Age | Commit message (Collapse) | Author |
|
or services) as machine with machined
|
|
the container with machined
|
|
Also limit the range of vlan ids. Other implementations and
documentation use the ranges {0,1}-{4094,4095}, but we use
the one accepted by the kernel: 0-4094.
Reported-by: Oleksii Shevchuk <alxchk@gmail.com>
|
|
namespacing
|
|
Let's always call the security labels the same way:
SMACK: "Smack Label"
SELINUX: "SELinux Security Context"
And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
|
|
-, like for others settings.
Also remove call to security_check_context, as this doesn't serve anything, since
setexeccon will fail anyway.
|
|
This permit to let system administrators decide of the domain of a service.
This can be used with templated units to have each service in a différent
domain ( for example, a per customer database, using MLS or anything ),
or can be used to force a non selinux enabled system (jvm, erlang, etc)
to start in a different domain for each service.
|
|
http://bugs.debian.org/738316
|
|
http://bugs.debian.org/738316
|
|
the API file systems, nothing else
|
|
Both in the configuration file format and everywhere else in the code.
|
|
|
|
|
|
This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME
to recognize its own sessions. It's supposed to be set to a short string
identifying the session, such as "kde" or "gnome".
|
|
If the session type/class is set via environment variables, use that,
and otherwise fallback to something that is set via the PAM module
command line.
|
|
- As suggested, prefix argument variables with "arg_" how we do this
usually.
- As suggested, don't involve memory allocations when storing command
line arguments.
- Break --help text at 80 chars
- man: explain that this is about SELinux
- don't do unnecessary memory allocations when putting together mount
option string
|
|
This patch adds to new options:
-Z PROCESS_LABEL
This specifies the process label to run on processes run within the container.
-L FILE_LABEL
The file label to assign to memory file systems created within the container.
For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following
chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
|
|
These connections are never torn down, even when the DHCP specifications say that
they should be. This is useful/necessary when the rootfs (or another critical fs)
is mounted over this network connection, and dataloss would result if the connection
is lost.
This option defaults to off, but our initrd generator (TBD) will enable it when
applicable.
|
|
process, but SIGKILL to all daemon processes
This should fix some race with terminating systemd --user, where the
system systemd instance might race against the user systemd instance
when sending SIGTERM.
|
|
|
|
When set to auto, status will shown when the first ephemeral message
is shown (a job has been running for five seconds). Then until the
boot or shutdown ends, status messages will be shown.
No indication about the switch is done: I think it should be clear
for the user that first the cylon eye and the ephemeral messages appear,
and afterwards messages are displayed.
The initial arming of the event source was still wrong, but now should
really be fixed.
|
|
signal(7) provides a list of functions which may be called from a
signal handler. Other functions, which only call those functions and
don't access global memory and are reentrant are also safe.
sd_j_sendv was mostly OK, but would call mkostemp and writev in a
fallback path, which are unsafe.
Being able to call sd_j_sendv in a async-signal-safe way is important
because it allows it be used in signal handlers.
Safety is achieved by replacing mkostemp with open(O_TMPFILE) and an
open-coded writev replacement which uses write. Unfortunately,
O_TMPFILE is only available on kernels >= 3.11. When O_TMPFILE is
unavailable, an open-coded mkostemp is used.
https://bugzilla.gnome.org/show_bug.cgi?id=722889
|
|
Debian recently introduced the option key-slot to /etc/crypttab to
specify the LUKS key slot to be used for decrypting the device. On
systems where a keyfile is used and the key is not in the first slot,
this can speed up the boot process quite a bit, since cryptsetup does
not need to try all of the slots sequentially. (Unsuccessfully testing
a key slot typically takes up to about 1 second.)
This patch makes systemd aware of this option.
Debian bug that introduced the feature:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704470
|
|
|
|
Refactor bridging support to be generic netdev support and extend it to
cover bonding as well.
|
|
|
|
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero, /dev/random, but not any physical devices in them.
|
|
|
|
|
|
|
|
This may be used in graphical session start-up scripts to upload
environment variables such as $DISPLAY into the systemd manager easily.
|
|
Setting UseDNS=no will ignore any received DNS servers.
|
|
Documentation was updated to refer to either 'libsystemd' or 'sd-bus' in place
of libsystemd-bus.
|
|
|
|
Before, journald would remove journal files until both MaxUse= and
KeepFree= settings would be satisfied. The first one depends (if set
automatically) on the size of the file system and is constant. But
the second one depends on current use of the file system, and a spike
in disk usage would cause journald to delete journal files, trying to
reach usage which would leave 15% of the disk free. This behaviour is
surprising for the user who doesn't expect his logs to be purged when
disk usage goes above 85%, which on a large disk could be some
gigabytes from being full. In addition attempting to keep 15% free
provides an attack vector where filling the disk sufficiently disposes
of almost all logs.
Instead, obey KeepFree= only as a limit on adding additional files.
When replacing old files with new, ignore KeepFree=. This means that
if journal disk usage reached some high point that at some later point
start to violate the KeepFree= constraint, journald will not add files
to go above this point, but it will stay (slightly) below it. When
journald is restarted, it forgets the previous maximum usage value,
and sets the limit based on the current usage, so if disk remains to
be filled, journald might use one journal-file-size less on each
restart, if restarts happen just after rotation. This seems like a
reasonable compromise between implementation complexity and robustness.
|
|
This is a continuation of e3e0314b systemctl: allow globbing in commands
which take multiple unit names.
Multiple patterns can be specified, as separate arguments, or as one argument
with patterns seperated by commas.
If patterns are given, at least one unit must be matched (by any of the patterns).
This is different behaviour than systemctl, but here it is necessary because
otherwise anything would be matched, which is unlikely to be the intended
behaviour.
https://bugs.freedesktop.org/show_bug.cgi?id=59336
|
|
|
|
|
|
|
|
|
|
|
|
|
|
These keys are mandatory in [Address]/[Route] sections. Otherwise, we
hit an assert:
ens3: setting addresses
Assertion 'address->family == 2 || address->family == 10' failed at /build/amd64-generic/tmp/portage/sys-apps/systemd-9999-r1/work/systemd-9999/src/network/networkd-address.c:137, function address_configure(). Aborting.
Reported-by: Alex Polvi <alex.polvi@coreos.com>
At the same time make sure Route's Destination and Gateway uses the same address family.
|
|
|
|
This reverts commit 4cd1214db6cf4b262e8ce6381bc710091b375c96.
This may still be fixed in the kernel, revert this for now until
we see how it all shakes out.
|
|
|
|
|
|
When DEVTYPE is not set for a nic, it means it is a wired/ethernet
device.
|
|
As suggested by Kay, it is better to describe what is done,
not what might happen.
|
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727708#1694
|