summaryrefslogtreecommitdiff
path: root/man
AgeCommit message (Collapse)Author
2014-02-17doc: detail what "UID" isJan Engelhardt
2014-02-17doc: quote consistently in autoconf codeJan Engelhardt
AS_HELP_STRING has been observed to expand such that the surround function complains; play it safe and consistenly quote the example code throughout.
2014-02-17man: fix a typoAnsgar Burchardt
2014-02-17Revert "man: systemd.service(5): clarify behavior of SuccessExitStatus"Lennart Poettering
This reverts commit 29e254f7f093c07a1ec7e845e60203357f585235. Conflicts: man/systemd.service.xml
2014-02-17Some modernizationsZbigniew Jędrzejewski-Szmek
2014-02-16nspawn: add new --network-bridge= switchTom Gundersen
This adds the host side of the veth link to the given bridge. Also refactor the creation of the veth interfaces a bit to set it up from the host rather than the container. This simplifies the addition to the bridge, but otherwise the behavior is unchanged.
2014-02-14man: use spaces instead of tabsJason St. John
Several sections of the man pages included intermixed tabs and spaces; this commit replaces all tabs with spaces.
2014-02-14man: replace STDOUT with standard output, etc.Zbigniew Jędrzejewski-Szmek
Actually 'STDOUT' is something that doesn't appear anywhere: in the stdlib we have 'stdin', and there's only the constant STDOUT_FILENO, so there's no reason to use capitals. When refering to code, STDOUT/STDOUT/STDERR are replaced with stdin/stdout/stderr, and in other places they are replaced with normal phrases like standard output, etc.
2014-02-14man: fix grammatical errors and other formatting issuesJason St. John
* standardize capitalization of STDIN, STDOUT, and STDERR * reword some sentences for clarity * reflow some very long lines to be shorter than ~80 characters * add some missing <literal>, <constant>, <varname>, <option>, and <filename> tags
2014-02-14man: always place <programlisting> and </programlisting> in a line with ↵Lennart Poettering
actual sources, so that we don't get spurious newlines in the man page output
2014-02-14man: systemd.service(5): clarify behavior of SuccessExitStatusDave Reisner
The behavior of this is a little cryptic in that $MAINPID must exit as a direct result of receiving a signal in order for a listed signal to be considered a success condition.
2014-02-13nspawn: add new --network-veth switch to add a virtual ethernet link to the hostLennart Poettering
2014-02-13nspawn: --private-network should imply CAP_NET_ADMINLennart Poettering
2014-02-13nspawn: add new --network-interface= switch to move an existing interface ↵Lennart Poettering
into the container
2014-02-13nspawn: introduce --capability=all for retaining all capabilitiesLennart Poettering
2014-02-13core: add a system-wide SystemCallArchitectures= settingLennart Poettering
This is useful to prohibit execution of non-native processes on systems, for example 32bit binaries on 64bit systems, this lowering the attack service on incorrect syscall and ioctl 32→64bit mappings.
2014-02-13core: add SystemCallArchitectures= unit setting to allow disabling of non-nativeLennart Poettering
architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-12core: rework syscall filterLennart Poettering
- Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12syscallfilter: port to libseccompRonny Chevalier
2014-02-12man: use xinclude to de-deduplicate common textZbigniew Jędrzejewski-Szmek
I only tested with python-lxml. I'm not sure if xml.etree should be deprecated.
2014-02-12pager: support SYSTEMD_LESS environment variableJason A. Donenfeld
This allows customization of the arguments used by less. The main motivation is that some folks might not like having --no-init on every invocation of less.
2014-02-12nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use ↵Lennart Poettering
of this
2014-02-12machinectl: add new "machinectl reboot" callLennart Poettering
2014-02-11machined: optionally, allow registration of pre-existing units (scopesLennart Poettering
or services) as machine with machined
2014-02-11nspawn: add --register=yes|no switch to optionally disable registration of ↵Lennart Poettering
the container with machined
2014-02-10networkd: VLAN - allow multiple vlans to be created on a linkTom Gundersen
Also limit the range of vlan ids. Other implementations and documentation use the ranges {0,1}-{4094,4095}, but we use the one accepted by the kernel: 0-4094. Reported-by: Oleksii Shevchuk <alxchk@gmail.com>
2014-02-10nspawn: add new --share-system switch to run a container without PID/UTS/IPC ↵Lennart Poettering
namespacing
2014-02-10nspawn,man: use a common vocabulary when referring to selinux security contextsLennart Poettering
Let's always call the security labels the same way: SMACK: "Smack Label" SELINUX: "SELinux Security Context" And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
2014-02-10exec: Add support for ignoring errors on SELinuxContext by prefixing it with ↵Michael Scherer
-, like for others settings. Also remove call to security_check_context, as this doesn't serve anything, since setexeccon will fail anyway.
2014-02-10exec: Add SELinuxContext configuration itemMichael Scherer
This permit to let system administrators decide of the domain of a service. This can be used with templated units to have each service in a différent domain ( for example, a per customer database, using MLS or anything ), or can be used to force a non selinux enabled system (jvm, erlang, etc) to start in a different domain for each service.
2014-02-09man: fix another reference in systemd-inhibit(1)Zbigniew Jędrzejewski-Szmek
http://bugs.debian.org/738316
2014-02-09man: fix reference in systemd-inhibit(1)Zbigniew Jędrzejewski-Szmek
http://bugs.debian.org/738316
2014-02-07nspawn: rename --file-label to --apifs-label since it's really just about ↵Lennart Poettering
the API file systems, nothing else
2014-02-07networkd: netdev - rename Netdev to NetDevTom Gundersen
Both in the configuration file format and everywhere else in the code.
2014-02-07man: cryptsetup-1.6.3 now allows partition device file in system modeJan Janssen
2014-02-06nspawn: add --quiet switch for turning off any output noiseLennart Poettering
2014-02-05man: introduce new "Desktop" property for sessionsLennart Poettering
This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME to recognize its own sessions. It's supposed to be set to a short string identifying the session, such as "kde" or "gnome".
2014-02-05logind: make session type and class settable via the same waysLennart Poettering
If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-04nspawn: various fixes in selinux hookupLennart Poettering
- As suggested, prefix argument variables with "arg_" how we do this usually. - As suggested, don't involve memory allocations when storing command line arguments. - Break --help text at 80 chars - man: explain that this is about SELinux - don't do unnecessary memory allocations when putting together mount option string
2014-02-04Add SELinux support to systemd-nspawnDan Walsh
This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30networkd: dhcpv4 - add notion of 'CriticalConnection'Tom Gundersen
These connections are never torn down, even when the DHCP specifications say that they should be. This is useful/necessary when the rootfs (or another critical fs) is mounted over this network connection, and dataloss would result if the connection is lost. This option defaults to off, but our initrd generator (TBD) will enable it when applicable.
2014-01-29core: introduce new KillMode=mixed which sends SIGTERM only to the main ↵Lennart Poettering
process, but SIGKILL to all daemon processes This should fix some race with terminating systemd --user, where the system systemd instance might race against the user systemd instance when sending SIGTERM.
2014-01-28man: remove erroneous history sectionZbigniew Jędrzejewski-Szmek
2014-01-27manager: add systemd.show_status=auto modeZbigniew Jędrzejewski-Szmek
When set to auto, status will shown when the first ephemeral message is shown (a job has been running for five seconds). Then until the boot or shutdown ends, status messages will be shown. No indication about the switch is done: I think it should be clear for the user that first the cylon eye and the ephemeral messages appear, and afterwards messages are displayed. The initial arming of the event source was still wrong, but now should really be fixed.
2014-01-27journal: guarantee async-signal-safety in sd_journald_sendvZbigniew Jędrzejewski-Szmek
signal(7) provides a list of functions which may be called from a signal handler. Other functions, which only call those functions and don't access global memory and are reentrant are also safe. sd_j_sendv was mostly OK, but would call mkostemp and writev in a fallback path, which are unsafe. Being able to call sd_j_sendv in a async-signal-safe way is important because it allows it be used in signal handlers. Safety is achieved by replacing mkostemp with open(O_TMPFILE) and an open-coded writev replacement which uses write. Unfortunately, O_TMPFILE is only available on kernels >= 3.11. When O_TMPFILE is unavailable, an open-coded mkostemp is used. https://bugzilla.gnome.org/show_bug.cgi?id=722889
2014-01-26cryptsetup: Support key-slot optionChristian Seiler
Debian recently introduced the option key-slot to /etc/crypttab to specify the LUKS key slot to be used for decrypting the device. On systems where a keyfile is used and the key is not in the first slot, this can speed up the boot process quite a bit, since cryptsetup does not need to try all of the slots sequentially. (Unsuccessfully testing a key slot typically takes up to about 1 second.) This patch makes systemd aware of this option. Debian bug that introduced the feature: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704470
2014-01-25networkd: add basic VLAN supportTom Gundersen
2014-01-22networkd: add basic bonding supportTom Gundersen
Refactor bridging support to be generic netdev support and extend it to cover bonding as well.
2014-01-22man: document message timestamping/sequence number APILennart Poettering
2014-01-20exec: introduce PrivateDevices= switch to provide services with a private /devLennart Poettering
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.