Age | Commit message (Collapse) | Author |
|
Systemctl fixes
|
|
When unit is marked as UNSURE, we are trying to find if it state was
changed over and over again. So lets not go through the UNSURE states
again. Also when we find a GOOD unit lets propagate the GOOD state to
all units that this unit reference.
This is a problem on machines with a lot of initscripts with different
starting priority, since those units will reference each other and the
original algorithm might get to n! complexity.
Thanks HATAYAMA Daisuke for the expand_good_state code.
|
|
notifications (#3531)
Fixes: #3483
|
|
Fix issue where IN6_ADDR_GEN_MODE_STABLE_PRIVACY is undefined but
IFLA_INET6_ADDR_GEN_MODE is defined and thus the former does not get
fixed in missing.h. This occurs with kernel headers new enough to have
the IFLA_INET6_ADDR_GEN_MODE but old enough to not yet have
IN6_ADDR_GEN_MODE_STABLE_PRIVACY (e.g. 3.18).
|
|
This reworks "systemctl status" and "systemctl show" a bit. It removes the
definition of the `property_info` structure, because we can simply reuse the
existing UnitStatusInfo type for that.
The "could not be found" message is now printed by show_one() itself (and not
its caller), so that it is shown regardless by who the function is called.
(This makes it necessary to pass the unit name to the function.)
This also adds all properties found to a set, and then checks if any of the
properties passed via "--property=" is mising in it, if so, a proper error is
generated.
Support for checking the PID file of a unit is removed, as this cannot be done
reasonably client side (since the systemd instance we are talking to might sit
on another host)
Replaces: #3411
Fixes: #3425
Also see: #3504
|
|
|
|
|
|
hwdb: update UEFI/ACPI/PNP/EISA/EDID database from UEFI web site
|
|
Syscall filter fixes, tighter nspawn seccomp sandbox by default
|
|
Typing `rd.rescue` is easier than `rd.systemd.unit=rescue.target`.
|
|
More verbose logging in localed, unit tests, and a few tweaks to keymap conversions
|
|
Let's block access to the kernel keyring and a number of obsolete system calls.
Also, update list of syscalls that may alter the system clock, and do raw IO
access. Filter ptrace() if CAP_SYS_PTRACE is not passed to the container and
acct() if CAP_SYS_PACCT is not passed.
This also changes things so that kexec(), some profiling calls, the swap calls
and quotactl() is never available to containers, not even if CAP_SYS_ADMIN is
passed. After all we currently permit CAP_SYS_ADMIN to containers by default,
but these calls should not be available, even then.
|
|
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.
|
|
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
|
|
|
|
|
|
Follow-up for #3502.
|
|
Add RELEASE.md
|
|
Enhance test-process-util to take the PID to look at
|
|
Not every link has kind associated with it.
(gdb) r
Starting program: /home/sus/tt/systemd/systemd-networkd
Missing separate debuginfos, use: dnf debuginfo-install
glibc-2.23.1-7.fc24.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
vboxnet0: Gained IPv6LL
wlp3s0: Gained IPv6LL
enp0s25: Gained IPv6LL
Enumeration completed
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6e27ade in __strcmp_sse2_unaligned () from /lib64/libc.so.6
(gdb) bt
src/network/networkd-link.c:2008
src/network/networkd-link.c:2059
src/network/networkd-link.c:2442
m=0x555555704a30, userdata=0x55555570bfe0) at src/network/networkd-link.c:2497
at src/libsystemd/sd-netlink/sd-netlink.c:347
src/libsystemd/sd-netlink/sd-netlink.c:402
src/libsystemd/sd-netlink/sd-netlink.c:432
userdata=0x5555556f7470) at src/libsystemd/sd-netlink/sd-netlink.c:739
src/libsystemd/sd-event/sd-event.c:2275
src/libsystemd/sd-event/sd-event.c:2626
timeout=18446744073709551615) at src/libsystemd/sd-event/sd-event.c:2685
bus=0x5555556f9af0, name=0x555555692315 "org.freedesktop.network1",
timeout=30000000,
check_idle=0x55555556ac84 <manager_check_idle>, userdata=0x5555556f6b20) at
src/shared/bus-util.c:134
src/network/networkd-manager.c:1128
src/network/networkd.c:127
(gdb) f 1
src/network/networkd-link.c:2008
2008 if (link->network->bridge || streq("bridge", link->kind)) {
(gdb) p link->kind
$1 = 0x0
|
|
safe_atou32 (#3522)
|
|
Move the merger of environment variables before setting up the PAM
session and pass the aggregate environment to PAM setup. This allows
control over the PAM session hooks through environment variables.
PAM session initiation may update the environment. On successful
initiation of a PAM session, we adopt the environment of the
PAM context.
|
|
... as well as halt/poweroff/kexec/suspend/hibernate/hybrid-sleep.
Running those commands will fail in user mode, but we try to set the wall
message first, which might even succeed for privileged users. Best to nip
the whole sequence in the bud.
https://github.com/systemd/systemd/pull/3453#issuecomment-225455156
|
|
I put it in .github, so it doesn't stand out too much; after all
it's not interesting to most people.
|
|
|
|
GitHub displays this file poorly, because it preserves the newlines.
Let's try how things look without any wrapping.
|
|
Our functions that query /proc/pid/ support using pid==0 to mean
self. get_process_id also seemed to support that, but it was not implemented
correctly: the result should be in *uid, not returned, and also it gave
completely bogus result when called from get_process_gid(). But afaict,
get_process_{uid,gid} were never called with pid==0, so it's not an actual
bug. Remove the broken code to avoid confusion.
|
|
This makes it easy to test the query code on "ssh localhost"
and similar.
|
|
This fixes a bunch of copy&paste errors in the output.
|
|
If max_length is equal or greater than cmdline length all trailing non-printable
characters are dropped. If max_length is 0 it should do the same.
This should also fix cmdline truncation if the last character is not '\0'.
Fixes #3469.
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=96225
and specifically the tech specs here:
http://support.logitech.com/en_us/product/corded-mouse-m500
|
|
resolved: allow clients request cache flushes
|
|
Fixes #3353.
|
|
use config_parse_vlanid to parse vlan for BridgeFDB entries
|
|
cleanup minor nitpicks mentioned in #3428
|
|
|
|
This adds (undocumented) environment variables SYSTEMD_KBD_MODEL_MAP
and SYSTEMD_LANGUAGE_FALLBACK_MAP, which, if set, override compiled-in
locations of those two files.
Instead of skipping tests when the maps are not installed, just use
the one from the source dir. We still cannot do the mappings the other
way if /usr/lib/kbd/keymaps is not present, so truncate the tests in
that case.
Also tweak the debug messages a bit to make it easier to see
which function is failing.
|
|
Let's hook up the ACPI database we maintain from the upstream UEFI sources.
This adds a tool to convert the database provided upstream to our native
format, similar to how this is handled for the PCI and USB databases.
Note that the upstream web site claims to offer an XLS download, but the actual
data made available is an HTML file in reality, just one with the ".xls"
suffix...
The data provided from the UEFI folks is not very high quality nor complete,
hence apply a patch after the conversion step that fixes up a few things and
adds in more entries from various sources. For example, the EDID ids maintained
by GNOME and other sources have been added too, as they all appear to use the
same ID namespace.
This also adds explicit support for 4 character ACPI ids, in addition to the
normal 3 character PNP ids.
Also fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=90524
|
|
Previously, we checked only for the various SetLinkXYZ() calls on the Manager
object exposed on the bus if the specified interface is managed/unmanaged by
networkd (as we don't permit overriding DNS configuration via bus calls if
networkd owns the device), but the equivalent SetXYZ() calls on the Link object
did not have such a check. Fix that by moving the appropriate check into the
latter, as the former just calls that anyway.
|
|
And expose it in "resolve-tool --flush-caches".
|
|
|
|
|
|
yet (#3499)
Corrects: 1b566071
Also see: https://github.com/systemd/systemd/pull/3478#issuecomment-225008542
|
|
|
|
Reloading or reexecuting PID 1 means the unit generators are rerun, which are
timed out at 90s. Make sure the method call asking for the reload is timed out
at twice that, so that the generators have 90s and the reload operation has 90s
too.
This reworks the daemon_reload() call in systemctl, and makes it exclusively
about reloading/reexecing. Previously it was used for other trivial method
calls too, which didn't really help readability. As the code paths are now
sufficiently different, split out the old code into a new function
trivial_method().
This call also does a similar change as
c8ad4efb277c3235d58789170af11bb3c847d655 but for the reload/reexec operation.
Fixes: #3353
|
|
For legacy commands such as /sbin/halt or /sbin/poweroff we support legacy
fallbacks that talk via traditional SysV way with PID 1 to issue the desired
operation. We do this on any kind of error if the primary method of operation
fails. When this is the case we suppress any error message that is normally
generated, in order to not confuse the user. When suppressing this log message,
don't suppress the original error code, because there's really no reason to.
|
|
|
|
|
|
This patch implements the new magic character '!'. By putting '!' in front
of a command, systemd executes it with full privileges ignoring paramters
such as User, Group, SupplementaryGroups, CapabilityBoundingSet,
AmbientCapabilities, SecureBits, SystemCallFilter, SELinuxContext,
AppArmorProfile, SmackProcessLabel, and RestrictAddressFamilies.
Fixes partially https://github.com/systemd/systemd/issues/3414
Related to https://github.com/coreos/rkt/issues/2482
Testing:
1. Create a user 'bob'
2. Create the unit file /etc/systemd/system/exec-perm.service
(You can use the example below)
3. sudo systemctl start ext-perm.service
4. Verify that the commands starting with '!' were not executed as bob,
4.1 Looking to the output of ls -l /tmp/exec-perm
4.2 Each file contains the result of the id command.
`````````````````````````````````````````````````````````````````
[Unit]
Description=ext-perm
[Service]
Type=oneshot
TimeoutStartSec=0
User=bob
ExecStartPre=!/usr/bin/sh -c "/usr/bin/rm /tmp/exec-perm*" ;
/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-pre"
ExecStart=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start" ;
!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-star-2"
ExecStartPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-post"
ExecReload=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-reload"
ExecStop=!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop"
ExecStopPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop-post"
[Install]
WantedBy=multi-user.target]
`````````````````````````````````````````````````````````````````
|
|
Since the introduction of the whitelist in 60-persistent-storage.rules
block device symlinks are no longer created for scm block devices.
Add scm to the whitelist.
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
|