Age | Commit message | Author |
|
|
|
Fix machinectl login with containers in user namespaces (v2)
|
|
Delete unnecessary checks before some function calls
|
|
Regression: 'journalctl -f -t unmatched' doesn't block properly
|
|
To be able to use `systemd-run` or `machinectl login` on a container
that is in a private user namespace, the sub-process must have entered
the user namespace before connecting to the container's D-Bus, otherwise
the UID and GID in the peer credentials are garbage.
So we extend namespace_open and namespace_enter to support UID namespaces,
and we enter the UID namespace in bus_container_connect_{socket,kernel}.
namespace_open will degrade to a no-op if user namespaces are not enabled
in the kernel.
Special handling is required for the setns call in namespace_enter with
a user namespace, since transitioning to your own namespace is forbidden,
as it would result in re-entering your user namespace as root.
Arguably it may be valid to check this at the call site, rather than
inside namespace_enter, but it is less code to do it inside, and if the
intention of calling namespace_enter is to *be* in the target namespace,
rather than to transition to the target namespace, it is a reasonable
approach.
The check for whether the user namespace is the same must happen before
entering namespaces, as we may not be able to access /proc during the
intermediate transition stage.
We can't instead attempt to enter the user namespace and then ignore
the failure from it being the same namespace, since the error code is
not distinct, and we can't compare namespaces while mid-transition.
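An added example (my own code, not systemd's namespace_open/namespace_enter) of the sequence the message describes, in plain C against /proc and setns(2): open the target's namespace files first, decide up front whether its user namespace is already ours, join the user namespace before anything else when it is not, and do not touch /proc again between the two setns() calls. The demo_* names, the -errno return convention and the choice to join only the user and mount namespaces are assumptions of this example; the test only exercises the non-privileged parts (opening and comparing namespace files for the calling process).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* nstype flags for setns(2), values from the kernel UAPI, spelled out so the
 * example does not depend on <sched.h> having been seen with _GNU_SOURCE. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Open /proc/<pid>/ns/<name>. Returns an O_CLOEXEC fd or -errno. A kernel built
 * without that namespace type has no such file, so the caller sees -ENOENT and
 * can degrade to a no-op for it. */
static int demo_ns_open(pid_t pid, const char *name) {
        char path[64];
        int fd;

        snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long) pid, name);
        fd = open(path, O_RDONLY | O_CLOEXEC);
        return fd < 0 ? -errno : fd;
}

/* Is <pid>'s user namespace the one we already live in? Compares the nsfs inodes
 * by (st_dev, st_ino), as namespaces(7) describes. Returns 1 if so (also when the
 * kernel has no user namespaces at all, since then there is nothing to enter),
 * 0 if it is a different one, -errno on failure. Ask this before any setns():
 * once mid-transition, /proc may no longer be reachable. */
static int demo_same_userns(pid_t pid) {
        struct stat self, target;
        char path[64];

        if (stat("/proc/self/ns/user", &self) < 0)
                return errno == ENOENT ? 1 : -errno;
        snprintf(path, sizeof path, "/proc/%ld/ns/user", (long) pid);
        if (stat(path, &target) < 0)
                return -errno;
        return self.st_dev == target.st_dev && self.st_ino == target.st_ino;
}

/* Join <pid>'s user namespace (only if it is a different one), then its mount
 * namespace. The user namespace goes first: that is what makes UID/GID in later
 * peer credentials meaningful, and it is where the capabilities for the second
 * setns() come from. setns() into one's own user namespace fails with a plain
 * EINVAL, which is why the decision is taken up front rather than by inspecting
 * the failure. Needs the usual setns(2) privileges; returns 0 or -errno. */
static int demo_ns_enter(pid_t pid) {
        int userns_fd = -1, mntns_fd = -1, r;

        r = demo_same_userns(pid);
        if (r < 0)
                return r;
        if (r == 0) {
                userns_fd = demo_ns_open(pid, "user");
                if (userns_fd < 0)
                        return userns_fd;
        }
        mntns_fd = demo_ns_open(pid, "mnt");
        if (mntns_fd < 0) {
                r = mntns_fd;
                goto finish;
        }
        /* From here on, no /proc access until both transitions are done. */
        if (userns_fd >= 0 && syscall(SYS_setns, userns_fd, CLONE_NEWUSER) < 0) {
                r = -errno;
                goto finish;
        }
        if (syscall(SYS_setns, mntns_fd, CLONE_NEWNS) < 0) {
                r = -errno;
                goto finish;
        }
        r = 0;
finish:
        if (userns_fd >= 0)
                close(userns_fd);
        if (mntns_fd >= 0)
                close(mntns_fd);
        return r;
}

int main(int argc, char **argv) {
        pid_t pid = argc > 1 ? (pid_t) atol(argv[1]) : getpid();
        int r = demo_ns_enter(pid);

        if (r < 0) {
                fprintf(stderr, "entering namespaces of %ld: %s\n", (long) pid, strerror(-r));
                return 1;
        }
        printf("now inside the user and mount namespaces of %ld\n", (long) pid);
        return 0;
}
```

Run as root with a container leader's PID to see the full transition; unprivileged, the setns() calls fail with EPERM while the comparison still works, which is exactly the part worth checking without privilege.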
|
|
The following functions return immediately if a null pointer was passed.
* calendar_spec_free
* link_address_free
* manager_free
* sd_bus_unref
* sd_journal_close
* udev_monitor_unref
* udev_unref
It is therefore not necessary for a caller to repeat a corresponding check.
This issue was fixed by using the software Coccinelle 1.0.1.
|
|
tree-wide: generate EBADF when we get invalid fds
|
|
man: extend documentation for timedatectl's set-ntp command
|
|
sd-bus: always fill in sd_bus_error parameters, on error
|
|
resolved: debugging improvements
|
|
Previously the following command:
$ journalctl -f -t unmatchedtag12345
... would block when called with criteria that did not match any
journal lines. Once log lines appeared that matched the criteria
they were displayed.
Commit 02ab86c732576a71179ce12e97d44c289833236d broke this
behavior: the journal was not followed, and the command
exited with '-- No entries --' displayed.
This commit fixes the issue.
More information downstream:
https://bugzilla.redhat.com/show_bug.cgi?id=1253649
|
|
The function "free" is documented such that no action occurs for
a passed null pointer. It is therefore not necessary for a caller
to repeat a corresponding check.
http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first
This issue was fixed by using the software Coccinelle 1.0.1.
|
|
The function "mfree" should be called instead of "free" at a specific
source code place.
|
|
|
|
Whenever one of our calls is invoked with a non-NULL, writable
sd_bus_error parameter, let's fill in some valid error on failure. We
previously only filled in remote errors, but never local errors, which is
hard to handle by users. Hence, let's clean this up to always fill in
the error.
This introduces a new bus_assert_return() macro that works like
assert_return() but optionally also initializes a bus_error struct.
Fixes #224.
Based on a patch by Umut Tezduyar.
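An added example (my own code, not libsystemd's sd_bus_error or bus_assert_return) of the contract the message sets out: every call that takes a writable error object fills it in on failure, whether the failure is local (a precondition check) or comes from the peer. The demo_bus_error type, the demo_* functions, the errno-to-D-Bus-name table and the simulated peer are all assumptions of this example; the D-Bus error names used are the standard ones.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for sd_bus_error (hypothetical, not the libsystemd type). */
typedef struct demo_bus_error {
        const char *name;     /* D-Bus error name, NULL while unset */
        const char *message;  /* human-readable detail, NULL while unset */
} demo_bus_error;

/* Store an error if the caller passed a writable object that is still empty, so
 * an earlier, more specific error is never overwritten. Always returns the
 * negative errno the caller should propagate, even when error is NULL. */
static int demo_bus_error_set(demo_bus_error *e, int negative_errno,
                              const char *name, const char *message) {
        if (e && !e->name) {
                e->name = name;
                e->message = message;
        }
        return negative_errno < 0 ? negative_errno : -negative_errno;
}

/* Map a local errno to a D-Bus error name (a small subset of such a table). */
static int demo_bus_error_set_errno(demo_bus_error *e, int negative_errno) {
        int err = negative_errno < 0 ? -negative_errno : negative_errno;

        switch (err) {
        case EINVAL:
                return demo_bus_error_set(e, -err, "org.freedesktop.DBus.Error.InvalidArgs", "Invalid argument");
        case ENOMEM:
                return demo_bus_error_set(e, -err, "org.freedesktop.DBus.Error.NoMemory", "Out of memory");
        case EACCES:
        case EPERM:
                return demo_bus_error_set(e, -err, "org.freedesktop.DBus.Error.AccessDenied", "Permission denied");
        default:
                return demo_bus_error_set(e, -err, "org.freedesktop.DBus.Error.Failed", strerror(err));
        }
}

/* Like an assert_return(expr, r) that also fills in the caller's error object, so
 * a failed precondition is reported the same way a remote error would be. */
#define demo_bus_assert_return(expr, r, error)                          \
        do {                                                            \
                if (!(expr))                                            \
                        return demo_bus_error_set_errno((error), (r));  \
        } while (0)

/* Hypothetical client call in the style of a bus method call. No real bus is
 * involved: a simulated peer knows only the method "Ping" and answers 1. */
static int demo_bus_call(const char *destination, const char *member,
                         demo_bus_error *error, int *ret_reply) {
        demo_bus_assert_return(destination, -EINVAL, error);
        demo_bus_assert_return(member && member[0] != '\0', -EINVAL, error);
        demo_bus_assert_return(ret_reply, -EINVAL, error);

        if (strcmp(member, "Ping") != 0)
                /* "remote" error; the -ENOENT mapping is an assumption of this example */
                return demo_bus_error_set(error, -ENOENT,
                                          "org.freedesktop.DBus.Error.UnknownMethod",
                                          "No such method");
        *ret_reply = 1;
        return 0;
}

/* Probes: run one call against a fresh error object and report the outcome. */
static int demo_probe_rc(const char *destination, const char *member) {
        demo_bus_error e = { NULL, NULL };
        int reply = 0;

        return demo_bus_call(destination, member, &e, &reply);
}

static const char *demo_probe_error_name(const char *destination, const char *member) {
        demo_bus_error e = { NULL, NULL };
        int reply = 0;

        demo_bus_call(destination, member, &e, &reply);
        return e.name; /* NULL when the call succeeded */
}

/* A later failure must not clobber an error already stored in the object. */
static const char *demo_first_error_wins(void) {
        demo_bus_error e = { NULL, NULL };
        int reply = 0;

        demo_bus_call("org.example.Service", "Nope", &e, &reply); /* remote: UnknownMethod */
        demo_bus_call(NULL, "Ping", &e, &reply);                  /* local: would be InvalidArgs */
        return e.name;
}

int main(void) {
        demo_bus_error e = { NULL, NULL };
        int reply = 0, r;

        r = demo_bus_call(NULL, "Ping", &e, &reply);
        printf("local failure:  r=%d name=%s (%s)\n", r, e.name, e.message);
        r = demo_bus_call("org.example.Service", "Ping", NULL, &reply);
        printf("NULL error ok:  r=%d reply=%d\n", r, reply);
        return 0;
}
```

The point a caller relies on is the first line of each branch: whatever fails, a non-NULL error object comes back with a name set, so the caller can log or forward one thing instead of special-casing "local" failures that previously arrived as a bare negative errno.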
|
|
|
|
Allow arbitrary file paths to be passed to nspawn (v3)
|
|
Chris Kühl does not work at Endocode anymore; the contact data is no
longer valid.
|
|
|
|
|
|
|
|
resolved: enable synthesizing of A, AAAA and PTR records for "localhost"
|
|
nss-myhostname: use LOOPBACK_IFINDEX instead of if_nametoindex("lo")
|
|
resolve-host: enable auto start of resolved
|
|
There's no reason to explicitly turn off bus activation for resolved
here. The reason this was done before was that the code was copied from
nss-resolve, which has a fallback to glibc's nss-dns if resolved is not
reachable. However, such a logic makes no sense for resolve-host since
such a fallback doesn't make sense here, which means we can actually
turn on activation. Let's do it hence.
|
|
NEWS: fix the "indirect" state description
|
|
|
|
Update shell completion for machinectl
|
|
This extends on the relationship between timedatectl's set-ntp command
and its effect on the systemd-timesyncd.service unit. This also links
that unit back to the timedatectl man page.
Closes #798.
|
|
|
|
"machinectl list" only lists running machines, while many of the MACHINES
commands use names of images, both running and non-running.
List machines from both "list" and "list-images" and use sort -u to
avoid duplicates.
|
|
Many new subcommands have been added since the bash completion was last
updated. Bring it up to speed.
|
|
man: Describe when ExecStartFoo= commands are run in more detail
|
|
UML: Fix block device setup
|
|
Update bash-completion: generate all unit types
|
|
|
|
sd-bus: do not connect to dbus-1 socket when kdbus is available
|
|
zsh completion: update busctl
|
|
|
|
This is a follow-up to #907, and makes the same change for all our other
public APIs.
|
|
logind: actually fail on OOM
|
|
We should never allow leaking of "localhost" queries onto the network,
even if there's an explicit domain route set for this.
|
|
Let's make sure that clients querying resolved via the bus for A, AAAA
or PTR records for "localhost" get a synthesized, local reply, so that
we do not hit the network.
This makes part of nss-myhostname redundant, if used in conjunction.
However, given that nss-resolve shall be optional we need to keep this
code in both places for now.
|
|
Given that we already hardcode the loopback ifindex, following the
kernel's own logic, we can replace the invocation of
if_nametoindex("lo") with LOOPBACK_IFINDEX.
|
|
|
|
Since dacd6cee76a08331b8c8616c5f30f70ee49aa2f9 the two OOMs are
ignored as the value of r will be overwritten and we only log in
the fail section anyway.
This patch jumps to fail on OOM.
Note that this is different behavior compared to both the current
code and previous to dacd6cee76a08331b8c8616c5f30f70ee49aa2f9. Before
that commit we would log that saving the inhibit data failed, but
still write the file, though without the WHO/WHY section.
CID# 1313545
|
|
sd-daemon: return EBADF for invalid fd numbers
|
|
hwdb: add DPI for a few more mice
|
|
|
|
support reboot -f for kexec kernel
|