Otherwise we might follow the symlinks on the host, instead of the
container.
Fixes #1400

Make sure we acquire CAP_NET_ADMIN if we require virtual networking.
Make sure we imply virtual ethernet correctly when bridge is requested.
Fixes: #1511
Fixes: #1554
Fixes: #1590

/dev/loop*p* block devices are of the "blkext" subsystem, not of loop,
hence whitelist this too.
Fixes #1446

using "machinectl set-limit"
Previously, we already accepted "-" as special value for dropping
limits. Add "infinity", as that's what we support for RLIMITs and hence
should support here too. Also add "none" as that's what the btrfs tools
use.

Let's make sure the subvolumes we create fit into a sensible definition
of a quota tree.

This allows us to set up the quota group hierarchy in a reasonable way
on btrfs file systems.

With this change we understand more than just leaf quota groups for
btrfs file systems. Specifically:
- When we create a subvolume we can now optionally add the new subvolume
  to all qgroups its parent subvolume was member of too. Alternatively
  it is also possible to insert an intermediary quota group between the
  parent's qgroups and the subvolume's leaf qgroup, which is useful for
  a concept of "subtree" qgroups, that contain a subvolume and all its
  children.
- The remove logic for subvolumes has been updated to optionally remove
  any leaf qgroups or "subtree" qgroups, following the logic above.
- The snapshot logic for subvolumes has been updated to replicate the
  original qgroup setup of the source, if it follows the "subtree"
  design described above. It will not cover qgroup setups that introduce
  arbitrary qgroups, especially those orthogonal to the subvolume
  hierarchy.
This also tries to be more graceful when setting up /var/lib/machines as
btrfs. For example, if mkfs.btrfs is missing we don't even try to set it
up as loopback device.
Fixes #1559
Fixes #1129

I accidentally broke this a while back when I ported systemctl to the
verbs logic.
Add support for this back.

Simplify the call, and add dir_is_populated() as inverse call, in order
to make some checks easier to read.

core dbus: Check that flush works with memstream

shell-completion: systemd-run: add new property EnvironmentFile

core: fix namespace parsing

Add zsh completion on systemd-run's properties

ReadOnlyDirectories=-/ works fine

systemd-run can launch units with ReadWriteDirectories, ReadOnlyDirectories, InaccessibleDirectories

networkd: assorted fixes

Every time the state is written out we may trigger third-party apps, so
let's be a bit more careful about writing this out unnecessarily.

We only keep the addresses that we added ourselves in link->addresses, and
introduce a new set link->addresses_foreign to keep addresses of unknown
origin.
Only functional change is that "foreign" addresses no longer prevent a link
from entering "configured" state.

Establish the firewall rule before creating the address, and do not create the address
if the firewall rule could not be created. Also, only drop the firewall rule once
the address has been removed from the kernel.

These functions are almost entirely the same, so avoid duplication.

Call back into link_check_ready() whenever an address state change may have
made a link ready.

We were considering a link configured whilst its IPv6 addresses were still
tentative.
Fixes issue #650.

"ReadWriteDirectories", "ReadOnlyDirectories", "InaccessibleDirectories"

InaccessibleDirectories

dbus-execute: remove unused variable

from ceb728cf

run: fix Environment parsing

networkd: add support to configure IPv6 DAD

* `Environment=` resets previous assignments
* `Environment='a=1 b=2'` sets `a` to `1` and `b` to `2`
* `Environment='"a=1 2" b=2"'` sets `a` to `1 2` and `b` to `2`

nspawn: skip /sys-as-tmpfs if we don't use private-network

various fixes, for various things

Since v3.11/7dc5dbc ("sysfs: Restrict mounting sysfs"), the kernel
doesn't allow mounting sysfs if you don't have CAP_SYS_ADMIN rights over
the network namespace.
So the mounting /sys as a tmpfs code introduced in
d8fc6a000fe21b0c1ba27fbfed8b42d00b349a4b doesn't work with user
namespaces if we don't use private-net. The reason is that we mount
sysfs inside the container and we're in the network namespace of the host
but we don't have CAP_SYS_ADMIN over that namespace.
To fix that, we mount /sys as a sysfs (instead of tmpfs) if we don't use
private network and ignore the /sys-as-a-tmpfs code if we find that /sys
is already mounted as sysfs.
Fixes #1555

A bit snake-oilish, but can't hurt.

Fixes one of the issues pointed out in #1522.