Age | Commit message | Author
2016-09-24 | kernel-install: allow plugins to terminate the procedure (#4174) | Zbigniew Jędrzejewski-Szmek
Replaces #4103.
2016-09-24 | Merge pull request #4207 from fbuihuu/fix-journal-hmac-calculation | Zbigniew Jędrzejewski-Szmek
Fix journal hmac calculation.
2016-09-24 | sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (#4205) | HATAYAMA Daisuke
Currently, systemd-sysctl command configures kernel parameters in each sysctl configuration files in random order due to characteristics of iterator of Hashmap.
However, kernel parameters need to be configured in the order they occur in each sysctl configuration files.
- For example, consider fs.suid_coredump and kernel.core_pattern. If fs.suid_coredump=2 is configured before kernel.core_pattern= whose default value is "core", then kernel outputs the following message:
    Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
  Note that the security issue mentioned in this message has already been fixed on recent kernels, so this is just a warning message on such kernels. But it's still confusing to users that this message is output on some boot and not output on another boot.
- I don't know but there could be other kernel parameters that are significant in the order they are configured.
- The legacy sysctl command configures kernel parameters in the order they occur in each sysctl configuration files. Although I didn't find any official specification explaining this behavior of sysctl command, I don't think there is any meaningful reason to change this behavior, in particular, to the random one.
This commit does the change by simply using OrderedHashmap instead of Hashmap.
2016-09-24 | nspawn: decouple --boot from CLONE_NEWIPC (#4180) | Luca Bruno
This commit is a minor tweak after the split of `--share-system`, decoupling the `--boot` option from IPC namespacing. Historically there has been a single `--share-system` option for sharing IPC/PID/UTS with the host, which was incompatible with boot/pid1 mode. After the split, it is now possible to express the requirements with better granularity. For reference, this is a followup to #4023 which contains references to previous discussions. I realized too late that CLONE_NEWIPC is not strictly needed for boot mode.
2016-09-23 | journal: fix HMAC calculation when appending a data object | Franck Bui
Since commit 5996c7c295e073ce21d41305169132c8aa993ad0 (v190 !), the calculation of the HMAC is broken because the hash for a data object including a field is done in the wrong order: the field object is hashed before the data object is. However during verification, the hash is done in the opposite order as objects are scanned sequentially.
2016-09-23 | journal: warn when we fail to append a tag to a journal | Franck Bui
We shouldn't silently fail when appending the tag to a journal file since FSS protection will simply be disabled in this case.
2016-09-23 | l10n: update Czech translation (#4203) | AsciiWolf
2016-09-22 | machine: Disable more output when quiet flag is set (#4196) | Wilhelm Schuster
2016-09-21 | l10n: add Czech Translation (#4195) | Daniel Maixner
2016-09-20 | nspawn: fix comment typo in setup_timezone example (#4183) | Michael Pope
2016-09-18 | journal: fix typo in comment (#4176) | Felix Zhang
2016-09-17 | Revert "kernel-install: Add KERNEL_INSTALL_NOOP (#4103)" | Martin Pitt
Further discussion showed that this better gets addressed at the packaging level. This reverts commit 34210af7c63640fca1fd4a09fc23b01a8cd70bf3.
2016-09-17 | Merge pull request #4123 from keszybz/network-file-dropins | Martin Pitt
Network file dropins
2016-09-17 | nspawn: clarify log warning for /etc/localtime not being a symbolic link (#4163) | Michael Pope
2016-09-16 | networkd: change message about missing Kind | Zbigniew Jędrzejewski-Szmek
If Kind is not specified, the message about "Invalid Kind" was misleading. If Kind was specified in an invalid way, we get a message in the parsing phase anyway. Reword the message to cover both cases better.
2016-09-16 | man: mention that netdev,network files support dropins | Zbigniew Jędrzejewski-Szmek
Also update the description of drop-ins in systemd.unit(5) to say that .d directories, not .conf files, are in /etc/system/system, /run/systemd/system, etc.
2016-09-16 | networkd: support drop-in dirs for .network files | Zbigniew Jędrzejewski-Szmek
2016-09-16 | shared/conf-parser: add config_parse_many which takes strv with dirs | Zbigniew Jędrzejewski-Szmek
This way we don't have to create a nulstr just to unpack it in a moment.
2016-09-16 | tree-wide: rename config_parse_many to …_nulstr | Zbigniew Jędrzejewski-Szmek
In preparation for adding a version which takes a strv.
2016-09-16 | networkd: support drop-in directories for .network files | Jean-Sébastien Bour
Fixes #3655. [zj: Fix the tests.]
2016-09-16 | networkd-test: add a helper function to always clean up temporary config files | Zbigniew Jędrzejewski-Szmek
2016-09-16 | Updated formatting for printing the key for FSS (#4165) | hi117
The key used to be jammed next to the local file path. Based on the format string on line 1675, I determined that the order of arguments was written incorrectly, and updated the function based on that assumption.
Before:
```
Please write down the following secret verification key. It should be stored
at a safe location and should not be saved locally on disk.
/var/log/journal/9b47c1a5b339412887a197b7654673a7/fss8f66d6-f0a998-f782d0-1fe522/18fdb8-35a4e900
The sealing key is automatically changed every 15min.
```
After:
```
Please write down the following secret verification key. It should be stored
at a safe location and should not be saved locally on disk.
d53ed4-cc43d6-284e10-8f0324/18fdb8-35a4e900
The sealing key is automatically changed every 15min.
```
2016-09-16 | man: Update example for downloading a Fedora image (#4166) | Stefan Schweter
2016-09-15 | man: update url to openpgpkey rfc (#4156) | Stefan
2016-09-15 | Merge pull request #4131 from intelfx/update-done-timestamps-precision | Zbigniew Jędrzejewski-Szmek
condition: ignore nanoseconds in timestamps for ConditionNeedsUpdate=
Fixes #4130.
2016-09-16 | logind: fix /run/user/$UID creation in apparmor-confined containers (#4154) | Tomáš Janoušek
When a docker container is confined with AppArmor [1] and happens to run on top of a kernel that supports mount mediation [2], e.g. any Ubuntu kernel, mount(2) returns EACCES instead of EPERM. This then leads to:
    systemd-logind[33]: Failed to mount per-user tmpfs directory /run/user/1000: Permission denied
    login[42]: pam_systemd(login:session): Failed to create session: Access denied
and user sessions don't start.
This also applies to selinux that too returns EACCES on mount denial.
[1] https://github.com/docker/docker/blob/master/docs/security/apparmor.md#understand-the-policies
[2] http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/kernel-patches/4.7/0025-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
2016-09-15 | hwdb: Update database of Bluetooth company identifiers | Marcel Holtmann
2016-09-15 | test-execute: fix %n typo (#4153) | Zbigniew Jędrzejewski-Szmek
2016-09-15 | Merge pull request #4150 from ssahani/net1 | Martin Pitt
networkd: trivial fixes
2016-09-15 | Update systemctl.xml (#4151) | kristbaum
2016-09-15 | hwdb: add Lenovo *40 series resolution fixes (#4149) | Peter Hutterer
2016-09-15 | networkd: network fix log message | Susant Sahani
2016-09-15 | networkd: netdev fixup copy paste error | Susant Sahani
2016-09-15 | TODO: update networkd TODO | Susant Sahani
2016-09-15 | update-done, condition: write the timestamp to the file as well and use it to prevent false-positives | Ivan Shapovalov
This fixes https://bugs.freedesktop.org/show_bug.cgi?id=90192 and #4130 for real. Also, remove timestamp check in update-done.c altogether since the whole operation is idempotent.
2016-09-15 | time-util: export timespec_load_nsec() | Ivan Shapovalov
2016-09-14 | shell-completion: add --wait to systemd-run completions (#4140) | Davide Cavalca
2016-09-14 | gitignore: ignore image.raw from mkosi (#4141) | Davide Cavalca
2016-09-14 | networkd: add support to configure virtual CAN device (#4139) | Susant Sahani
1. add support for kind vcan
2. fixup indention netlink-types.c, networkd-netdev.c
2016-09-14 | Merge pull request #4133 from keszybz/strerror-removal | Martin Pitt
Strerror removal and other janitorial cleanups
2016-09-14 | kernel-install: Add KERNEL_INSTALL_NOOP (#4103) | Colin Walters
Will be used by rpm-ostree (and likely lorax) to suppress RPM->kernel->%posttrans->dracut runs, and basically everything else this script is doing. I'll also likely change the `kernel.spec` to respect this as well.
2016-09-14 | NEWS: add a bunch of stuff for the 232 release (#4132) | Zbigniew Jędrzejewski-Szmek
This does not include the description of the mixed v1/v2 mode, but everything important apart from that should be covered.
2016-09-13 | TODO: remove duplicated item | Zbigniew Jędrzejewski-Szmek
2016-09-13 | Always use unicode ellipsis when ellipsizing | Zbigniew Jędrzejewski-Szmek
We were already unconditionally using the unicode character when the input string was not pure ASCII, leading to different behaviour depending on the input string.
    systemd[1]: Starting printit.service.
    python3[19962]: foooooooooooooooooooooooooooooooooooo…oooo
    python3[19964]: fooąęoooooooooooooooooooooooooooooooo…oooo
    python3[19966]: fooąęoooooooooooooooooooooooooooooooo…ąęąę
    python3[19968]: fooąęoooooooooooooooooąęąęąęąęąęąęąęą…ąęąę
    systemd[1]: Started printit.service.
2016-09-13 | TODO: remove strerror entry | Zbigniew Jędrzejewski-Szmek
I believe the remaining call sites are legitimate uses which cannot be easily replaced with %m.
2016-09-13 | tests: get rid of strerror | Zbigniew Jędrzejewski-Szmek
2016-09-13 | tree-wide: use %m in calls to sd_bus_error_set_errnof | Zbigniew Jędrzejewski-Szmek
sd_bus_error_set_errnof supports %m, so there's no need to call strerror manually.
2016-09-13 | journal-verify: get rid of strerror | Zbigniew Jędrzejewski-Szmek
2016-09-13 | microhttpd-util: add the trailing newline automatically | Zbigniew Jędrzejewski-Szmek
It's prone to error and annoying to have to add it manually. It was missing from a few places.
2016-09-13 | journal-remote: implement %m support in mhd_respondf | Zbigniew Jędrzejewski-Szmek
errno value is not protected (it is undefined after this function returns). Various mhd_* functions are not documented to protect errno, so this could not be guaranteed anyway.