path: root/man
Age | Commit message | Author
2017-02-07 | dissect: try to read roothash value off user.verity.roothash xattr of image file | Lennart Poettering
This slightly extends the roothash loading logic to first check for a user.verity.roothash extended attribute on the image file. If it exists, it is used as Verity root hash and the ".roothash" file is not used. This should improve the chance that the roothash is retained when the file is moved around, as the data snippet is attached directly to the image file. The field is still detached from the file payload however, in order to make sure it may be trusted independently. This does not replace the ".roothash" file loading, it simply adds a second way to retrieve the data. Extended attributes are often a poor choice for storing metadata like this as it is usually difficult to discover for admins and users, and hard to fix if it ever gets out of sync. However, in this case I think it's safe as verity implies read-only access, and thus there's little chance of it to get out of sync.
2017-02-07 | core: add RootImage= setting for using a specific image file as root directory for a service | Lennart Poettering
This is similar to RootDirectory= but mounts the root file system from a block device or loopback file instead of another directory. This reuses the image dissector code now used by nspawn and gpt-auto-discovery.
2017-02-07 | core: add a per-unit setting MountAPIVFS= for mounting /dev, /proc, /sys in conjunction with RootDirectory= | Lennart Poettering
This adds a boolean unit file setting MountAPIVFS=. If set, the three main API VFS mounts will be mounted for the service. This only has an effect on RootDirectory=, which it makes a ton times more useful. (This is basically the /dev + /proc + /sys mounting code posted in the original #4727, but rebased on current git, and with the automatic logic replaced by explicit logic controlled by a unit file setting)
2017-02-07 | Merge pull request #5225 from poettering/seccomp-socket | Evgeny Vereshchagin
make RestrictAddressFamilies= officially a NOP on i386
2017-02-06 | notify: document that we fake the PID when sending sd_notify() | Lennart Poettering
2017-02-06 | man: document that sd_notify() is racy in some cases | Lennart Poettering
2017-02-06 | man: Document that RestrictAddressFamilies= doesn't work on s390/s390x/... | Lennart Poettering
We already say that it doesn't work on i386, but there are more archs like that apparently.
2017-02-05 | Merge pull request #5223 from keszybz/root-workdir | Martin Pitt
Fix WorkDir=~ with empty User=
2017-02-05 | build-sys,man: describe systemd-umount and hook it up to installation (#5227) | Zbigniew Jędrzejewski-Szmek
2017-02-03 | man: clarify interface for suspend/resume integration (#5220) | Martin Pitt
Fixes #4916.
2017-02-03 | core/execute: set HOME, USER also for root users | Zbigniew Jędrzejewski-Szmek
This changes the environment for services running as root from:

    LANG=C.utf8
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    INVOCATION_ID=ffbdec203c69499a9b83199333e31555
    JOURNAL_STREAM=8:1614518

to

    LANG=C.utf8
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    HOME=/root
    LOGNAME=root
    USER=root
    SHELL=/bin/sh
    INVOCATION_ID=15a077963d7b4ca0b82c91dc6519f87c
    JOURNAL_STREAM=8:1616718

Making the environment special for the root user complicates things unnecessarily. This change simplifies both our logic (by making the setting of the variables unconditional), and should also simplify the logic in services (particularly scripts). Fixes #5124.
2017-02-02 | Merge pull request #5202 from keszybz/cgls-units | Lennart Poettering
systemd-cgls --unit --user-unit
2017-02-01 | cgls: add --user-unit to show user units | Zbigniew Jędrzejewski-Szmek
2017-02-01 | cgls: add --unit to show units | Zbigniew Jędrzejewski-Szmek

    $ systemd-cgls -u systemd-journald.service machine.slice

I opted for a "global" switch, instead of modifying the behaviour of just one argument. It seems to be a more useful setting, since usually one will want to query one or more units, and not mix unit names with paths. Closes #5156.
2017-02-02 | man: fix spelling error parth -> path | Brandon Philips
2017-02-02 | systemctl: restore --failed (#5198) | Zbigniew Jędrzejewski-Szmek
'systemctl --failed' is an extremely common operation and it's nice to have a shortcut for it. Revert "man: don't document systemctl --failed" and add the option back to systemctl's help and shell completion scripts. This reverts commit 036359ba8d0aba7db7eac75d10073a849a033fd1.
2017-01-31 | man: mention ConditionFirstBoot= in systemd-firstboot(1) (#5186) | Zbigniew Jędrzejewski-Szmek
2017-01-20 | man: fix flag in systemd-run (#5107) | Rike-Benjamin Schuppner
2017-01-19 | man: fix typos (#5109) | Jakub Wilk
2017-01-17 | Merge pull request #4991 from poettering/seccomp-fix | Zbigniew Jędrzejewski-Szmek
2017-01-17 | man: fix typo (#5093) | AsciiWolf
2017-01-14 | Merge pull request #4879 from poettering/systemd | Zbigniew Jędrzejewski-Szmek
2017-01-14 | man: provide a basic guide to the `systemctl status` output (#4950) | Mark Stosberg
- Show example of all `systemctl status` output and documents what possible "Loaded:", "Active" and "Enabled" values mean.
- Documents what different colors of the dot mean.
- Documents "gotcha" with load-on-demand behavior which will report units as "loaded" even if they are only loaded to show their status. (From @poettering: https://github.com/systemd/systemd/issues/5063#issuecomment-272115024 )
2017-01-12 | Merge pull request #5069 from keszybz/fixlets | Lennart Poettering
Small fixes and enhancements to docs and code
2017-01-11 | man: link to sd-j-{remote,upload} from journalctl(1) | Zbigniew Jędrzejewski-Szmek
2017-01-11 | Merge pull request #5009 from ian-kelling/ian-mnt-namespace-doc | Zbigniew Jędrzejewski-Szmek
2017-01-11 | Document how restart actions work (#5052) | micah
When a user is trying to understand what is going on with a restart action, it is useful to explicitly describe how the action is run. It may seem obvious, but it is helpful to be explicit so one knows there isn't a special ExecRestart= or similar option that they could be looking at.
2017-01-11 | man: add more links to systemd-ask-password and systemd-tty-ask-password-agent | Zbigniew Jędrzejewski-Szmek
Loosely inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1411134.
2017-01-11 | Merge pull request #5046 from stefanha/vsock | Lennart Poettering
Add AF_VSOCK socket activation support
2017-01-10 | core: add AF_VSOCK support to socket units | Stefan Hajnoczi
Accept AF_VSOCK listen addresses in socket unit files. Both guest and host can now take advantage of socket activation. The QEMU guest agent has recently been modified to support socket activation and can run over AF_VSOCK with this patch.
2017-01-10 | socket-proxyd: fix --connections-max help message and docs (#5044) | (GalaxyMaster)
2017-01-03 | doc: MountFlags= don't reference container which may not exist (#5011) | Ian Kelling
2017-01-03 | doc: correct "or" to "and" in MountFlags= description (#5010) | Ian Kelling
2017-01-03 | man: document mount deletion between commands | Ian Kelling
2016-12-29 | Merge pull request #4994 from poettering/private-tmp-tmpfiles | Martin Pitt
automatically clean up PrivateTmp= left-overs in /var/tmp on next boot
2016-12-29 | man: add brief documentation for the (sd-pam) processes created due to PAMName= (#4967) | Lennart Poettering
A follow-up for #4942, adding a brief but more correct explanation of the processes.
2016-12-27 | core: implicitly order units with PrivateTmp= after systemd-tmpfiles-setup.service | Lennart Poettering
Preparation for fixing #4401.
2016-12-27 | man: document that "systemd-run -M" propagates exit codes, and "machinectl shell" does not | Lennart Poettering
This adds a brief explanation, suggesting the use of "systemd-run -M" to acquire exit status/code information for the invoked process. My original plan was to propagate the exit code/status in "machinectl shell" too, but this would mean we'd have to actively watch the shell's runtime status, and thus would need full, highly privileged and continuous access to the container's system manager, the way "systemd-run" does it. This would be quite a departure from the simplistic, low-privileged OpenShell() bus call implementation of the current code, that really just acquires a PTY device with a shell connected. Moreover it would blur the lines between the two commands even further, which I think is not desirable. Hence, from now on:

    "machinectl shell" is the full-session, interactive shell for human users
    "systemd-run -M …" is the low-level tool, that supports non-interactive mode, and is more configurable and suitable for streaming.

Fixes: #4215
2016-12-27 | seccomp: add two new filter sets: @reboot and @swap | Lennart Poettering
These group reboot()/kexec() and swapon()/swapoff() respectively
2016-12-25 | man: minor improvements (#4981) | Lucas Werkmeister
2016-12-24 | man: Align ExecStop= documentation with actual kill behavior (#4974) | Felipe Sateler
The manpage claimed that ExecStop would be followed immediately by SIGKILL, whereas the actual behavior is to go through KillMode= and KillSignal= first. Fixes #4490
2016-12-23 | networkd: Add example to create MACVTAP and attach it to a link (#4946) | Susant Sahani
Fixes: #4914
2016-12-22 | networkd: Rename ProxyARP to IPv4ProxyARP (#4947) | Susant Sahani
Rename the arp proxy option to IPv4ProxyARP= in order to clarify its relationship to IPv4, and map to the various IPv6 options we have. Fixes: #4768
2016-12-22 | resolved: correctly handle non-address RR types with /etc/hosts lookups (#4808) | Martin Pitt
Fix wrong condition test in manager_etc_hosts_lookup(), which caused it to return an IPv4 answer when an IPv6 question was asked, and vice versa. Also only return success if we actually found any A or AAAA record. In systemd-resolved.service(8), point out that /etc/hosts mappings only affect address-type lookups, not other types. The test case currently disables DNSSEC in resolved, as there is a bug where "-t MX" fails due to "DNSSEC validation failed" even after "downgrading to non-DNSSEC mode". This should be dropped once that bug gets fixed. Fixes #4801
2016-12-21 | networkd: bond support primary slave and active slave (#4873) | Susant Sahani
active_slave: Specifies the new active slave for modes that support it (active-backup, balance-alb and balance-tlb).
primary slave: systemd-networks currently lacks the capability to set the primary slave in an active-backup bonding. This is necessary if you prefer one interface over the other. A common example is an eth0-wlan0 bonding on a laptop where you'd want to switch to the wired connection whenever it's available.
Fixes: #2837
2016-12-21 | man: document that services need at least one of ExecStart= or ExecStop= | Lennart Poettering
Fixes: #4521
2016-12-21 | man: improve ShowStatus=/systemd.show_status=/--show-status= documentation | Lennart Poettering
Fixes: #4928
2016-12-21 | man: drop superfluous 'this' in man page | Lennart Poettering
2016-12-21 | verity: add support for setting up verity-protected root disks in the initrd | Lennart Poettering
This adds a generator and a small service that will look for "roothash=" on the kernel command line and use it for setting up a verity partition for the root device. This provides similar functionality to nspawn's existing --roothash= switch.
2016-12-21 | fstab-generator: add support for volatile boots | Lennart Poettering
This adds support for a new kernel command line option "systemd.volatile=" that provides the same functionality that systemd-nspawn's --volatile= switch provides, but for host systems (i.e. systems booting with a kernel). It takes the same parameter and has the same effect. In order to implement systemd.volatile=yes a new service systemd-volatile-root.service is introduced that only runs in the initrd and rearranges the root directory as needed to become a tmpfs instance. Note that systemd.volatile=state is implemented differently: it simply generates a var.mount unit file that is part of the normal boot and has no effect on the initrd execution. The way this is implemented ensures that other explicit configuration for /var can always override the effect of these options. Specifically, the var.mount unit is generated in the "late" generator directory, so that it only is in effect if nothing else overrides it.