Age | Commit message (Collapse) | Author |
|
(#4296)
The udev builtin command `net_setup_link` requires AF_INET and AF_INET6.
Fixes #4293.
|
|
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.
Specifically:
- Turn on RestrictRealtime=yes for all of them
- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
them
- Turn on RestrictAddressFamilies= for all of them, but different sets of
address families for each
Also, always order settings in the unit files, that the various sandboxing
features are close together.
Add a couple of missing, older settings for a numbre of unit files.
Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
|
|
udevd already limits its number of workers/children: the max number is actually
twice the number of CPUs the system is using.
(The limit can also be raised with udev.children-max= kernel command line
option BTW).
On some servers, this limit can easily exceed the maximum number of tasks that
systemd put on all services, which is 512 by default.
Since udevd has already its limitation logic, simply disable the static
limitation done by TasksMax.
|
|
Apparently, disk IO issues are more frequent than we hope, and 1min
waiting for disk IO happens, so let's increase the watchdog timeout a
bit, for all our services.
See #1353 for an example where this triggers.
|
|
We are already sending watchdog notification, this tells PID1 to actually listen for
them and restart udevd in case it gets stuck.
|
|
The daemons should really have the time to kill the workers first,
before systemd does it, hence use KillMode=mixed for these daemons.
https://bugs.freedesktop.org/show_bug.cgi?id=90051
|
|
udev-trigger
Let's move the hwdb regeneration a bit later. Given that hwdb is
non-essential it should be OK to allow udev to run without it until we
do the full trigger.
http://lists.freedesktop.org/archives/systemd-devel/2015-April/030074.html
|
|
|
|
Only when necessary of course, nicely guarded with the new
ConditionNeedsUpdate= condition we added.
|
|
logind needs access to /run/user/, udevd fails during early boot
with these settings
|
|
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
|
|
Keep mounts done by udev rules private to udevd. Also, document how
MountFlags= may be used for this.
|
|
As of kmod v14, it is possible to export the static node information from
/lib/modules/`uname -r`/modules.devname in tmpfiles.d(5) format.
Use this functionality to let systemd-tmpfilesd create the static device nodes
at boot, and drop the functionality from systemd-udevd.
As an effect of this we can move from systemd-udevd to systemd-tmpfiles-setup-dev:
* the conditional CAP_MKNOD (replaced by checking if /sys is mounted rw)
* ordering before local-fs-pre.target (see 89d09e1b5c65a2d97840f682e0932c8bb499f166)
|
|
Not that it would matter much, but let's make things a bit more
systematic: early boot services shall order themselves before
sysinit.target, and nothing else.
|
|
static nodes (like /dev/loop-control) are created when systemd-udevd
is started and needed to mount loopback devices. Therefore,
local-fs-pre.target should be only started after systemd-udevd is
started.
|
|
|
|
These services should be restarted as quickly as possible if they fail,
and the extra safety net of the holdoff time is not necessary.
|
|
This naming convention is more inline with other systemd daemon
unit names (systemd-logind.service, systemd-localed.service etc)
The companion .socket units have also been renamed, however the
-trigger and -settle units keep their current name as these are
not directly related to daemon process itself.
|