/8411401/). commit 0527f1c http://github.com/torvalds/linux/commit/3f1ac7a700d039c61d8d8b99f28d605d489a60cfommit 35afb33
2016-11-09core: don't use the unified hierarchy for the systemd cgroup yet (#4628)Martin Pitt
Too many things don't get along with the unified hierarchy yet: * https://github.com/opencontainers/runc/issues/1175 * https://github.com/docker/docker/issues/28109 * https://github.com/lxc/lxc/issues/1280 So revert the default to the legacy hierarchy for now. Developers of the above software can opt into the unified hierarchy with "systemd.legacy_systemd_cgroup_controller=0".
2016-11-09man/sd_watchdog_enabled: correct minor typos (#4632)Jonathan Boulle
2016-11-09busctl introspect: use free_and_replace()Mantas Mikulėnas
2016-11-09busctl introspect: accept direction="out" for signalsMantas Mikulėnas
According to the D-Bus spec (v0.29), | The direction element on <arg> may be omitted, in which case it | defaults to "in" for method calls and "out" for signals. Signals only | allow "out" so while direction may be specified, it's pointless. Therefore we still should accept a 'direction' attribute, even if it's useless in reality. Closes: #4616
2016-11-08nspawn: fix condition for mounting resolv.conf (#4622)Christian Hesse
The file /usr/lib/systemd/resolv.conf can be stale, it does not tell us whether or not systemd-resolved is running or not. So check for /run/systemd/resolve/resolv.conf as well, which is created at runtime and hence is a better indication.
2016-11-08core: on DynamicUser= make sure that protecting sensitive paths is enforced ↵Djalal Harouni
(#4596) This adds a variable that is always set to false to make sure that protect paths inside sandbox are always enforced and not ignored. The only case when it is set to true is on DynamicUser=no and RootDirectory=/chroot is set. This allows users to use more our sandbox features inside RootDirectory= The only exception is ProtectSystem=full|strict and when DynamicUser=yes is implied. Currently RootDirectory= is not fully compatible with these due to two reasons: * /chroot/usr|etc has to be present on ProtectSystem=full * /chroot// has to be a mount point on ProtectSystem=strict.
2016-11-08Merge pull request #4536 from poettering/seccomp-namespacesZbigniew Jędrzejewski-Szmek
core: add new RestrictNamespaces= unit file setting Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.
2016-11-08Merge pull request #4612 from keszybz/format-stringsZbigniew Jędrzejewski-Szmek
Format string tweaks (and a small fix on 32bit)