path: root/src/core
Age | Commit message | Author
2017-02-09 | dbus: permit seeing process list of units whose unit files are missing | Lennart Poettering
Previously, we'd refuse the GetUnitProcesses() bus call if the unit file couldn't be loaded. Which is wrong, as admins should be able to inspect services whose unit files were deleted. Change this logic, so that we permit introspecting the processes of any unit that is loaded, regardless if it has a unit file or not. (Note that we won't load unit files in GetUnitProcess(), but only operate on already loaded ones. That's because only loaded units can have processes — as that's how our GC logic works — and hence loading the unit just for the process tree is pointless, as it would be empty). See: #4995
2017-02-09 | execute: set the right exit status for CHDIR vs. CHROOT | Lennart Poettering
Fixes: #5125
2017-02-09 | execute: use prefix_roota() where appropriate | Lennart Poettering
2017-02-09 | execute: set working directory to /root if User= is not set, but WorkingDirectory=~ is | Lennart Poettering
Or actually, try to do the right thing depending on what is available:
- If we know $HOME from User=, then use that.
- If the UID for the service is 0, hardcode that WorkingDirectory=~ means WorkingDirectory=/root
- In any other case (which will be the unprivileged --user case), use get_home_dir() to find the $HOME of the user we are running as.
- Otherwise fail.
Fixes: #5246 #5124
2017-02-09 | Revert "core/execute: set HOME, USER also for root users" | Lennart Poettering
This reverts commit 8b89628a10af3863bfc97872912e9da4076a5929. This broke #5246
2017-02-08 | Merge pull request #4962 from poettering/root-directory-2 | Zbigniew Jędrzejewski-Szmek
Add new MountAPIVFS= boolean unit file setting + RootImage=
2017-02-08 | Merge pull request #5231 from keszybz/mask-wants | Lennart Poettering
Mask individual .wants/.requires symlinks
2017-02-07 | core/load-dropin: add more sanity checks on .wants/.requires symlinks | Zbigniew Jędrzejewski-Szmek
    Feb 04 22:35:42 systemd[1462]: foo.service: Wants dependency dropin /home/zbyszek/.config/systemd/user/foo.service.wants/diffname.service target ../barbar.service has different name
    Feb 04 22:35:42 systemd[1462]: foo.service: Wants dependency dropin /home/zbyszek/.config/systemd/user/foo.service.wants/wrongname is not a valid unit name, ignoring
2017-02-07 | core: implement masking of .wants/.requires symlinks | Zbigniew Jędrzejewski-Szmek
Fixes #1169. Fixes #4830. Example log errors:
    Feb 04 22:13:28 systemd[1462]: foo.service: Wants dependency on empty_file.service is masked by /home/zbyszek/.config/systemd/user/foo.service.wants/empty_file.service, ignoring
    Feb 04 22:13:28 systemd[1462]: foo.service: Wants dependency on masked.service is masked by /home/zbyszek/.config/systemd/user/foo.service.wants/masked.service, ignoring
2017-02-07 | core: when loading .wants and .requires, follow the same logic as .d conf dropins | Zbigniew Jędrzejewski-Szmek
Essentially, instead of sequentially adding deps based on all symlinks encountered in .wants and .requires dirs for each name and each unit file load path, iterate over the load paths and unit names gathering symlinks, then order them based on priority, and then iterate over the final list, adding dependencies. This patch doesn't change the logic too much, except that the order in which dependencies are applied might be different. It wasn't defined before, so that's not really a change. Adding filtering on the symlinks is left for later patches.
2017-02-07 | core,nspawn,dissect: make nspawn's .roothash file search reusable | Lennart Poettering
This makes nspawn's logic of automatically discovering the root hash of an image file generic, and then reuses it in systemd-dissect and in PID1's RootImage= logic, so that verity is automatically set up whenever we can.
2017-02-07 | core: add RootImage= setting for using a specific image file as root directory for a service | Lennart Poettering
This is similar to RootDirectory= but mounts the root file system from a block device or loopback file instead of another directory. This reuses the image dissector code now used by nspawn and gpt-auto-discovery.
2017-02-07 | core: actually make "+" prefix in ReadOnlyPaths=, InaccessiblePaths=, ReadWritablePaths= work | Lennart Poettering
5327c910d2fc1ae91bd0b891be92b30379c7467b claimed to add support for "+" for prefixing paths with the configured RootDirectory=. But actually it only implemented it in the backend, it did not add support for it to the configuration file parsers. Fix that now.
2017-02-07 | core: add a per-unit setting MountAPIVFS= for mounting /dev, /proc, /sys in conjunction with RootDirectory= | Lennart Poettering
This adds a boolean unit file setting MountAPIVFS=. If set, the three main API VFS mounts will be mounted for the service. This only has an effect on RootDirectory=, which it makes a ton times more useful. (This is basically the /dev + /proc + /sys mounting code posted in the original #4727, but rebased on current git, and with the automatic logic replaced by explicit logic controlled by a unit file setting)
2017-02-07 | core: fix minor memleak in namespace.c | Lennart Poettering
The source_malloc field wants to be freed, too.
2017-02-06 | core: use a memfd for serialization | Lennart Poettering
If we can, use a memfd for serializing state during a daemon reload or reexec. Fall back to a file in /run/systemd or /tmp only if memfds are not available. See: #5016
2017-02-06 | manager: refuse reloading/reexecing when /run is overly full | Lennart Poettering
Let's add an extra safety check: before entering a reload/reexec, let's verify that there's enough room in /run for it. Fixes: #5016
2017-02-05 | Merge pull request #5223 from keszybz/root-workdir | Martin Pitt
Fix WorkDir=~ with empty User=
2017-02-05 | core/timer: downgrade message about random time addition (#5229) | Zbigniew Jędrzejewski-Szmek
This seems like something that shouldn't be higher than debug level, even if it does not get emitted too often. Fixes #5228.
2017-02-03 | core/execute: pass the username to utmp/wtmp database | Zbigniew Jędrzejewski-Szmek
Before previous commit, username would be NULL for root, and set only for other users. So the argument passed to utmp_put_init_process() would be "root" for other users and NULL for root. Seems strange. Instead, always pass the username if available.
2017-02-03 | core/execute: set HOME, USER also for root users | Zbigniew Jędrzejewski-Szmek
This changes the environment for services running as root from:
    LANG=C.utf8
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    INVOCATION_ID=ffbdec203c69499a9b83199333e31555
    JOURNAL_STREAM=8:1614518
to
    LANG=C.utf8
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    HOME=/root
    LOGNAME=root
    USER=root
    SHELL=/bin/sh
    INVOCATION_ID=15a077963d7b4ca0b82c91dc6519f87c
    JOURNAL_STREAM=8:1616718
Making the environment special for the root user complicates things unnecessarily. This change simplifies both our logic (by making the setting of the variables unconditional), and should also simplify the logic in services (particularly scripts). Fixes #5124.
2017-02-02 | systemctl: also use chase_symlinks for dropins | Zbigniew Jędrzejewski-Szmek
The general rule is:
- code in shared/ should take an "original_root" argument (possibly NULL) and pass it along down to chase_symlinks
- code in core/ should always specify original_root==NULL, since we don't support running the manager from non-root directory
- code in systemctl and other tools should pass arg_root.
For any code that is called from tools which support --root, chase_symlinks must be used to look up paths.
2017-02-02 | core/mount: remove repeated word | Zbigniew Jędrzejewski-Szmek
2017-02-02 | Merge pull request #5204 from keszybz/masked-warning-cleanup | Lennart Poettering
Cleanup of error code mismatch for masked units
2017-02-01 | core/transaction: also downgrade warning for masked units wanted by followed units | Zbigniew Jędrzejewski-Szmek
The warning "Cannot add dependency job, ignoring" was downgraded to info in one place, but not in the other. C.f. #5179.
2017-02-01 | Merge pull request #5191 from keszybz/tweaks | Zbigniew Jędrzejewski-Szmek
2017-02-01 | Revert "Trivial typo fixes and code refactorings (#5191)" | Zbigniew Jędrzejewski-Szmek
Let's do a merge to preserve all the commit messages. This reverts commit 785d345145bbd06c8f1c75c6a0b119c4e8f411db.
2017-02-01 | Trivial typo fixes and code refactorings (#5191) | Zbigniew Jędrzejewski-Szmek
* logind: trivial simplification
  free_and_strdup() handles NULL arg, so make use of that.
* boot: fix two typos
* pid1: rewrite check in ignore_proc() to not check condition twice
  It's harmless, but it seems nicer to evaluate a condition just a single time.
* core/execute: reformat exec_context_named_iofds() for legibility
* core/execute.c: check asprintf return value in the usual fashion
  This is unlikely to fail, but we cannot rely on asprintf return value on failure, so let's just be correct here. CID #1368227.
* core/timer: use (void)
  CID #1368234.
* journal-file: check asprintf return value in the usual fashion
  This is unlikely to fail, but we cannot rely on asprintf return value on failure, so let's just be correct here. CID #1368236.
* shared/cgroup-show: use (void)
  CID #1368243.
* cryptsetup: do not return uninitialized value on error
  CID #1368416.
2017-02-01 | Merge pull request #5166 from keszybz/gcc7 | Evgeny Vereshchagin
Fixes for gcc 7 and new µhttpd & glibc warnings
2017-01-31 | tree-wide: adjust fall through comments so that gcc is happy | Zbigniew Jędrzejewski-Szmek
gcc 7 adds -Wimplicit-fallthrough=3 to -Wextra. There are a few ways we could deal with that. After we take into account the need to stay compatible with older versions of the compiler (and other compilers), I don't think adding __attribute__((fallthrough)), even as a macro, is worth the trouble. It sticks out too much, a comment is just as good. But gcc has some very specific requirements how the comment should look. Adjust it to the specific form that it likes. I don't think the extra stuff we had in those comments was adding much value. (Note: the documentation seems to be wrong, and seems to describe a different pattern from the one that is actually used. I guess either the docs or the code will have to change before gcc 7 is finalized.)
2017-01-31 | pid1: remove duplicate const attribute | Zbigniew Jędrzejewski-Szmek
gcc 7 started warning about this.
2017-01-31 | core: fix copy paste error (s/source/destination/) (#5197) | Evgeny Vereshchagin
```
-bash-4.3# systemd-run --property BindPaths=/etc:tmp/hey sh -c 'ls /tmp/hey'
```
prints `Destination path tmp/hey is not absolute.` instead of `Destination path /etc is not absolute.` CID #1368239
2017-01-31 | core/timer: use (void) | Zbigniew Jędrzejewski-Szmek
CID #1368234.
2017-01-31 | core/execute.c: check asprintf return value in the usual fashion | Zbigniew Jędrzejewski-Szmek
This is unlikely to fail, but we cannot rely on asprintf return value on failure, so let's just be correct here. CID #1368227.
2017-01-31 | core/execute: reformat exec_context_named_iofds() for legibility | Zbigniew Jędrzejewski-Szmek
2017-01-31 | pid1: rewrite check in ignore_proc() to not check condition twice | Zbigniew Jędrzejewski-Szmek
It's harmless, but it seems nicer to evaluate a condition just a single time.
2017-01-24 | core/execute: fix strv memleak | Zbigniew Jędrzejewski-Szmek
compile_read_write_paths() returns a normal strv from strv_copy(), and setup_namespace() uses it read-only, so we should use strv_free to deallocate.
2017-01-24 | core/dbus: fix two strv memleaks | Zbigniew Jędrzejewski-Szmek
job_dbus_path and unit_dbus_path both allocate new strings, so we should use strv_free.
2017-01-24 | core: fix memleak in bus_exec_context_set_transient_property (#5143) | Evgeny Vereshchagin
Fixes:
```sh
systemd-run --property EnvironmentFile=/some/environment/file /bin/sleep 30
```
```
23 bytes in 1 blocks are definitely lost in loss record 1 of 7
   at 0x4C2DB9D: malloc (vg_replace_malloc.c:299)
   by 0x4E85488: malloc_multiply (alloc-util.h:70)
   by 0x4E85F19: strjoin_real (string-util.c:252)
   by 0x1AF741: bus_exec_context_set_transient_property (dbus-execute.c:1418)
   by 0x1A907C: bus_service_set_property (dbus-service.c:330)
   by 0x1A66DD: bus_unit_set_properties (dbus-unit.c:1456)
   by 0x19CF93: transient_unit_from_message (dbus-manager.c:892)
   by 0x19D388: method_start_transient_unit (dbus-manager.c:980)
   by 0x4F60544: method_callbacks_run (bus-objects.c:418)
   by 0x4F62D9D: object_find_and_run (bus-objects.c:1255)
   by 0x4F633CE: bus_process_object (bus-objects.c:1371)
   by 0x4F2CE1D: process_message (sd-bus.c:2563)
```
Closes: #5142
2017-01-24 | core: don't load dropin data multiple times for the same unit (#5139) | Franck Bui
When an alias is loaded, we resolve this alias to its final unit first to load the dropin data. However if the final unit was already loaded, there's no point in reloading the dropin data a second time. This patch optimizes this case. Also this allows the dropin loading code to assume that only units not yet loaded are passed down. This assumption is not yet used but might be in the future. [zj: invert the condition in the if]
2017-01-23 | core: improve error message when RefuseManualStart(Stop) is hit (#5132) | Jan Synacek
2017-01-23 | load-fragment: fix comment to reflect changes made in 43eb109 (#5138) | Michal Sekletar
2017-01-23 | core: add missing unit_add_to_load_queue() to mount_setup_new_unit() | Yu Watanabe
unit_add_to_load_queue was present in the code before 03b8cfede9ff3441b1ec8ff5cdf6876294846aa4, and was inadvertently dropped. Fixes #5105
2017-01-23 | core: minor error handling fix in mount_setup_new_unit() | Yu Watanabe
The function mount_setup_new_unit() should return -ENOMEM if at least one of the `strdup` calls fails.
2017-01-17 | Merge pull request #4991 from poettering/seccomp-fix | Zbigniew Jędrzejewski-Szmek
2017-01-17 | pid1: provide a more detailed error message when execution fails (#5074) | Zbigniew Jędrzejewski-Szmek
Fixes #5000.
2017-01-17 | seccomp: rework seccomp code, to improve compat with some archs | Lennart Poettering
This substantially reworks the seccomp code, to ensure better compatibility with some architectures, including i386. So far we relied on libseccomp's internal handling of the multiple syscall ABIs supported on Linux. This is problematic however, as it does not define clear semantics if an ABI is not able to support specific seccomp rules we install. This rework hence changes a couple of things:
- We no longer use seccomp_rule_add(), but only seccomp_rule_add_exact(), and fail the installation of a filter if the architecture doesn't support it.
- We no longer rely on adding multiple syscall architectures to a single filter, but instead install a separate filter for each syscall architecture supported. This way, we can install a strict filter for x86-64, while permitting a less strict filter for i386.
- All high-level filter additions are now moved from execute.c to seccomp-util.c, so that we can test them independently of the service execution logic.
- Tests have been added for all types of our seccomp filters.
- SystemCallFilters= and SystemCallArchitectures= are now implemented in independent filters and installation logic, as they semantically are very much independent of each other.
Fixes: #4575
2017-01-16 | core: make sure to init mount params before calling mount_is_extrinsic() (#5087) | Franck Bui
When a new entry appears in /proc/self/mountinfo, mount_setup_unit() allocates a new mount unit for it and starts initializing it. mount_setup_unit() is also used to update a mount unit when a change happens in /proc/self/mountinfo, for example a mountpoint can be remounted with additional mount options. This patch introduces 2 separate functions to deal with those 2 cases instead of mount_setup_unit() dealing with both of them. The common code is small and doing the split makes the code easier to read and less error prone if extended later. It also makes sure to initialize in both functions the mount parameters of the mount unit before calling mount_is_extrinsic() since this function relies on them. Fixes: #4902
2017-01-14 | Merge pull request #4879 from poettering/systemd | Zbigniew Jędrzejewski-Szmek
2017-01-12 | Merge pull request #5069 from keszybz/fixlets | Lennart Poettering
Small fixes and enhancements to docs and code