| Age | Commit message (Collapse) | Author |
|---|
|
Fixes: #3870
|
|
|
|
Let's make sure that our loopback files remain sparse, hence let's set
"discard" as mount option on file systems that support it if the backing device
is a loopback.
|
|
Make the underlining between the header and the body and between the units of
different types span the whole width of the table.
Let's never make the table wider than necessary (which is relevant due the
above).
When space is limited and we can't show the full ID or description string
prefer showing the full ID over the full description. The ID is after all
something people might want to copy/paste, while the description is mostly just
helpful decoration.
|
|
If we turn on red color for the active column and it is not combined with
underlining, then we need to turn it off explicitly afterwards. Do that.
|
|
Let's place only one ternary operator.
|
|
Let's only check for eof once after the fgets(). There's no point in checking
EOF before the first read, and twice in each loop.
|
|
|
|
This way, we can get rid of a label/goto.
|
|
Let's make missing write access to /proc/sys non-fatal to the sysctl service.
This is a follow-up to 411e869f497c7c7bd0688f1e3500f9043bc56e48 which altered
the condition for running the sysctl service to check for /proc/sys/net being
writable, accepting that /proc/sys might be read-only. In order to ensure the
boot-up stays clean in containers lower the log level for the EROFS errors
generated due to this.
|
|
|
|
Now that have a proper concept of "perpetual" units, let's make the root mount
one too, since it also cannot go away.
|
|
So far "no_gc" was set on -.slice and init.scope, to units that are always
running, cannot be stopped and never exist in an "inactive" state. Since these
units are the only users of this flag, let's remodel it and rename it
"perpetual" and let's derive more funcitonality off it. Specifically, refuse
enqueing stop jobs for these units, and report that they are "unstoppable" in
the CanStop bus property.
|
|
(#4533)
Always initialize the supplementary groups of caller before checking the
unit SupplementaryGroups= option.
Fixes https://github.com/systemd/systemd/issues/4531
|
|
Switch drivers uses phys_port_name attribute to pass front panel port
name to user. Use it to generate netdev names.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
|
"Secondary arch" table for mips is entirely speculative…
|
|
Lustre is also a remote file system that wants the network to be up before it is mounted.
|
|
This introduces a new option, `tcrypt-veracrypt`, that sets the
corresponding VeraCrypt flag in the flags passed to cryptsetup.
|
|
A pendant for #4481.
|
|
seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
|
|
Document NoNewPrivileges default value
|
|
|
|
Suggested by @keszybz in #4488.
|
|
core: improve mount namespace and working directory setup
|
|
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
|
|
|
|
This makes applying groups after applying the working directory, this
may allow some flexibility but at same it is not a big deal since we
don't execute or do anything between applying working directory and
droping groups.
|
|
Improve apply_working_directory() and lets get the current working directory
inside of it.
|
|
|
|
|
|
We updated 'fn' but checked 'v' instead.
From 698c5a17
Spotted with PVS
|
|
Fix some formatting details in the merge.
|
|
Rewrite the function to be slightly simpler. In particular, if a specific
match is found (like ConditionVirtualization=yes), simply return an answer
immediately, instead of relying that "yes" will not be matched by any of
the virtualization names below.
No functional change.
|
|
|
|
This can be useful to silence warnings about units which fail in userns
container.
|
|
Various things don't work when we're running in a user namespace, but it's
pretty hard to reliably detect if that is true.
A function is added which looks at /proc/self/uid_map and returns false
if the default "0 0 UINT32_MAX" is found, and true if it finds anything else.
This misses the case where an 1:1 mapping with the full range was used, but
I don't know how to distinguish this case.
'systemd-detect-virt --private-users' is very similar to
'systemd-detect-virt --chroot', but we check for a user namespace instead.
|
|
Invalid IP addresses would be passed through as-is:
$ networkctl status wlp3s0:
● 2: wlp3s0
Link File: /usr/lib/systemd/network/99-default.link
Network File: /etc/systemd/network/wlp3s0.network
Type: wlan
State: routable (configured)
Path: pci-0000:03:00.0
Driver: iwlwifi
Vendor: Intel Corporation
Model: Centrino Advanced-N 6205 [Taylor Peak] (Centrino Advanced-N 6205 AGN)
HW Address: XXXXXXXXXX (Intel Corporate)
Address: 192.168.2.103
XXXXXXXXXXX
Gateway: 192.168.2.1 (Arcadyan Technology Corporation)
DNS: 127.0.0.5553
Instead verify that DNS= has a valid list of addresses when parsing configuration.
Fixes #4462.
|
|
shmat(..., SHM_EXEC) can be used to create writable and executable
memory, so let's block it when MemoryDenyWriteExecute is set.
|
|
Check if values filled up by KD_FONT_OP_GET ioctl make sense -
dummy driver for example doesn't implement required functionality
at all.
|
|
two minor systemctl memleak fixes
|
|
In case of running test-execute on systems with systemd < v232, several
tests like privatedevices or protectkernelmodules fail because
/run/systemd/inaccessible/ doesn't exist. In these cases, we should skip
tests to avoid unnecessary errors.
See also https://github.com/systemd/systemd/pull/4243#issuecomment-253665566
|
|
(Also, let's not use the binary |= operator on "bool" variables).
Fix-up for 93a0884126146361ca078ec627da2cf766205a1c.
|
|
various nss module/resolved fixes
|
|
Various seccomp fixes and NEWS update.
|
|
Properly synthesize -.slice and init.scope
|
|
|
|
callbacks
Previously, we'd synthesize the root slice unit and the init scope unit in the
enumerator callbacks for the unit type. This is problematic if either of them
is already referenced from a unit that is loaded as result of another unit
type's enumerator logic.
Let's clean this up and simply create the two objects from the enumerator
callbacks, if they are not around yet. Do the actual filling in of the settings
from the unit_load() callbacks, to match how other units are loaded.
Fixes: #4322
|
|
Let's tighten the cases when our module returns NSS_STATUS_NOTFOUND. Let's do
so only if we actually managed to talk to resolved. In all other cases stick to
NSS_STATUS_UNAVAIL as before, as it clearly indicates that our module or the
system is borked, and the "dns" fallback should really take place.
In particular this fixes the 2nd-level fallback from our own dlopen() based
fallback handling. In this case we really should return UNAVAIL so that the
caller can apply its own fallback still.
Fix-up for d7247512a904f1dd74125859d8da66166c2a6933.
Note that our own dlopen() based fallback is pretty much redundant now if
nsswitch.conf is configured like this:
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
In a future release we should probably drop our internal fallback then, in
favour of this nsswitch.conf-based one.
|
|
Fix-up for #4164
|
|
This validates the system call set table and many of our seccomp-util.c APIs.
|
