Age | Commit message (Collapse) | Author |
|
|
|
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero, /dev/random, but not any physical devices in them.
|
|
|
|
Before, journald would remove journal files until both MaxUse= and
KeepFree= settings would be satisfied. The first one depends (if set
automatically) on the size of the file system and is constant. But
the second one depends on current use of the file system, and a spike
in disk usage would cause journald to delete journal files, trying to
reach usage which would leave 15% of the disk free. This behaviour is
surprising for the user who doesn't expect his logs to be purged when
disk usage goes above 85%, which on a large disk could be some
gigabytes from being full. In addition attempting to keep 15% free
provides an attack vector where filling the disk sufficiently disposes
of almost all logs.
Instead, obey KeepFree= only as a limit on adding additional files.
When replacing old files with new, ignore KeepFree=. This means that
if journal disk usage reached some high point that at some later point
start to violate the KeepFree= constraint, journald will not add files
to go above this point, but it will stay (slightly) below it. When
journald is restarted, it forgets the previous maximum usage value,
and sets the limit based on the current usage, so if disk remains to
be filled, journald might use one journal-file-size less on each
restart, if restarts happen just after rotation. This seems like a
reasonable compromise between implementation complexity and robustness.
|
|
|
|
|
|
- turn strv_merge into strv_extend_strv.
appending strv b to the end of strv a instead of creating a new strv
- strv_append: remove in favor of strv_extend and strv_push.
- strv_remove: write slightly more elegant
- strv_remove_prefix: remove unused function
- strv_overlap: use strv_contains
- strv_printf: STRV_FOREACH handles NULL correctly
|
|
|
|
|
|
when pid is set to 0 use /proc/self
|
|
This reverts commit 4cd1214db6cf4b262e8ce6381bc710091b375c96.
This may still be fixed in the kernel, revert this for now until
we see how it all shakes out.
|
|
When DEVTYPE is not set for a nic, it means it is a wired/ethernet
device.
|
|
Unfortunately a different cleanup function is necessary per type,
because cap_t** and char** are incompatible with void**.
|
|
It is nicer to predefine patterns using configure time check instead of
using casts everywhere.
Since we do not need to use any flags, include "%" in the format instead
of excluding it like PRI* macros.
|
|
|
|
Remove redundant messages, add some debugging ones and make wording more uniform.
|
|
Before 34a3baa4d 'sleep-config: Dereference pointer before check for NULL'
oom conditions would not be detected properly. After that commit, a double
free was performed.
Rework the whole function to be easier to understand, and also replace
strv_split_nulstr with strv_new, since we know the strings anyway.
|
|
This fixes a bug pointed out by http://css.csail.mit.edu/stack/
(Optimization-unstable code)
It is a similar fix as f146f5e159 (2013-12-30, core:
Forgot to dereference pointer when checking for NULL)
To explain this bug consider the following similar, but simpler code:
if (!p)
free(*p)
Assume the if condition evaluates to true, then we will access *p,
which means the compiler can assume p is a valid pointer, so it could
dereference p and use the value *p.
Assuming p as a valid pointer, !p will be false.
But initally we assumed the condition evaluates to true.
By this reasoning the optimizing compiler can deduce, we have dead code.
("The if will never be taken, as *p must be valid, because otherwise
accessing *p inside the if would segfault")
This led to an error message of the static code checker, so I checked the
code in question.
As we access *modes and *states before the check in the changed line of
this patch, I assume the line to be wrong and we actually wanted to check
for *modes and *states being both non null.
|
|
compat parser
|
|
Suggested-by: Russ Allbery <rra@debian.org>
|
|
|
|
Even if the lower-leveld dbus1 protocol calls it "serial", let's expose
the word "cookie" for this instead, as this is what kdbus uses and since
it doesn't imply monotonicity the same way "serial" does.
|
|
|
|
socket-activated services
|
|
Since 0c6f1f4ea49 the check was useless, because the kernel will
ever only write "partition" or "file" there.
OTOH, it is possible that "\\040(deleted)" (escaped " (deleted)")
will be added for removed files. This should not happen, so add
a warning to detect those cases.
|
|
before parsing
|
|
including it in the log strings
|
|
|
|
Introduce new call getpeercred() which internally just uses SO_PEERCRED
but checks if the returned data is actually useful due to namespace
quirks.
|
|
then read message
There's no EOF generated for AF_UNIX/SOCK_DGRAM sockets, hence let's
wait for the child first to see if it succeeded, only then read the socket.
|
|
instead
|
|
|
|
Let's try to standardize on a single non-cryptographic hash algorithm,
and for that SipHash appears to be the best answer.
With this change there are two other hash functions left in systemd: an
older version of MurmurHash embedded into libudev for the bloom filters
in udev messages (which is hard to update, given that the we probably
should stay compatible with older versions of the library). And lookup3
in the journal files (which we could replace for new files, but which is
probably not worth the work).
|
|
|
|
Units from user services underneath user@.service would not be detected
properly.
|
|
SipHash appears to be the new gold standard for hashing smaller strings
for hashtables these days, so let's make use of it.
|
|
|
|
|
|
This fixes rm_rf_children_dangerous to detect errors during directory
reading. Previously, it could dereference an uninitialized pointer.
|
|
The old code incorrectly assumed that readdir_r updates errno.
|
|
|
|
For a user, the timeout of 1 min per message seems equivalent to a hang.
If journald cannot process a message from PID1 for 10 ms then something
is significantly wrong. It's better to lose the message and continue.
|
|
|
|
|
|
This reverts commit e7d43b3cc30764138c90eaaf95d3d8f49e448890.
This broke the console terminal when booting up a container, so let's
not do this.
|
|
|
|
reconnect
|
|
Instead, force reopen it only if we really really have to.
|
|
In some circumstances, for example when start-up times out we
immediately jump into the final state, at which point we still should
try to watch the main pid so that the SIGCHLD allows us to quickly
move into dead state.
|
|
activated
|