Age | Commit message (Collapse) | Author |
|
a single user so far.
|
|
|
|
|
|
From fd.o bug 88898:
systemd-resolved fails to start:
Failed to drop capabilities: Operation not permitted
Broken in f11943c53ec181829a821c6b27acf828bab71caa.
Drop all capabilities:
1. prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) // 0 when we drop all
capabilities
2. setresuid() // bye bye capabilities
3. Add CAP_SETPCAP // fails because we have no capabilities
4. Reduce capability bounding set
5. Drop capabilities
6. prctl(PR_SET_KEEPCAPS, 0)
Capabilites should always be kept after setresuid() so that the capability
bounding set can be reduced.
Based-on-a-patch-by: mustrumr97@gmail.com
https://bugs.freedesktop.org/show_bug.cgi?id=88898
We must be careful not to leave PR_SET_KEEPCAPS on. We could use the
setresuid() call to drop capabilities, but the rules when capabilities
are dropped are fairly complex, since a transition to non-zero uid must
happen. Let's instead keep the capabilities during setresuid(), and drop
them later.
|
|
If we scale our buffer to be wide enough for the format string, we
should expect that the calculation was correct.
char_array_0() invocations are removed, since snprintf nul-terminates
the output in any case.
A similar wrapper is used for strftime calls, but only in timedatectl.c.
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=87354
|
|
|
|
|
|
|
|
on aarch64
|
|
Both plain opendir() and glob() will bump access time. Privileged
option O_NOATIME can be used to prevent the access time from being
updated. We already used it for subdirectories of the directories
which we were cleaning up. But for the directories specified directly
in the config files, we wouldn't do that. This means that,
paradoxically, our own temporary directories for PrivateTmp would stay
around forever, as long as one let systemd-tmpfiles-clean.service run
regularly, because they had their own glob patterns specified.
https://bugzilla.redhat.com/show_bug.cgi?id=1183684
|
|
|
|
Build would fail when assert was used on the same line in
different files #included together.
https://bugs.freedesktop.org/show_bug.cgi?id=87339
|
|
This is exposed the memory.usage_in_bytes cgroup property on the bus,
and makes "systemctl status" show it in its default output.
|
|
After 3637713a20 it is not necessary anymore.
|
|
With this change the pull protocol implementation processes will pass
progress data to importd which then passes this information on via the
bus. We use sd_notify() as generic transport for this communication,
making importd listen to them, while matching the incoming messages to
the right transfer.
|
|
|
|
shut up
|
|
This is how we call it internally, and also a bit more descriptive.
|
|
For ACLs to be valid, a set of entries for user, group, and other
must be always present. Always add those entries.
While at it, only add the mask ACL if it is actually required, i.e.
when at least on ACL for non-owner group or user exists.
|
|
This is much more useful in practice (equivalent to setfacl -m).
|
|
|
|
int[] should not be used as pid_t[], even if happens to be same thing.
Also deduplicating in a quadratic loop right before sorting is unnecessary.
Remove custom greedy_realloc implementation.
|
|
Types used for pids and uids in various interfaces are unpredictable.
Too bad.
|
|
|
|
gcc 5 started warning about this.
|
|
client to it
The old "systemd-import" binary is now an internal tool. We still use it
as asynchronous backend for systemd-importd. Since the import tool might
require some IO and CPU resources (due to qcow2 explosion, and
decompression), and because we might want to run it with more minimal
priviliges we still keep it around as the worker binary to execute as
child process of importd.
machinectl now has verbs for pulling down images, cancelling them and
listing them.
|
|
syslog priority
This is useful when we execute our own programs, reading output from its
STDERR, and want to retain priority information.
|
|
dpkg itself also uses *.dpkg-dist, while .dpkg-{bak,backup,remove} are being
used by dpkg-maintscript-helper.
|
|
This also adds an initial keyring for the verification, that contains
Ubuntu's and Fedora's key. We should probably add more entries sooner or
later.
|
|
This allows us to reuse a lot more code, and simplify pull-raw
drastically.
|
|
|
|
|
|
linux partition
This should allow running Ubuntu UEFI GPT Images with nspawn,
unmodified.
|
|
than "size"
After all, it's closer to the "du"-reported value than to the file
sizes...
|
|
to target
|
|
|
|
This remove the need for various header files to include the
(relatively heavyweight) util.h.
|
|
|
|
There were two callers, one can use strtod_l() and the other strptime_l().
(David: fix up commit-msg and coding-style)
|
|
|
|
/var/lib/container to /var/lib/machines
Given that this is also the place to store raw disk images which are
very much bootable with qemu/kvm it sounds like a misnomer to call the
directory "container". Hence, let's change this sooner rather than
later, and use the generic name, in particular since we otherwise try to
use the generic "machine" preferably over the more specific "container"
or "vm".
|
|
After all, nspawn can now dissect MBR partition levels, too, hence
".gpt" appears a misnomer. Moreover, the the .raw suffix for these files
is already pretty popular (the Fedora disk images use it for example),
hence sounds like an OK scheme to adopt.
|
|
This adds three kinds of file system locks for container images:
a) a file system lock next to the actual image, in a .lck file in the
same directory the image is located. This lock has the benefit of
usually being located on the same NFS share as the image itself, and
thus allows locking container images across NFS shares.
b) a file system lock in /run, named after st_dev and st_ino of the
root of the image. This lock has the advantage that it is unique even
if the same image is bind mounted to two different places at the same
time, as the ino/dev stays constant for them.
c) a file system lock that is only taken when a new disk image is about
to be created, that ensures that checking whether the name is already
used across the search path, and actually placing the image is not
interrupted by other code taking the name.
a + b are read-write locks. When a container is booted in read-only mode
a read lock is taken, otherwise a write lock.
Lock b is always taken after a, to avoid ABBA problems.
Lock c is mostly relevant when renaming or cloning images.
|
|
We initialize structs during declartion if possible
|
|
"read-only" concept for raw disk images, too
|
|
Unlike some client code suggests...
|
|
|
|
|
|
|