summaryrefslogtreecommitdiff
path: root/man
AgeCommit message (Collapse)Author
2016-11-01seccomp: allow specifying arm64, mips, ppc (#4491)Zbigniew Jędrzejewski-Szmek
"Secondary arch" table for mips is entirely speculative…
2016-10-31man: fix typos (#4527)Jakub Wilk
2016-10-30Implement VeraCrypt volume handling in crypttab (#4501)George Hilliard
This introduces a new option, `tcrypt-veracrypt`, that sets the corresponding VeraCrypt flag in the flags passed to cryptsetup.
2016-10-30man: make systemd-escape examples more consistentLucas Werkmeister
The first example wasn't phrased with "To ..." as the other three are, and the last example was lacking the colon.
2016-10-30man: add missing periodLucas Werkmeister
2016-10-30man: improve systemd-escape --path descriptionLucas Werkmeister
The option does more than the documentation gave it credit for.
2016-10-28Merge pull request #4495 from topimiettinen/block-shmat-execDjalal Harouni
seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
2016-10-28Merge pull request #4458 from keszybz/man-nonewprivilegesMartin Pitt
Document NoNewPrivileges default value
2016-10-28udev: allow substitutions for SECLABEL key (#4505)Michal Sekletar
2016-10-27Merge pull request #4442 from keszybz/detect-virt-usernsEvgeny Vereshchagin
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
2016-10-26detect-virt: add --private-users switch to check if a userns is activeZbigniew Jędrzejewski-Szmek
Various things don't work when we're running in a user namespace, but it's pretty hard to reliably detect if that is true. A function is added which looks at /proc/self/uid_map and returns false if the default "0 0 UINT32_MAX" is found, and true if it finds anything else. This misses the case where an 1:1 mapping with the full range was used, but I don't know how to distinguish this case. 'systemd-detect-virt --private-users' is very similar to 'systemd-detect-virt --chroot', but we check for a user namespace instead.
2016-10-26vconsole: manual update (#4021)Michal Soltys
To more correctly reflect current behaviour as well as to provide a few more details.
2016-10-26seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecuteTopi Miettinen
shmat(..., SHM_EXEC) can be used to create writable and executable memory, so let's block it when MemoryDenyWriteExecute is set.
2016-10-25man: document that systemctl cat shows file content (#4488)Lucas Werkmeister
... and that that content might be outdated.
2016-10-25Merge pull request #4474 from poettering/nsswitchMartin Pitt
various nss module/resolved fixes
2016-10-24man: document the default value of NoNewPrivileges=Zbigniew Jędrzejewski-Szmek
Fixes #4329.
2016-10-25man: Fix event source priority enum names in synopsis (#4478)Martin Ejdestig
2016-10-24man: sync up the suggested nsswitch.conf configuration for our four NSS modulesLennart Poettering
This unifies the suggested nsswitch.conf configuration for our four NSS modules to this: hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname Note that this restores "myhostname" to the suggested configuration of nss-resolve for the time being, undoing 4484e1792b64b01614f04b7bde97bf019f601bf9. "myhostname" should probably be dropped eventually, but when we do this we should do it in full, and not only drop it from the suggested nsswitch.conf for one of the modules, but also drop it in source and stop referring to it altogether. Note that nss-resolve doesn't replace nss-myhostname in full: the former only works if D-Bus/resolved is available for resolving the local hostname, the latter works in all cases even if D-Bus or resolved are not in operation, hence there's some value in keeping the line as it is right now. Note that neither dns nor myhostname are considered at all with the above configuration unless the resolve module actually returns UNAVAIL. Thus, even though handling of local hostname resolving is implemented twice this way it is only executed once for each lookup.
2016-10-24Merge pull request #4459 from keszybz/commandline-parsingLennart Poettering
Commandline parsing simplification and udev fix
2016-10-24shared, systemctl: teach is-enabled to show installation targetsJan Synacek
It may be desired by users to know what targets a particular service is installed into. Improve user friendliness by teaching the is-enabled command to show such information when used with --full. This patch makes use of the newly added UnitFileFlags and adds UNIT_FILE_DRY_RUN flag into it. Since the API had already been modified, it's now easy to add the new dry-run feature for other commands as well. As a next step, --dry-run could be added to systemctl, which in turn might pave the way for a long requested dry-run feature when running systemctl start.
2016-10-22Merge pull request #4428 from lnykryn/ctrl_v2Zbigniew Jędrzejewski-Szmek
rename failure-action to emergency-action and use it for ctrl+alt+del burst
2016-10-22journald: convert journald to use parse_proc_cmdlineZbigniew Jędrzejewski-Szmek
This makes journald use the common option parsing functionality. One behavioural change is implemented: "systemd.journald.forward_to_syslog" is now equivalent to "systemd.journald.forward_to_syslog=1". I think it's nicer to use this way.
2016-10-21journald: systemd.journald.max_level_* kernel command line options (#4427)Umut Tezduyar Lindskog
The log forward levels can be configured through kernel command line.
2016-10-21core: use emergency_action for ctr+alt+del burstLukas Nykryn
Fixes #4306
2016-10-20man: document default for User=Lennart Poettering
Replaces: #4375
2016-10-20man: one more cgroup wording fixLennart Poettering
2016-10-20Merge pull request #4417 from keszybz/man-and-rlimitLennart Poettering
Two unrelated patches: man page tweaks and rlimit log levels
2016-10-19man: document dependencies implied by Sockets= (#4412)Lucas Werkmeister
Fixes #4410. Also includes two minor improvements to the previous sentence.
2016-10-19Merge pull request #4390 from keszybz/install-specifiersLennart Poettering
Various install-related tweaks
2016-10-17core/exec: add a named-descriptor option ("fd") for streams (#4179)Luca Bruno
This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-17man: add a note that NULL "s" arg for sd_bus_message_appendZbigniew Jędrzejewski-Szmek
2016-10-17man: avoid abbreviated "cgroups" terminology (#4396)Lennart Poettering
Let's avoid the overly abbreviated "cgroups" terminology. Let's instead write: "Linux Control Groups (cgroups)" is the long form wherever the term is introduced in prose. Use "control groups" in the short form wherever the term is used within brief explanations. Follow-up to: #4381
2016-10-17man: mention that systemctl --root=/ operates on the fs directlyZbigniew Jędrzejewski-Szmek
2016-10-17Merge pull request #4381 from keszybz/man-pagesMartin Pitt
2016-10-16man: document sd_event_get_tid() return value (#4385)Martin Ejdestig
2016-10-15man: drop discouragment of runtime and vendor drop-insZbigniew Jędrzejewski-Szmek
In certain situations drop-ins in /usr/lib/ are useful, for example when one package wants to modify the behaviour of another package, or the vendor wants to tweak some upstream unit without patching. Drop-ins in /run are useful for testing, and may also be created by systemd itself. Follow-up for the discussion in #2103.
2016-10-15man: add journal-upload.conf(5)Zbigniew Jędrzejewski-Szmek
Fixes #3370.
2016-10-15man: add notes about thread safety of sd_journal_* functionsZbigniew Jędrzejewski-Szmek
Fixes #4056.
2016-10-15man: add crosslink between systemd.resource-control(5) and systemd.exec(5)Zbigniew Jędrzejewski-Szmek
Fixes #4379.
2016-10-14core: make settings for unified cgroup hierarchy supersede the ones for ↵Tejun Heo
legacy hierarchy (#4269) There are overlapping control group resource settings for the unified and legacy hierarchies. To help transition, the settings are translated back and forth. When both versions of a given setting are present, the one matching the cgroup hierarchy type in use is used. Unfortunately, this is more confusing to use and document than necessary because there is no clear static precedence. Update the translation logic so that the settings for the unified hierarchy are always preferred. systemd.resource-control man page is updated to reflect the change and reorganized so that the deprecated settings are at the end in its own section.
2016-10-13Merge pull request #4243 from ↵Lennart Poettering
endocode/djalal/sandbox-first-protection-kernelmodules-v1 core:sandbox: Add ProtectKernelModules= and some fixes
2016-10-12man: typo fixesThomas Hindoe Paaboel Andersen
A mix of fixes for typos and UK english
2016-10-12core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=Djalal Harouni
Lets go further and make /lib/modules/ inaccessible for services that do not have business with modules, this is a minor improvment but it may help on setups with custom modules and they are limited... in regard of kernel auto-load feature. This change introduce NameSpaceInfo struct which we may embed later inside ExecContext but for now lets just reduce the argument number to setup_namespace() and merge ProtectKernelModules feature.
2016-10-12doc: minor hint about InaccessiblePaths= in regard of ProtectKernelTunables=Djalal Harouni
2016-10-12core:sandbox: remove CAP_SYS_RAWIO on PrivateDevices=yesDjalal Harouni
The rawio system calls were filtered, but CAP_SYS_RAWIO allows to access raw data through /proc, ioctl and some other exotic system calls...
2016-10-12core:sandbox: Add ProtectKernelModules= optionDjalal Harouni
This is useful to turn off explicit module load and unload operations on modular kernels. This option removes CAP_SYS_MODULE from the capability bounding set for the unit, and installs a system call filter to block module system calls. This option will not prevent the kernel from loading modules using the module auto-load feature which is a system wide operation.
2016-10-11Merge pull request #4348 from poettering/docfixesZbigniew Jędrzejewski-Szmek
Various smaller documentation fixes.
2016-10-11Merge pull request #4067 from poettering/invocation-idZbigniew Jędrzejewski-Szmek
Add an "invocation ID" concept to the service manager
2016-10-11man: beef up documentation on per-unit resource limits a bitLennart Poettering
Let's clarify that for user services some OS-defined limits bound the settings in the unit files. Fixes: #4232
2016-10-11man: document that Type=idle is subject to a 5s time-outLennart Poettering
Fixes: #4116