Age | Commit message (Collapse) | Author |
|
core: improve the logic that implies no new privileges and documentation fixes
|
|
This will simplify testing a bit.
Mainly for https://github.com/systemd/systemd/pull/4670
|
|
Allow all callers that want to print RestrictNamespaces= returned from D-Bus
as a string instead of a u64 value.
|
|
|
|
The RestrictNamespaces= takes yes, no or a list of namespaces types,
therefor config_parse_restrict_namespaces() is a bit complex and it
operates on the ExecContext, fix this by passing the offset of
ExecContext directly otherwise restricting namespaces won't work.
|
|
|
|
|
|
|
|
The no_new_privileged_set variable is not used any more since commit
9b232d3241fcfbf60af that fixed another thing. So remove it. Also no
need to check if we are under user manager, remove that part too.
|
|
networkd: split sources into subdirectories
|
|
(#4613)
Since 133 is now used in a few places, add a #define for it.
Also make the status message a bit informative.
Another issue introduced in b006762. The logic was borked, we were supposed
to return 0 to break the loop, and 133 to restart the container, not the other
way around.
But this doesn't seem to work, reboot fails with:
Nov 08 00:41:32 laptop systemd-nspawn[26564]: Failed to register machine: Machine 'fedora-rawhide' already exists
So actually the version before this patch worked better, since 133 > 0 and we'd
at least loop internally.
|
|
|
|
Rename networkd.h to networkd-manager.h, to more accurately describe what it
contains.
|
|
This could (and should) be made into a separate daemon, at least move
the sourcefiles out for now.
|
|
Also clean up the header files a bit.
|
|
|
|
build-sys: do not install ctrl-alt-del.target symlink twice
|
|
It was a harmless but pointless duplication. Fixes #4655.
Note: in general we try to install as little as possible in
/etc/systemd/{system,user}. We only install .wants links there for units which
are "user configurable", i.e. which have an [Install] section. Most our units
and aliases are not user configurable, do not have an [Install] section, and
must be symlinked statically during installation. A few units do have an
[Install] section, and are enabled through symlinks in /etc/ during
installation using GENERAL_ALIASES. It *would* be possible to not create those
symlinks, and instead require 'systemctl preset' to be invoked after
installation, but GENERAL_ALIASES works well enough.
|
|
This GUID was added in #2263, but the manpage was not updated.
|
|
Otherwise we think the alias is the real unit, and may edit/cat the
wrong unit.
Before this patch:
$ systemctl edit autovt@ # creates dropin in /etc/systemd/system/autovt@.service.d
$ systemctl cat autovt@ | grep @.service
# /lib/systemd/system/autovt@.service
# that serial gettys are covered by serial-getty@.service, not this
# /etc/systemd/system/autovt@.service.d/override.conf
$ systemctl cat getty@ | grep @.service
# /lib/systemd/system/getty@.service
# that serial gettys are covered by serial-getty@.service, not this
After this patch
$ systemctl edit autovt@ # creates dropin in /etc/systemd/system/getty@.service.d
$ systemctl cat autovt@ | grep @.service
# /usr/lib/systemd/system/getty@.service
# that serial gettys are covered by serial-getty@.service, not this
# /etc/systemd/system/getty@.service.d/override.conf
systemctl cat getty@ | grep @.service
# /usr/lib/systemd/system/getty@.service
# that serial gettys are covered by serial-getty@.service, not this
# /etc/systemd/system/getty@.service.d/override.conf
|
|
various small cleanups in our configure help output
|
|
The mount fails, even though CAP_SYS_ADMIN is granted.
Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns,
and the patch to add that fusectl was rejected [1]. It would be nice if we
could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this
could change over time, but this information doesn't seem to be exported.
So let's just skip this mount in userns to avoid an error during boot.
[1] https://patchwork.kernel.org/patch/2828269/
|
|
extract_first_words deals fine with the string being NULL, so drop the upfront
check for that.
|
|
(#4626)
NTP use jump adjust if system has incorrect time read from RTC during boot.
It is desireble to update RTC time as soon as NTP set correct system time.
Sometimes kernel failed to update RTC due to STA_UNSYNC get set before RTC
update finised. In that case RTC time wouldn't be updated within long time.
The commit makes RTC updates stable.
When NTP do jump time adjust using ADJ_SETOFFSET it clears STA_UNSYNC flag.
If don't clear ADJ_MAXERROR, STA_UNSYNC will be set again by kernel within
1 second (by second_overflow() function). STA_UNSYNC flag prevent RTC updates
in kernel. Sometimes the kernel is able to update RTC withing 1 second,
but sometimes it falied.
|
|
We were using a mix of upper and lowercase. Since autoconf's own help
output uses lowercase, use that as well.
|
|
ENOENT should be treated as "false", but because of the broken errno check it
was treated as an error. So ConditionVirtualization=user-namespaces probably
returned the correct answer, but only by accident.
Fixes #4608.
|
|
The AC_HELP_STRING autoconf macro is obsolete. Use AS_HELP_STRING instead.
|
|
The bzip2 support is enabled by default unless requested otherwise via
--disable-bzip2. Make the help text reflect that.
Fixes: #4636
|
|
This adds a new systemd fstab option x-systemd.mount-timeout. The option
adds a timeout value that specifies how long systemd waits for the mount
command to finish. It allows to mount huge btrfs volumes without issues.
This is equivalent to adding option TimeoutSec= to [Mount] section in a
mount unit file.
fixes #4055
|
|
Useful for testing a single module. If nothing is specified, behaviour is the
same as before.
$ ./test-nss myhostname 192.168.0.14 localhost
======== myhostname ========
_nss_myhostname_gethostbyname4_r("localhost") → status=NSS_STATUS_SUCCESS
pat=buffer+0x38 errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0
"localhost" AF_INET 127.0.0.1 %lo
"localhost" AF_INET6 ::1 %lo
_nss_myhostname_gethostbyname3_r("localhost", AF_INET) → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0
"localhost"
AF_INET 127.0.0.1
canonical: "localhost"
_nss_myhostname_gethostbyname3_r("localhost", AF_INET6) → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0
"localhost"
AF_INET6 ::1
canonical: "localhost"
_nss_myhostname_gethostbyname3_r("localhost", *) → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0
"localhost"
AF_INET 127.0.0.1
canonical: "localhost"
_nss_myhostname_gethostbyname3_r("localhost", AF_UNIX) → status=NSS_STATUS_UNAVAIL
errno=97/EAFNOSUPPORT h_errno=4/No address associated with name ttl=2147483647
_nss_myhostname_gethostbyname2_r("localhost", AF_INET) → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error)
"localhost"
AF_INET 127.0.0.1
_nss_myhostname_gethostbyname2_r("localhost", AF_INET6) → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error)
"localhost"
AF_INET6 ::1
_nss_myhostname_gethostbyname2_r("localhost", *) → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error)
"localhost"
AF_INET 127.0.0.1
_nss_myhostname_gethostbyname2_r("localhost", AF_UNIX) → status=NSS_STATUS_UNAVAIL
errno=97/EAFNOSUPPORT h_errno=4/No address associated with name
_nss_myhostname_gethostbyname_r("localhost") → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error)
"localhost"
AF_INET 127.0.0.1
_nss_myhostname_gethostbyaddr2_r("192.168.0.14") → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error) ttl=0
"laptop"
AF_INET 192.168.0.14
AF_INET 192.168.122.1
AF_INET 169.254.209.76
_nss_myhostname_gethostbyaddr_r("192.168.0.14") → status=NSS_STATUS_SUCCESS
errno=0/--- h_errno=0/Resolver Error 0 (no error)
"laptop"
AF_INET 192.168.0.14
AF_INET 192.168.122.1
AF_INET 169.254.209.76
|
|
|
|
tests: fix kernel/initrd searching (Arch)
|
|
We can run
sudo make run
instead of the
sudo make run KERNEL_BIN=/boot/vmlinuz-linux INITRD=/boot/initramfs-linux.img
See https://github.com/systemd/systemd/issues/4607
|
|
Allow setting custom port for the DHCP client to listen on in networkd.
[DHCP]
ListenPort=6677
|
|
resolved: unlink /run/systemd/resolve/resolv.conf upon exit
|
|
|
|
Link: port to new ethtool ETHTOOL_xLINKSETTINGS
|
|
busctl introspect: accept direction="out" for signals.
|
|
This certainly fixes a bug that was introduced by PR
https://github.com/systemd/systemd/pull/4594 that intended to fix
https://github.com/systemd/systemd/issues/4567.
The fix was not complete. This patch makes sure that we count and free
all paths that fail inside chase_all_symlinks().
Fixes https://github.com/systemd/systemd/issues/4567
|
|
This fixes the logic with systemd-nspawn which checks for private
resov.conf to decide whether or not to mount it into the container.
|
|
Use the macro from header file to have a single definition of the path.
|
|
Link: port to new ethtool ETHTOOL_xLINKSETTINGS
This patch defines a new ETHTOOL_GLINKSETTINGS/SLINKSETTINGS API,
handled by the new get_link_ksettings/set_link_ksettings .
This is a WIP version based on this [kernel
patch](https://patchwork.kernel.org/patch/8411401/).
commit 0527f1c
http://github.com/torvalds/linux/commit/3f1ac7a700d039c61d8d8b99f28d605d489a60cfommit
35afb33
|
|
Too many things don't get along with the unified hierarchy yet:
* https://github.com/opencontainers/runc/issues/1175
* https://github.com/docker/docker/issues/28109
* https://github.com/lxc/lxc/issues/1280
So revert the default to the legacy hierarchy for now. Developers of the above
software can opt into the unified hierarchy with
"systemd.legacy_systemd_cgroup_controller=0".
|
|
|
|
|
|
According to the D-Bus spec (v0.29),
| The direction element on <arg> may be omitted, in which case it
| defaults to "in" for method calls and "out" for signals. Signals only
| allow "out" so while direction may be specified, it's pointless.
Therefore we still should accept a 'direction' attribute, even if it's
useless in reality.
Closes: #4616
|
|
The file /usr/lib/systemd/resolv.conf can be stale, it does not tell us
whether or not systemd-resolved is running or not.
So check for /run/systemd/resolve/resolv.conf as well, which is created
at runtime and hence is a better indication.
|
|
(#4596)
This adds a variable that is always set to false to make sure that
protect paths inside sandbox are always enforced and not ignored. The only
case when it is set to true is on DynamicUser=no and RootDirectory=/chroot
is set. This allows users to use more our sandbox features inside RootDirectory=
The only exception is ProtectSystem=full|strict and when DynamicUser=yes
is implied. Currently RootDirectory= is not fully compatible with these
due to two reasons:
* /chroot/usr|etc has to be present on ProtectSystem=full
* /chroot// has to be a mount point on ProtectSystem=strict.
|
|
core: add new RestrictNamespaces= unit file setting
Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.
|
|
Format string tweaks (and a small fix on 32bit)
|