Age | Commit message (Collapse) | Author |
|
events correctly
|
|
When we enter the running state we should forget about any control processes, in all cases, and not just when hit a
reload timeout...
|
|
We really shouldn't fail silently, but print a log message about these errors. Also make sure to attach error codes to
all log messages where that makes sense.
(While we are at it, add a couple of (void) casts to functions where we knowingly ignore return values.)
|
|
This makes sure we never run two control processes at the same time, we cannot keep track off.
This introduces a slight change of behaviour but cleans up the definition of ExecStop= and ExecStopPost=. The former is
now invoked only if the service managed to start-up correctly. The latter is called even if start-up failed half-way.
Thus, ExecStopPost= may be used as clean-up step for both successful and failed start-up attempts, but ExecStop='s
purpose is clearly defined as being responsible for shutting down the service and nothing else.
The precise behaviour of this was not documented yet. This commit adds the necessary docs.
Fixes: #1254
|
|
For use in timesyncd we already defined a compile-time "epoch" value, which is based on the mtime of the NEWS file, and
specifies a point in time we know lies in the past at runtime. timesyncd uses this to filter out nonsensical timestamp
file data, and bump the system clock to a time that is after the build time of systemd. This patch adds similar bumping
code to earliest PID 1 initialization, so that the system never continues operation with a clock that is in the 1970ies
or even 1930s.
|
|
mount-setup: introduce mount_points_setup
|
|
The mount_setup_early() can fail and if it will occur, there is
no sense to make selinux setup and etc.
|
|
The mount_setup_early() and mount_setup() contain almost the same
pieces of code which calls mount_one() for a certain mount point
from the mount_table. This patch introduces mount_points_setup()
helper to prevent code duplication.
|
|
|
|
This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as
indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code
(following the logic that 0 means "no", and USEC_INFINITY means "never").
This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated,
and sd-event considers it has indication for turning off the event source.
This also alters the deserialization of the units to restart timeouts from the time they were originally started from.
Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to
artificially prolonged timeouts if a daemon reload took place.
Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a
specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs.
This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is
removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn()
calls fail.
Fixes: #2249
|
|
Make sure we can properly process resource limit properties. Specifically, allow transient configuration of both the
soft and hard limit, the same way from the unit files. Previously, only the the hard rlimits could be configured but
they'd implicitly spill into the soft hard rlimits.
This also updates the client-side code to be able to parse hard/soft resource limit specifications. Since we need to
serialize two properties in bus_append_unit_property_assignment() now, the marshalling of the container around it is
now moved into the function itself. This has the benefit of shortening the calling code.
As a side effect this now beefs up the rlimit parser of "systemctl set-property" to understand time and disk sizes
where that's appropriate.
|
|
Let's simplify things a bit, and make sure we don't lose accuracy.
|
|
Clear up some confusion regarding the USec and Sec suffixes we use. In configuration files we usually use the Sec
suffix, to indicate the implied time unit if none is specified. The respective bus properties however use the USec
property, since they expose 64bit unsigned integers containing time in µs.
Before this patch timer units exposed a bus property AccuracyUSec (which hence is the correct name) but when parsing
transient property data would look for AccuracySec instead (which is incorrect). This patch ensures we look for
AccuracySec correctly, but keeps the code for AccuracyUSec in place for compatibility, but adds a warning to ensure
that apps are updated to use the right property.
|
|
This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.
|
|
This adds a new timestamp field to the Unit struct, storing when the last low-level state change took place, and make
sure this is restored after a daemon reload. This new field is useful to allow restarting of per-state timers exactly
where they originally started.
|
|
|
|
remove duplication
|
|
Fixes:
-bash-4.3# echo 1 >/sys/fs/selinux/enforce
-bash-4.3# runcon -t systemd_test_start_t systemctl start hola
-bash-4.3# sesearch --allow -s systemd_test_reload_t -c service
Found 1 semantic av rules:
allow systemd_test_reload_t systemd_unit_file_t : service reload ;
-bash-4.3# runcon -t systemd_test_reload_t systemctl reload hola
Failed to reload hola.service: Access denied
See system logs and 'systemctl status hola.service' for details.
-bash-4.3# journalctl -b | grep -i user_avc | grep reload
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='
avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/systemd/system/hola.service" cmdline="systemctl reload hola"
scontext=unconfined_u:unconfined_r:systemd_test_reload_t:s0-s0:c0.c1023
tcontext=system_u:object_r:systemd_unit_file_t:s0
tclass=service
See
https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl#Documentation
|
|
Otherwise we might end up generating jobs that fail immediately.
This follows the same logic that restart propagation follows.
|
|
When we determine the current system state we check whether units like emergency.target are running or a job that
results in them being run is queued. However, this is not the case for JOB_TRY_RESTART, since that's a NOP if the unit
has not been running before. Hence, don't bother with checking for that job type.
|
|
unit is not running
This makes sure we follow the same basic logic for try-restart if we have a try-reload.
Fixes #688
|
|
transient service
Otherwise we might end resetting /dev/console all the time when a transient service starts or stops.
Fixes #2377
Fixes #2198
Fixes #2061
|
|
[v1] core: resolve specifier in config_parse_exec()
|
|
rootfs as PID1
|
|
Assign errno-style errors to a variable called "r" when they happen, the same way we do this in most other calls. It's
bad enough that the error handling part of the function deals with two different error variables (pam_code and r) now,
but before this fix it was even three!
|
|
Device fixes
|
|
systemd automatically mounts device unless 'noauto' is part of the
mount options. This can happen during boot if the device is plugged at
that time or later when the system is already running (the latter case
is not documented AFAICS).
After the systemd booted, I plugged my USB device which had an entry
in /etc/fstab with the default options and systemd automatically
mounted it.
However I noticed that if I unplugged and re-plugged the device the
automatic mounting of the device didn't work anymore: systemd didn't
notice that the device was re-plugged.
This was due to the device unit which was not recycled by the GC
during the unplug event because in the case of automounting, the mount
unit still referenced it. When the device was re-plugged, the old
device unit was reused but it still had the old sysfs path (amongst
other useful information).
Systemd was confused by the stalled sysfs path and decided to ignore
the plug event.
This patch fixes this issue by simply not doing the sanity checking on
the sysfs path if the device is in unplugged state.
|
|
chaloulo/split-mode-host-remove-port-from-journal-filename
journal-remote: split-mode=host, remove port from journal filename
|
|
core: add valgrind helper for daemon-reexec
|
|
Coverity inspired fixes
|
|
Inspired by https://github.com/systemd/systemd/issues/2187#issuecomment-165587140
|
|
We only go to fail label if pam_pid <= 0.
CID #1306746.
|
|
core: use bus_unit_check_load_state() in transaction_add_job_and_depe…
|
|
Remove gcc warnings v2
|
|
gcc complains that dirs might be unitialized. It cannot, but
we just checked that name has one of three values above, so
no need to check again.
|
|
Fix broken SYSTEMD_USER_WANTS in udev rules.
|
|
How to reproduce
$ systemctl set-default multi-user # https://github.com/systemd/systemd/issues/2298
$ systemctl preset-all
Failed to execute operation: Too many levels of symbolic links
$ systemctl poweroff
Fixes:
==1==
==1== HEAP SUMMARY:
==1== in use at exit: 65,645 bytes in 7 blocks
==1== total heap usage: 40,539 allocs, 40,532 frees, 30,147,547 bytes allocated
==1==
==1== 109 (24 direct, 85 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 7
==1== at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4C2DE2F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x23DA71: unit_file_changes_add (install.c:233)
==1== by 0x23E45D: remove_marked_symlinks_fd (install.c:453)
==1== by 0x23E267: remove_marked_symlinks_fd (install.c:405)
==1== by 0x23E641: remove_marked_symlinks (install.c:494)
==1== by 0x243A91: execute_preset (install.c:2190)
==1== by 0x244343: unit_file_preset_all (install.c:2351)
==1== by 0x18AAA2: method_preset_all_unit_files (dbus-manager.c:1846)
==1== by 0x1D8157: method_callbacks_run (bus-objects.c:420)
==1== by 0x1DA9E9: object_find_and_run (bus-objects.c:1257)
==1== by 0x1DB02B: bus_process_object (bus-objects.c:1373)
==1==
==1== LEAK SUMMARY:
==1== definitely lost: 24 bytes in 1 blocks
==1== indirectly lost: 85 bytes in 1 blocks
==1== possibly lost: 0 bytes in 0 blocks
==1== still reachable: 65,536 bytes in 5 blocks
==1== suppressed: 0 bytes in 0 blocks
==1== Reachable blocks (those to which a pointer was found) are not shown.
==1== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==1==
==1== For counts of detected and suppressed errors, rerun with: -v
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
|
|
The functionality of SYSTEMD_USER_WANTS that attaches dependencies to device
units from udev rules was broken since commit b2c23da8. I guess it was due to
a mass replace s/SYSTEMD_USER/MANAGER_USER/.
|
|
Fixes:
==1== by 0x23E44C: remove_marked_symlinks_fd (install.c:453)
==1== by 0x23E256: remove_marked_symlinks_fd (install.c:405)
==1== by 0x23E630: remove_marked_symlinks (install.c:494)
==1== by 0x2427A0: unit_file_disable (install.c:1876)
==1== by 0x18A633: method_disable_unit_files_generic (dbus-manager.c:1760)
==1== by 0x18A6CA: method_disable_unit_files (dbus-manager.c:1768)
==1== by 0x1D8146: method_callbacks_run (bus-objects.c:420)
==1== by 0x1DA9D8: object_find_and_run (bus-objects.c:1257)
==1== by 0x1DB01A: bus_process_object (bus-objects.c:1373)
==1==
==1== 228 (48 direct, 180 indirect) bytes in 2 blocks are definitely lost in loss record 8 of 14
==1== at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4C2DE2F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x23DA60: unit_file_changes_add (install.c:233)
==1== by 0x23DDB2: create_symlink (install.c:298)
==1== by 0x240C5C: install_info_symlink_wants (install.c:1328)
==1== by 0x240FC8: install_info_apply (install.c:1384)
==1== by 0x241211: install_context_apply (install.c:1439)
==1== by 0x242563: unit_file_enable (install.c:1830)
==1== by 0x18A06E: method_enable_unit_files_generic (dbus-manager.c:1650)
==1== by 0x18A141: method_enable_unit_files (dbus-manager.c:1660)
==1== by 0x1D8146: method_callbacks_run (bus-objects.c:420)
==1== by 0x1DA9D8: object_find_and_run (bus-objects.c:1257)
==1==
==1== 467 (144 direct, 323 indirect) bytes in 3 blocks are definitely lost in loss record 9 of 14
==1== at 0x4C2DD9F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x23DA60: unit_file_changes_add (install.c:233)
==1== by 0x23DE97: create_symlink (install.c:320)
==1== by 0x242CFC: unit_file_set_default (install.c:1951)
==1== by 0x18A881: method_set_default_target (dbus-manager.c:1802)
==1== by 0x1D8146: method_callbacks_run (bus-objects.c:420)
==1== by 0x1DA9D8: object_find_and_run (bus-objects.c:1257)
==1== by 0x1DB01A: bus_process_object (bus-objects.c:1373)
==1== by 0x259143: process_message (sd-bus.c:2567)
==1== by 0x259326: process_running (sd-bus.c:2609)
==1== by 0x259BDC: bus_process_internal (sd-bus.c:2798)
==1== by 0x259CAD: sd_bus_process (sd-bus.c:2817)
==1==
==1== LEAK SUMMARY:
==1== definitely lost: 216 bytes in 6 blocks
==1== indirectly lost: 560 bytes in 14 blocks
==1== possibly lost: 0 bytes in 0 blocks
==1== still reachable: 65,536 bytes in 5 blocks
==1== suppressed: 0 bytes in 0 blocks
==1== Reachable blocks (those to which a pointer was found) are not shown.
==1== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==1==
|
|
Fix transient units memory leak
|
|
Fixes:
==1== HEAP SUMMARY:
==1== in use at exit: 67,182 bytes in 91 blocks
==1== total heap usage: 70,485 allocs, 70,394 frees, 42,184,635 bytes
allocated
==1==
==1== 5,742 (696 direct, 5,046 indirect) bytes in 29 blocks are
definitely lost in loss record 4 of 7
==1== at 0x4C2DD9F: realloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x21ADDD: realloc_multiply (alloc-util.h:67)
==1== by 0x21BFB0: strv_push (strv.c:448)
==1== by 0x21C245: strv_consume (strv.c:520)
==1== by 0x21C33C: strv_extend (strv.c:559)
==1== by 0x278AD7: unit_write_drop_in (unit.c:3352)
==1== by 0x278EEB: unit_write_drop_in_private (unit.c:3403)
==1== by 0x190C21: bus_service_set_transient_property
(dbus-service.c:254)
==1== by 0x190DBC: bus_service_set_property (dbus-service.c:284)
==1== by 0x18F00E: bus_unit_set_properties (dbus-unit.c:1226)
==1== by 0x186F6A: transient_unit_from_message (dbus-manager.c:683)
==1== by 0x1872B7: method_start_transient_unit (dbus-manager.c:763)
==1==
==1== LEAK SUMMARY:
==1== definitely lost: 696 bytes in 29 blocks
==1== indirectly lost: 5,046 bytes in 58 blocks
==1== possibly lost: 0 bytes in 0 blocks
==1== still reachable: 61,440 bytes in 4 blocks
==1== suppressed: 0 bytes in 0 blocks
|
|
If a unit was pulled by a Wants= dependency but its unit file was not
present then we logged this as an error.
However Wants= might be used to configure a soft/optional dependency
on another unit, ie. start an optional service only if it's installed
otherwise simply skip it. In this case emitting an error doesn't look
appropriate.
But it's still an error if the optional dependency exists but its
activation fails for any reasons.
|
|
==1== HEAP SUMMARY:
==1== in use at exit: 61,728 bytes in 22 blocks
==1== total heap usage: 258,122 allocs, 258,100 frees, 78,219,628
bytes allocated
==1==
==1== 16 bytes in 1 blocks are definitely lost in loss record 1 of 6
==1== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==1== by 0x1E350E: memdup (alloc-util.c:34)
==1== by 0x135AFB: memdup_multiply (alloc-util.h:74)
==1== by 0x140F97: manager_set_default_rlimits (manager.c:2929)
==1== by 0x1303DA: manager_set_defaults (main.c:737)
==1== by 0x133A02: main (main.c:1718)
==1==
==1== 272 bytes in 17 blocks are definitely lost in loss record 2 of 6
==1== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==1== by 0x1E350E: memdup (alloc-util.c:34)
==1== by 0x135AFB: memdup_multiply (alloc-util.h:74)
==1== by 0x140F97: manager_set_default_rlimits (manager.c:2929)
==1== by 0x1303DA: manager_set_defaults (main.c:737)
==1== by 0x13480D: main (main.c:1828)
==1==
==1== LEAK SUMMARY:
==1== definitely lost: 288 bytes in 18 blocks
==1== indirectly lost: 0 bytes in 0 blocks
==1== possibly lost: 0 bytes in 0 blocks
==1== still reachable: 61,440 bytes in 4 blocks
==1== suppressed: 0 bytes in 0 blocks
==1== Reachable blocks (those to which a pointer was found) are not
shown.
==1== To see them, rerun with: --leak-check=full --show-leak-kinds=all
|
|
Compare errno with zero in a way that tells gcc that
(if the condition is true) errno is positive.
|
|
gcc is confused by the common idiom of
return errno ? -errno : -ESOMETHING
and thinks a positive value may be returned. Replace this condition
with errno > 0 to help gcc and avoid many spurious warnings. I filed
a gcc rfe a long time ago, but it hard to say if it will ever be
implemented [1].
Both conventions were used in the codebase, this change makes things
more consistent. This is a follow up to bcb161b0230f.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61846
|
|
Add machine-id setting
|
|
Allow for overriding all other machine-ids which may be present on
the system using a kernel command line systemd.machine_id or
--machine-id= option.
This is especially useful for network booted systems where the
machine-id needs to be static, or for containers where a specific
machine-id is wanted.
|
|
Also add a coccinelle receipt to help with such transitions.
|
|
This patch adds support for ambient capabilities in service files. The
idea with ambient capabilities is that the execed processes can run with
non-root user and get some inherited capabilities, without having any
need to add the capabilities to the executable file.
You need at least Linux 4.3 to use ambient capabilities. SecureBit
keep-caps is automatically added when you use ambient capabilities and
wish to change the user.
An example system service file might look like this:
[Unit]
Description=Service for testing caps
[Service]
ExecStart=/usr/bin/sleep 10000
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
After starting the service it has these capabilities:
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000003fffffffff
CapAmb: 0000000000003000
|
|
Change the capability bounding set parser and logic so that the bounding
set is kept as a positive set internally. This means that the set
reflects those capabilities that we want to keep instead of drop.
|