| Age | Commit message (Collapse) | Author |
|---|
|
Use _cleanup_ and wrap lines to ~80 chars and such.
|
|
|
|
|
|
This completes c1dae1b3c9729fb8ab749dd4e2dad07e0fad7ed8 in a way.
|
|
Back from old times when we developed systemd on non-systemd hosts we
still mounted the missing directories such as the cgroup stuff even when
running with a PID != 1. There's no point for that anymore, so let's
just do that if we are actually PID 1, and never otherwise.
https://bugs.freedesktop.org/show_bug.cgi?id=62354
|
|
In order to maintain compatibility with older initrds which do not have
AllowIsolate=yes set for their target units, fallback to JOB_REPLACE if
JOB_ISOLATE doesn't work, but complain about it.
|
|
SMACK is the Simple Mandatory Access Control Kernel, a minimal
approach to Access Control implemented as a kernel LSM.
The kernel exposes the smackfs filesystem API through which access
rules can be loaded. At boot time, we want to load the access rules
as early as possible to ensure all early boot steps are checked by Smack.
This patch mounts smackfs at the new location at /sys/fs/smackfs for
kernels 3.8 and above. The /smack mountpoint is not supported.
After mounting smackfs, rules are loaded from the usual location.
For more information about Smack see:
http://www.kernel.org/doc/Documentation/security/Smack.txt
|
|
move mount_setup_early() call to main.c, before security module setup,
so there are no more repeat calls.
|
|
arguments in PID 1
https://bugzilla.redhat.com/show_bug.cgi?id=880025
|
|
This allows switch-root to work correctly if a unit is active both before and
after the switch-root, but its dependencies change. Before the patch, any
dependencies added to active units by switch-root will not be pulled, in
particular filesystems configured in /etc/fstab would not be activated if
local-fs.target was active in the initrd.
It is not clear to me if there is a bug in the REPLACE handling, or if it is
working as expected and that we really want to use ISOLATE instead as this patch
does.
|
|
Also split out some fileio functions to fileio.c and provide a SELinux
aware pendant in fileio-label.c
see https://bugzilla.redhat.com/show_bug.cgi?id=881577
|
|
|
|
Yay, we now have a completely generic systemd. No distribution specific checks anymore!
|
|
|
|
kmod is unecessary if loadable module support is disabled in the kernel,
so make the dependency optional.
|
|
|
|
systemd.
Running as a user instance won't work at all if systemd isn't running as system
manager, so refuse to start in that case.
|
|
Turns out cpuset needs explicit initialization before we could make use
of it. Thus mounting cpuset with cpu/cpuacct would make it impossible to
just create a group in "cpu" and start it.
|
|
Note: I did s/MANAGER/SYSTEMD/ everywhere, even though it makes the
patch quite verbose. Nevertheless, keeping MANAGER prefix in some
places, and SYSTEMD prefix in others would just lead to confusion down
the road. Better to rip off the band-aid now.
|
|
When the new PID is invoked the journal socket from the initrd might
still be around. Due to the default log target being journal we'd log to
that initially when the new main systemd initializes even if the kernel
command line included a directive to redirect systemd's logging
elsewhere.
With this fix we initially always log to kmsg now, if we are PID1, and
only after parsing the kernel cmdline try to open the journal if that's
desired.
(The effective benefit of this is that SELinux performance data is now
logged again to kmsg like it used to be.)
|
|
Properly tell the kernel at bootup, and any later time zone changes,
the actual system time zone.
Things like the kernel's FAT filesystem driver needs the actual time
zone to calculate the proper local time to use for the on-disk time
stamps.
https://bugzilla.redhat.com/show_bug.cgi?id=802198
|
|
For setups with many listening sockets the default kernel resource limit
of 1024 fds is not enough. Bump this up to 64K to avoid any limitations
in this regard. We are careful to pass on the kernel default to daemons
however, since normally resource limits are a good to enforce,
especially since select() can't handle fds > 1023.
|
|
Let's make sure libselinux doesn't spew to stderr
|
|
|
|
After talking to the cgroup kernel folks at LPC we came to the
conclusion that it is probably a good idea to mount all CPU related
resp. all network related cgroup controllers together, both because they
are good defaults for admins and because this might prepare
for eventual kernel cleanups where the ability to mount them separately
is removed.
|
|
|
|
|
|
|
|
|
|
Adds messages for formally silent errors: new "Failed on cmdline argument %s: %s".
Removes some specific error messages for -ENOMEM in mount-setup.c. A few specific
ones have been left in other binaries.
|
|
Become the reaper for all children part of the user session. Tested
with several forking services.
|
|
|
|
When we transition from the initrd to the main system, don't reap
processes, so that they can be handled normally after deserialization.
|
|
systemd --version mirrors systemctl --version:
$ ./systemd --version
systemd 186
other
+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT -LIBCRYPTSETUP
This information can be retrieved by other means (systemctl, etc.),
but it's easier for a newbie if 'systemd --version' says something
useful. And 'systemd --help' is already there, so let's complement
that with '--version'.
|
|
There's no point in reopening /dev/console if we reopen it anyway
afterwards.
|
|
|
|
|
|
|
|
|
|
This adds a timeout if the TTY cannot be acquired and makes sure we
always output the question to the console, never to the TTY of the
respective service.
|
|
This option never made much sense. It was originally intended to make
sure that the usual startup output of sysv scripts goes to the terminal.
However, since SysV scripts started from a terminal would not output to
that terminal, but rather /dev/console this effect was more often than
not actually taking place. Nowadays systemd has much nicer boot time
status output than SysV which makes the sysv output redundant. Finally,
all output of services goes to the journal anyway, and is not lost.
Hence, let's drop this option, and simplify things a bit.
|
|
This generalizes a bit of the functionality already available in dracut.
|
|
|
|
|
|
usermode helpers
This hooks things up with /proc/sys/kernel/usermodehelper/bset and
/proc/sys/kernel/usermodehelper/inheritable.
|
|
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
|
|
|
|
This also introduces rd.systemd.unit= to specify the unit to boot into
in the initrd.
|
|
|
|
|
