Age | Commit message | Author |
|
machined and sd-bus container fixes
|
|
inspired by http://people.redhat.com/~rjones/virt-what/
see:
* http://git.annexia.org/?p=virt-what.git;a=blob;f=virt-what.in;h=a5ed33ef3e4bfa3281c9589eccac4d92dff1babe;hb=HEAD#l200
* http://git.annexia.org/?p=virt-what.git;a=blob;f=virt-what.in;h=a5ed33ef3e4bfa3281c9589eccac4d92dff1babe;hb=HEAD#l253
|
|
Getting rid of FOREACH_WORD_QUOTED and some more cleanup in config_parse_cpu_affinity2
|
|
selinux: always use *_raw API from libselinux
|
|
We should never connect to the host bus as fallback if connecting to a
container failed via one method. Otherwise connecting to a dbus1
container will always result in a connection to the host.
|
|
We rely on the correct error used when opening the kdbus device node,
hence let's make sure we pass it up from the namespaced child process to
the process which actually wants to connect.
|
|
The call is like ptsname() but does not assume the pty path was
accessible in the local namespace. It uses the same internal ioctl
though.
|
|
It makes assumptions about the pty path, hence better call it in the
container namespace rather than the host.
|
|
|
|
More cgroup fixes
|
|
Getting rid of FOREACH_WORD_QUOTED in config_parse_join_controllers
|
|
When the user wants to explicitly send our own PID a signal, then do so.
Don't follow up SIGABRT with a SIGHUP if send_sighup is enabled. At that
point the process should have segfaulted, hence there's no point in
following up with a SIGHUP.
Send only termination signals to ourselves, never KILL or ABRT signals.
|
|
|
|
Always say when we ignore errors. Cast calls whose return value we
knowingly ignore to (void). Use "bool" where we actually mean a boolean,
even if we return it as an int later on.
|
|
It's cheaper than going to cgroupfs, and also usually the better choice
since it's not racy and can map PIDs even if they were moved to a
different unit.
|
|
|
|
|
|
In all cases where the function (or cg_is_empty_recursive()) is used, ignoring
the calling process is actually wrong, as a process keeps a cgroup busy
regardless of whether it's the current one or another. Hence, let's simplify
things and drop the "ignore_self" parameter.
|
|
A number of simplifications and adjustments to bring things closer to our
coding style.
|
|
We really should care for all cgroups, and not allow hidden ones.
|
|
It won't work anyway.
|
|
tree-wide: do not shadow the global var timezone
|
|
|
|
The legacy cgroup hierarchy does not support reliable empty
notifications in containers and if there are left-over subgroups in a
cgroup. This makes it hard to correctly wait for them to run empty, and
thus we previously disabled this logic entirely.
With this change we explicitly check for the container case, and whether
the unit is a "delegation" unit (i.e. one where programs may create
their own subgroups). If we are neither in a container, nor operating on
a delegation unit cgroup empty notifications become reliable and thus we
start waiting for the empty notifications again.
This doesn't really fix the general problem around cgroup notifications
but reduces the effect around it.
(This also reorders #include lines by their focus, as suggested in
CODING_STYLE. We have to add "virt.h", so let's do that at the right
place.)
Also see #317.
|
|
|
|
|
|
Rework the "service is good" check, to only check the cgroup state if we
really need to instead of always.
This allows us to suppress going to the cgroupfs for an empty check for
the majority of services.
No functional change.
|
|
Instead, remember that we have already written it.
|
|
Let's return ENXIO whenever we don't know something rather than ENOENT.
ENOENT suggests this was really about a file or directory, while ENXIO
is a more generic "not found" indicator.
|
|
|
|
Like we do it pretty much everywhere else.
|
|
When mcstransd* is running, non-raw functions will return a translated SELinux
context. The problem is that libselinux will cache this information and in the
future it will return the same context even though mcstransd may not be running at
that time. If you then check such a context against the SELinux policy,
selinux_check_access may fail depending on whether mcstransd is running or not.
To work around this problem/bug in libselinux, we should always get the raw context
instead. Most users will not notice because the result of the access check is logged
only in debug mode.
* SELinux context translation service, which translates labels to a human
readable form
|
|
networkd: add support for tunnel encap limit
|
|
On Dell and HP laptops the dock state/events (SW_DOCK) come from the "{Dell,HP}
WMI hotkeys" input devices. Tag them as power-switch so that login actually
considers them. Use a general match in case this affects other vendors, too.
Thanks to Andreas Schultz for debugging this!
https://launchpad.net/bugs/1450009
|
|
Related to the TODO item to replace FOREACH_WORD_QUOTED with it.
Tested by setting `JoinControllers=cpu,cpuacct,memory net_cls,blkio' in
/etc/systemd/system.conf, rebooting the system with the patched binaries
and checking that the desired setup was created by inspecting the
entries under /sys/fs/cgroup.
No regressions observed in test cases.
|
|
Make use of it in config_parse_cpu_affinity2.
Tested by tweaking the `CPUAffinity' setting in /etc/systemd/system.conf
and reloading the daemon to confirm it is working as expected.
No regressions observed in test cases.
|
|
Related to the TODO item to replace FOREACH_WORD_QUOTED with it.
Tested by setting `CPUAffinity=0 1' (and other similar settings) in
/etc/systemd/system.conf, booting the system with the patched binaries
(and also using `systemctl daemon-reload` to reconfigure) and checking
that /proc/1/status indicates only CPUs 0 and 1 are allowed for PID 1.
No regressions observed in test cases.
|
|
dhcp-server: make pool configurable
|
|
The constraint we place on the pool is that it is a contiguous
sequence of addresses in the same subnet as the server address, not
including the subnet nor broadcast addresses, but possibly including
the server address itself. If the server address is included in the
pool it is (obviously) reserved and not handed out to clients.
|
|
Don't restrict yourselves to 32 leases, simply manage the whole subnet by default.
|
|
Merge sd_dhcp_server_set_address() and sd_dhcp_server_set_lease_pool() into
sd_dhcp_server_configure_pool() as the behavior of the two former depends
on the order they are called in. The flexibility is not needed, so let's
just do this in one call.
|
|
dbus-1.10 was just released, including systemd units to run
`dbus-daemon --session` as systemd user unit. This allows using a
user-bus with dbus1, just like we do per default with kdbus.
All the dbus libraries have already been fixed long ago to use the
user-bus as default. Hence, there's no need to set
DBUS_SESSION_BUS_ADDRESS= if we use the user-bus. However, gdm and
friends continue to spawn a session bus if this variable is not set
(instead of checking for the existence of the user-bus). Hence, we force
the user-bus, if it is available, in pam_systemd. Once gdm and friends
are fixed, we can continue to drop this again. However, that might take
a while.
With this in place, all that is needed to make the user-bus work is:
`systemctl --global enable dbus.socket`
If dbus.socket is not enabled, the legacy session-bus is still used.
Based on a patch by: Jan Alexander Steffens <jan.steffens@gmail.com>
|
|
Never report errors twice.
|
|
Let's help users to debug issues with epoll fd removal by printing the
name of the event source.
|
|
Make sure to show it as "/" rather than an empty string.
|
|
Otherwise we might attempt to remove a non-existing fd from epoll.
|
|
|
|
When showing the number of tasks in a cgroup, recursively count tasks in
child cgroups and include them in the number. This ensures that the
number of tasks is cumulative in the same way as memory, cpu and IO
resources are.
Old behaviour can be restored by passing the new --recursive=no switch.
|
|
However, allow them to be counted in by specifying -k
|
|
|