Age | Commit message (Collapse) | Author |
|
New exec boolean MemoryDenyWriteExecute, when set, installs
a seccomp filter to reject mmap(2) with PAGE_WRITE|PAGE_EXEC
and mprotect(2) with PAGE_EXEC.
|
|
networkd-dhcp6: DHCPv6 starting fixes
|
|
core: log cgroup legacy and unified hierarchy setting translations
|
|
Recently added cgroup unified hierarchy support uses "max" in configurations
for no upper limit. While consistent with what the kernel uses for no upper
limit, it is inconsistent with what systemd uses for other controllers such as
memory or pids. There's no point in introducing another term. Update cgroup
unified hierarchy support so that "infinity" is the only term that systemd
uses for no upper limit.
|
|
|
|
Write comments about "too many search domains" and "Total length of all search
domains is too long" just once. Also put it on a separate line, as
resolv.conf(5) only specifies comments in a line by themselves.
This is ugly to do if write_resolv_conf_search() gets called once for every
search domain. So change it to receive the complete OrderedSet instead and do
the iteration by itself.
Add test cases to networkd-test.py.
https://launchpad.net/bugs/1588229
|
|
To accommodate changes in kernel interface, cgroup unified hierarchy support
added several configuration items which overlap with the existing resource
control settings and there is simple config translation between the overlapping
settings to ease the transition. As why certain cgroup knobs are being
configured can become confusing, this patch adds a master warning message which
is printed once when such translation is first used and logs each translation
with a debug message.
v2:
- Switched to log_unit*().
|
|
cgroup_context_apply() and friends take CGroupContext and cgroup path as input
and has no way of getting back to the associated Unit and thus uses raw cgroup
path for logging. This makes the log messages difficult to track down.
There's no reason to avoid passing in Unit into these functions. Pass in Unit
and use log_unit*() instead.
While at it, make cgroup_context_apply(), which has no outside users, static.
Also, drop cgroup path from log messages where the path itself isn't too
interesting and can be easily obtained from the unit.
|
|
For it's silly and unnecessary. Although it was apparently mandated by RFC 2462 in [5.5.2. Absence of Router Advertisements], that has been changed in the same section of RFC 4862, which obsoleted the former RFC.
|
|
Implement sets of system calls to help constructing system call
filters. A set starts with '@' to distinguish from a system call.
Closes: #3053, #3157
|
|
dhcp6_request_address() was merely a function to switch the DHCPv6 client from "stateless" mode to "stateful" mode. It was also a one-way switch. Also, to (re)start the client, we would need to repeat separate function calls.
In this patch, dhcp6_request_address() is made a general starter/manager of the DHCPv6 client. It now takes an extra parameter so we will be specifying which mode the DHCPv6 client should be started in. Also it will keep track of the current mode and compare with the newly requested mode, and only restart the client in case there is a difference between them.
This also makes sure that the DHCPv6 client will be (re)started accordingly as per the Router Advertisement flags.
|
|
systemctl --property doesn't validate if a requested property is valid or not,
and always returns with an exit code of 0, regardless of whether the requested
property exists or not.
How reproducible:
This works fine:
Id=multi-user.target
But put in a non-existing property:
Id=default.targets.service
Id=default.targets.service
0
[root@shou18lkvm8 ~]# systemctl show --property Id this.is.rubbish; echo $?
Id=this.is.rubbish.service
0
After:
sus@maximus bz-95593]$ ./systemctl show --property Id this.is.rubbish; echo $?
Can't display property this.is.rubbish. Unit this.is.rubbish.service does not
exist.
4
fixes #2295
|
|
Now we just using constants for the init script exit status codes.
Replace those error codes with enum so that it's more meaningful
and readable.
|
|
Fixes: 9ed8b06c9be4a5efae432d5cf4b1c47d03e6f107
|
|
This patch implements support for IFLA_BR_VLAN_FILTERING configuration.
|
|
Before:
[sus@maximus bz-1256858]$ systemctl status rsyslog.service;echo $?
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor
preset: enabled)
Drop-In: /etc/systemd/system/rsyslog.service.d
└─50-CPUShares.conf
Active: inactive (dead) since Mon 2016-05-30 11:54:25 IST; 2h 26min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Process: 1159 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited,
status=0/SUCCESS)
Main PID: 1159 (code=exited, status=0/SUCCESS)
May 30 11:07:50 maximus systemd[1]: Starting System Logging Service...
May 30 11:07:50 maximus systemd[1]: Started System Logging Service.
May 30 11:54:25 maximus systemd[1]: Stopping System Logging Service...
May 30 11:54:25 maximus systemd[1]: Stopped System Logging Service.
3
[sus@maximus bz-1256858]$ systemctl status hello.service;echo $?
● hello.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
3
After:
$ ./systemctl status hello.service;echo $?
Failed to dump process list, ignoring: Access denied
● hello.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
4
[sus@maximus bz-1256858]$ ./systemctl status rsyslog.service;echo $?
Failed to dump process list, ignoring: Access denied
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor
preset: enabled)
Drop-In: /etc/systemd/system/rsyslog.service.d
└─50-CPUShares.conf
Active: inactive (dead) since Mon 2016-05-30 11:54:25 IST; 2h 24min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Process: 1159 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited,
status=0/SUCCESS)
Main PID: 1159 (code=exited, status=0/SUCCESS)
May 30 11:07:50 maximus systemd[1]: Starting System Logging Service...
May 30 11:07:50 maximus systemd[1]: Started System Logging Service.
May 30 11:54:25 maximus systemd[1]: Stopping System Logging Service...
May 30 11:54:25 maximus systemd[1]: Stopped System Logging Service.
3
Fixes: 1092
|
|
new worker (#3387)
|
|
The current raw_clone function takes two arguments, the cloning flags and
a pointer to the stack for the cloned child. The raw cloning without
passing a "thread main" function does not make sense if a new stack is
specified, as it returns in both the parent and the child, which will fail
in the child as the stack is virgin. All uses of raw_clone indeed pass NULL
for the stack pointer which indicates that both processes should share the
stack address (so you better don't pass CLONE_VM).
This commit refactors the code to not require the caller to pass the stack
address, as NULL is the only sensible option. It also adds the magic code
needed to make raw_clone work on sparc64, which does not return 0 in %o0
for the child, but indicates the child process by setting %o1 to non-zero.
This refactoring is not plain aesthetic, because non-NULL stack addresses
need to get mangled before being passed to the clone syscall (you have to
apply STACK_BIAS), whereas NULL must not be mangled. Implementing the
conditional mangling of the stack address would needlessly complicate the
code.
raw_clone is moved to a separete header, because the burden of including
the assert machinery and sched.h shouldn't be applied to every user of
missing_syscalls.h
|
|
Remove newlines from drop in format strings + some formatting fixes
|
|
|
|
This reverts part of #3329, but all for a good cause.
|
|
unit_write_drop_in{,_private}{,_format} are all affected.
We already append a header to the file (and section markers), so those functions
can only be used to write a whole file at once. Including the newline at
the end feels natural.
After this commit newlines will be duplicated. They will be removed in
subsequent commit.
Also, rewrap the "autogenerated" header to fit within 80 columns.
|
|
networkd: IPv6 fixes
|
|
Fix multiple unaligned accesses in test-dns-packet and sd-dhcp-server.
|
|
|
|
It's harder to miss the comment without the newline ;)
See https://github.com/systemd/systemd/pull/3336#issuecomment-221749423
for context.
|
|
various sd-Ipv4ll/sd-ipv4acd fixes
|
|
systemctl: return success for set-default, add-wants, add-requires...
|
|
We need to explicitly define authorizations for allow_inactive and
allow_active. Otherwise one is getting "Access denied" when run from a
local console:
$ loginctl enable-linger
Could not enable linger: Access denied
|
|
If an interface is managed as a bridge slave, we don't want any IP configuration for it. Therefore, disable IPv6 in such case.
|
|
When we manage an interface with networkd but not as a slave (i.e. no `Bridge=` or `Bond=` set in its .network), we do not want it to remain slaved.
|
|
|
|
On the unified hierarchy, memory controller implements three control knobs -
low, high and max which enables more useable and versatile control over memory
usage. This patch implements support for the three control knobs.
* MemoryLow, MemoryHigh and MemoryMax are added for memory.low, memory.high and
memory.max, respectively.
* As all absolute limits on the unified hierarchy use "max" for no limit, make
memory limit parse functions accept "max" in addition to "infinity" and
document "max" for the new knobs.
* Implement compatibility translation between MemoryMax and MemoryLimit.
v2:
- Fixed missing else's in config_parse_memory_limit().
- Fixed missing newline when writing out drop-ins.
- Coding style updates to use "val > 0" instead of "val".
- Minor updates to documentation.
|
|
dbus-cgroup fixes
|
|
|
|
|
|
|
|
|
|
|
|
The argument is about capabilities.
|
|
Split seccomp into nspawn-seccomp.[ch]. Currently there are no changes,
but this will make it easy in the future to share or use the seccomp logic
from systemd core.
|
|
Rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible()
to give it the real meaning. This may prevent future modifications that
may introduce bugs.
|
|
Add some special filesystems that should not be shifted, most of them
relate to the host and not to containers.
|
|
We have to pass addresses of changes and n_changes to
bus_deserialize_and_dump_unit_file_changes(). Otherwise we are hit by
missing information (subsequent calls to unit_file_changes_add() to
not add anything).
Also prevent null pointer dereference in
bus_deserialize_and_dump_unit_file_changes() by asserting.
Fixes #3339
|
|
As suggested:
https://github.com/systemd/systemd/pull/3328#discussion-diff-64285764
|
|
Let's use usec_t internally always, when dealing with time values.
Let's use uint8_t* pointers if we are dealing with generic byte pointers.
|
|
Whitespace doesn't hurt and helps structuring things.
|
|
|
|
Let's better check the size before we subtract. Also, let's change the size
argument to size_t, as it cannot be signed anyway.
Finally, use EBADMSG for indicating invalid packets, like we do everywhere
else.
|
|
|