Age | Commit message (Collapse) | Author |
|
Instead of accessing /proc/1/environ directly, trying to read the
$container variable from it, let's make PID 1 save the contents of that
variable to /run/systemd/container. This allows us to detect containers
without the need for CAP_SYS_PTRACE, which allows us to drop it from a
number of daemons and from the file capabilities of systemd-detect-virt.
Also, don't consider chroot a container technology anymore. After all,
we don't consider file system namespaces container technology anymore,
and hence chroot() should be considered a container even less.
|
|
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=49316
|
|
nspawn and the container child use eventfd to wait and notify each other
that they are ready so the container setup can be completed.
However in its current form the wait/notify event ignore errors that
may especially affect the child (container).
On errors the child will jump to the "child_fail" label and terminate
with _exit(EXIT_FAILURE) without notifying the parent. Since the eventfd
is created without the "EFD_NONBLOCK" flag, this leaves the parent
blocking on the eventfd_read() call. The container can also be killed
at any moment before execv() and the parent will not receive
notifications.
We can fix this by using cheap mechanisms, the new high level eventfd
API and handle SIGCHLD signals:
* Keep the cheap eventfd and EFD_NONBLOCK flag.
* Introduce eventfd states for parent and child to sync.
Child notifies parent with EVENTFD_CHILD_SUCCEEDED on success or
EVENTFD_CHILD_FAILED on failure and before _exit(). This prevents the
parent from waiting on an event that will never come.
* If the child is killed before execv() or before notifying the parent,
we install a NOP handler for SIGCHLD which will interrupt blocking calls
with EINTR. This gives a chance to the parent to call wait() and
terminate in main().
* If there are no errors, parent will block SIGCHLD, restore default
handler and notify child which will do execv(), then parent will pass
control to process_pty() to do its magic.
This was exposed in part by:
https://bugs.freedesktop.org/show_bug.cgi?id=76193
Reported-by: Tobias Hunger tobias.hunger@gmail.com
|
|
There was this code:
if (to_path_len > 0)
memcpy(p, to_path, to_path_len);
That didn't add the terminating zero, so the resulting string was
corrupt if this code path was taken.
Using strcpy() instead of memcpy() solves this issue, and also
simplifies the code.
Previously there was special handling for shortening "../../" to
"../..", but that has now been replaced by a path_kill_slashes() call,
which also makes the result prettier in case the input contains
redundant slashes that would otherwise be copied to the result.
|
|
|
|
vendor string array.
The string "Microsoft Corporation" is used in the Surface Tablet's DMI vendor ID.
https://bugs.freedesktop.org/show_bug.cgi?id=78312
|
|
|
|
|
|
|
|
Create initial stamp file with compiled-in time to prevent bootups
with clocks in the future from storing invalid timestamps.
At shutdown, only update the timestamp if we got an authoritative
time to store.
|
|
|
|
|
|
because it is missing
After all, we want to be able to boot with /etc empty one day...
|
|
|
|
|
|
We shouldn't destroy IPC objects of system users on logout.
http://lists.freedesktop.org/archives/systemd-devel/2014-April/018373.html
This introduces SYSTEM_UID_MAX defined to the maximum UID of system
users. This value is determined compile-time, either as configure switch
or from /etc/login.defs. (We don't read that file at runtime, since this
is really a choice for a system builder, not the end user.)
While we are at it we then also update journald to use SYSTEM_UID_MAX
when we decide whether to split out log data for a specific client.
|
|
|
|
with CAP_SYS_TIME)
|
|
This allows external tools to keep additional unit information in a
separate section without scaring users with a big warning.
|
|
If XDG_CONFIG_HOME is set, then we should respect that.
|
|
In user_dirs() in path-lookup.c, I want to replace this:
symlink("../../../.config/systemd/user", data_home);
with
symlink(config_home, data_home);
to avoid hardcoding .config when XDG_CONFIG_HOME is set.
The problem is that config_home is an absolute path, and it's better
to make the symlink relative. path_make_relative() is an utility
function that converts an absolute path into a relative one.
|
|
No functional change expected :)
|
|
Running systemctl enable/disable/set-default/... with the --root
option under strace reveals that it accessed various files and
directories in the main fs, and not underneath the specified root.
This can lead to correct results only when the layout and
configuration in the container are identical, which often is not the
case. Fix this by adding the specified root to all file access
operations.
This patch does not handle some corner cases: symlinks which point
outside of the specified root might be interpreted differently than
they would be by the kernel if the specified root was the real root.
But systemctl does not create such symlinks by itself, and I think
this is enough of a corner case not to be worth the additional
complexity of reimplementing link chasing in systemd.
Also, simplify the code in a few places and remove an hypothetical
memory leak on error.
|
|
Before: /var/tmp/inst1//etc/systemd/system/default.target -> /var/tmp/inst1//usr/lib/systemd/system/graphical.target
After: /var/tmp/inst1/etc/systemd/system/default.target -> /usr/lib/systemd/system/graphical.target
|
|
value and key
|
|
New "struct ring" object that implements a basic ring buffer for arbitrary
byte-streams. A new basic runtime test is also added.
This will be needed for our pty helpers for systemd-console and friends.
|
|
Sounds easy, turns out to be horrible to implement: ALIGN_POWER2 returns
the next higher power of 2. clz(0) is undefined, same is true for
left-shift-overflows, yey, C rocks!
|
|
|
|
|
|
|
|
SIGINT/SITERM
|
|
So that we can use it at multiple places.
|
|
Fix minor typo in conf parser
|
|
Add an (optional) "Id" key in the password agent .ask files. The Id is
supposed to be a simple string in "<subsystem>:<target>" form which
is used to provide more information on what the requested passphrase
is to be used for (which e.g. allows an agent to only react to cryptsetup
requests).
(v2: rebased, fixed indentation, escape name, use strappenda)
|
|
|
|
Let's unify generation of unicode chars at one place.
Also, don't add an extra space into chars we print, except for the tree
chars where this is really necessary.
|
|
|
|
|
|
And move it to sperate function.
|
|
Cases where name_to_handle_at is used allocated the full struct to be
MAX_HANDLE_SZ, and assigned this size to handle_bytes. This is wrong
since handle_bytes should describe the length of the flexible array
member and not the whole struct.
Define a union type which includes sufficient padding to allow
assignment of MAX_HANDLE_SZ to be correct.
|
|
|
|
|
|
create_symlink() do not check the return value of unlink(), this may
confuse the user.
Before the unlink() call we check the 'force' argument. If it is not set
we fail with -EEXIST, otherwise we unlink() the file, therefore the next
symlink() should not fail with -EEXIST (do not count races...).
However since callers may not have appropriate privileges to unlink()
the file we lose the -EPERM or any other errno code of unlink(), and
return the -EEXIST of the next symlink(). Fix this by checking unlink()
results.
Before:
$ systemctl --force --root=~/container-03 set-default multi-user.target
Failed to set default target: File exists
After:
$ systemctl --force --root=~/container-03 set-default multi-user.target
Failed to set default target: Permission denied
|
|
The kernel can return pretty much anything there, even though the fd is
closed. Let's not get confused by that.
|
|
The way the kernel namespaces have been implemented breaks assumptions
udev made regarding uevent sequence numbers. Creating devices in a
namespace "steals" uevents and its sequence numbers from the host. It
confuses the "udevadmin settle" logic, which might block until util a
timeout is reached, even when no uevent is pending.
Remove any assumptions about sequence numbers and deprecate libudev's
API exposing these numbers; none of that can reliably be used anymore
when namespaces are involved.
|
|
In contrast to a filename-only argument, find_binary() did not
actually check if an path exists, allowing the code to fail later on.
This was OK, but it seems nicer to treat both paths identically.
Also take advantage of path_make_absolute_cwd doing strdup() by itself
if necessary to simplify.
|
|
Modifies find_binary() to accept NULL in the second argument.
fsck.type lookup logic moved to new fsck_exists() function, with a test.
|
|
greedy_realloc() and greedy_realloc0() now store the allocated
size as the count, not bytes.
Replace GREEDY_REALLOC uses with GREEDY_REALLOC_T everywhere,
and then rename GREEDY_REALLOC_T to GREEDY_REALLOC. It is just
too error-prone to have two slightly different macros which do the
same thing.
|
|
Reported-by: Arnaud Gaboury <arnaud.gaboury@gmail.com>
|