summaryrefslogtreecommitdiff
path: root/units
AgeCommit message (Collapse)Author
2016-06-01./move.shLuke Shumaker
2016-02-11Merge pull request #2581 from evverx/dev-mqueue-condLennart Poettering
units: don't try to mount the mqueue fs if we lack the privileges for it
2016-02-11units: don't try to mount the mqueue fs if we lack the privileges for itEvgeny Vereshchagin
See https://github.com/systemd/systemd/pull/2576#discussion-diff-52592680
2016-02-10units: don't try to mount the FUSE fs if we lack the privileges for itLennart Poettering
See: https://lists.freedesktop.org/archives/systemd-devel/2016-February/035740.html
2016-02-10coredump: rework coredumping logicLennart Poettering
This reworks the coredumping logic so that the coredump handler invoked from the kernel only collects runtime data about the crashed process, and then submits it for processing to a socket-activate coredump service, which extracts a stacktrace and writes the coredump to disk. This has a number of benefits: the disk IO and stack trace generation may take a substantial amount of resources, and hence should better be managed by PID 1, so that resource management applies. This patch uses RuntimeMaxSec=, Nice=, OOMScoreAdjust= and various sandboxing settings to ensure that the coredump handler doesn't take away unbounded resources from normally priorized processes. This logic is also nice since this makes sure the coredump processing and storage is delayed correctly until /var/systemd/coredump is mounted and writable. Fixes: #2286
2016-02-09Merge pull request #2565 from poettering/fix-2315Zbigniew Jędrzejewski-Szmek
2016-02-09units: downgrade dependency on /tmp in basic.target to Wants=Lennart Poettering
Now that requiring of a masked unit results in failure again, downgrade the dependency on /tmp to Wants= again, so that our suggested way to disable /tmp-on-tmpfs by masking doesn't result in a failing boot. References: #2315
2016-02-05Fix typo in rescue shellIndrajit Raychaudhuri
2016-01-22Merge pull request #2331 from yuwata/journal-remote-unit-v2Daniel Mack
journal-remote: add SupplementaryGroups to systemd-journal-upload.service
2016-01-17units: don't fail if /root doesn't exist for shell unitsLennart Poettering
As discussed on the ML: http://lists.freedesktop.org/archives/systemd-devel/2016-January/035594.html
2016-01-15journal-remote: add SupplementaryGroups to systemd-journal-upload.serviceYu Watanabe
2016-01-11kmod-static-nodes: don't run if module list is emptyMartin Pitt
With this kmod commit, modules.devname will be empty by default instead of containing just a comment: https://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=4c30a11d5f Refine the startup condition of kmod-static-nodes.service to not run needlessly if the list is empty.
2015-12-15journal-remote: add documents in the unit filesYu Watanabe
2015-11-22Set user@.service TasksMax=infinityJan Alexander Steffens (heftig)
The user manager is still limited by its parent slice user-UID.slice, which defaults to 4096 tasks. However, it no longer has an additional limit of 512 tasks. Fixes #1955.
2015-11-16nspawn: set TasksMax= for containers to 8192 by defaultLennart Poettering
2015-11-12core: remove SmackFileSystemRootLabel= againLennart Poettering
Apparently, util-linux' mount command implicitly drops the smack-related options anyway before passing them to the kernel, if the kernel doesn't know SMACK, hence there's no point in duplicating this in systemd. Fixes #1696
2015-11-11units: fix system.slice to require -.slice, instead of just want itLennart Poettering
2015-11-03journal: restore watchdog supportLennart Poettering
2015-11-03Merge pull request #1726 from teg/networkd-2Daniel Mack
networkd: (de)serialize more state and support expiring routes
2015-11-01journald: never block when sending messages on NOTIFY_SOCKET socketLennart Poettering
Otherwise we might run into deadlocks, when journald blocks on the notify socket on PID 1, and PID 1 blocks on IPC to dbus-daemon and dbus-daemon blocks on logging to journald. Break this cycle by making sure that journald never ever blocks on PID 1. Note that this change disables support for event loop watchdog support, as these messages are sent in blocking style by sd-event. That should not be a big loss though, as people reported frequent problems with the watchdog hitting journald on excessively slow IO. Fixes: #1505.
2015-10-30networkd: route - track routesTom Gundersen
2015-10-26core: rename SmackFileSystemRoot= to SmackFileSystemRootLabel=Lennart Poettering
That way it's in sync with the other SMACK label settings. https://github.com/systemd/systemd/pull/1664#issuecomment-150891270
2015-10-24units: add 'SmackFileSystemRoot=*' option into tmp.mountSangjung Woo
If SMACK is enabled, 'smackfsroot=*' option should be specified when /tmp is mounted since many non-root processes use /tmp for temporary usage. If not, /tmp is labeled as '_' and smack denial occurs when writing. In order to do that, 'SmackFileSystemRoot=*' is newly added into tmp.mount.
2015-10-22units: also whitelist "blkext" block devices for nspawn serviceLennart Poettering
/dev/loop*p* block devices are of the "blkext" subsystem, not of loop, hence whitelist this too. Fixes #1446
2015-10-18Revert "units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled"Kay Sievers
This reverts commit 409c2a13fd65692c611b7bcaba12e908ef7cf1e5. It breaks the bootup of systems which enable smack at compile time, but have no smack enabled in the kernel. This needs a different solution.
2015-10-15units: .gitignore: units - ignore tmp.mountTom Gundersen
This is a follow-up to 409c2a13fd656.
2015-10-15Merge pull request #1572 from again4you/devel/tmp-smackLennart Poettering
units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled
2015-10-15units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabledSangjung Woo
If SMACK is enabled, 'smackfsroot=*' option should be specified in tmp.mount file since many non-root processes use /tmp for temporary usage. If not, /tmp is labeled as '_' and smack denial occurs when writing.
2015-10-14unit: remove [Install] section from the user exit.target unitLennart Poettering
There's no concept of ctrl-alt-del for user systemd instances, hence don't suggest it woud make sense to symlink the unit to it. Fixes #1525.
2015-10-06Merge pull request #1468 from poettering/fdnamesTom Gundersen
Add support for naming fds for socket activation and more
2015-10-06unit: give systemd-networkd.socket a better descriptionLennart Poettering
Usually we try to properly uppercase first characters in the description, do so here, too. Also, keep it close to the string used in systemd-networkd.service.
2015-10-03nspawn: fix --image= when nspawn is run as serviceLennart Poettering
nspawn needs access to /dev/loop to implement --image=, hence grant that in the service file. Fixes #1446.
2015-10-01rfkill: rework and make it listen on /dev/rfkillLennart Poettering
With this rework we introduce systemd-rfkill.service as singleton that is activated via systemd-rfkill.socket that listens on /dev/rfkill. That way, we get notified each time a new rfkill device shows up or changes state, in which case we restore and save its current setting to disk. This is nicer than the previous logic, as this means we save/restore state even of rfkill devices that are around only intermittently, and save/restore the state even if the system is shutdown abruptly instead of cleanly. This implements what I suggested in #1019 and obsoletes it.
2015-09-29machine-id-commit: merge machine-id-commit functionality into machine-id-setupLennart Poettering
And remove machine-id-commit as separate binary. There's really no point in keeping this separate, as the sources are pretty much identical, and have pretty identical interfaces. Let's unify this in one binary. Given that machine-id-commit was a private binary of systemd (shipped in /usr/lib/) removing the tool is not an API break. While we are at it, improve the documentation of the command substantially.
2015-09-29units: increase watchdog timeout to 3min for all our servicesLennart Poettering
Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services. See #1353 for an example where this triggers.
2015-09-23units: run ldconfig also when cache is unpopulatedMichal Sekletar
2015-09-21containers: systemd exits with non-zero codeAlban Crequy
When a systemd service running in a container exits with a non-zero code, it can be useful to terminate the container immediately and get the exit code back to the host, when systemd-nspawn returns. This was not possible to do. This patch adds the following to make it possible: - Add a read-only "ExitCode" property on PID 1's "Manager" bus object. By default, it is 0 so the behaviour stays the same as previously. - Add a method "SetExitCode" on the same object. The method fails when called on baremetal: it is only allowed in containers or in user session. - Add support in systemctl to call "systemctl exit 42". It reuses the existing code for user session. - Add exit.target and systemd-exit.service to the system instance. - Change main() to actually call systemd-shutdown to exit() with the correct value. - Add verb 'exit' in systemd-shutdown with parameter --exit-code - Update systemctl manpage. I used the following to test it: | $ sudo rkt --debug --insecure-skip-verify run \ | --mds-register=false --local docker://busybox \ | --exec=/bin/chroot -- /proc/1/root \ | systemctl --force exit 42 | ... | Container rkt-895a0cba-5c66-4fa5-831c-e3f8ddc5810d failed with error code 42. | $ echo $? | 42 Fixes https://github.com/systemd/systemd/issues/1290
2015-09-06units: make sure that .nspawn files override the default settings in ↵Lennart Poettering
systemd-nspawn@.service
2015-09-04bus-proxy: increase NOFILE limitDavid Herrmann
The bus-proxy manages the kdbus connections of all users on the system (regarding the system bus), hence, it needs an elevated NOFILE. Otherwise, a single user can trigger ENFILE by opening NOFILE connections to the bus-proxy. Note that the bus-proxy still does per-user accounting, indirectly via the proxy/fake API of kdbus. Hence, the effective per-user limit is not raised by this. However, we now prevent one user from consuming the whole FD limit of the shared proxy. Also note that there is no *perfect* way to set this. The proxy is a shared object, so it needs a larger NOFILE limit than the highest limit of all users. This limit can be changed dynamically, though. Hence, we cannot protect against it. However, a raised NOFILE limit is a privilege, so we just treat it as such and basically allow these privileged users to be able to consume more resources than normal users (and, maybe, cause some limits to be exceeded by this). Right now, kdbus hard-codes 1024 max connections per user on each bus. However, we *must not* rely on this. This limits could be easily dropped entirely, as the NOFILE limit is a suitable limit on its on.
2015-08-04bus-proxy: add ExecReload=David Herrmann
Make sure we support ExecReload= for bus-proxyd to reload configuration during runtime. This is *really* handy when hacking on kdbus. Package-managers are still recommended to run `busctl --address=unix:path=` directly.
2015-07-27terminal: drop unfinished codeDavid Herrmann
This drops the libsystemd-terminal and systemd-consoled code for various reasons: * It's been sitting there unfinished for over a year now and won't get finished any time soon. * Since its initial creation, several parts need significant rework: The input handling should be replaced with the now commonly used libinput, the drm accessors should coordinate the handling of mode-object hotplugging (including split connectors) with other DRM users, and the internal library users should be converted to sd-device and friends. * There is still significant kernel work required before sd-console is really useful. This includes, but is not limited to, simpledrm and drmlog. * The authority daemon is needed before all this code can be used for real. And this will definitely take a lot more time to get done as no-one else is currently working on this, but me. * kdbus maintenance has taken up way more time than I thought and it has much higher priority. I don't see me spending much time on the terminal code in the near future. If anyone intends to hack on this, please feel free to contact me. I'll gladly help you out with any issues. Once kdbus and authorityd are finished (whenever that will be..) I'll definitely pick this up again. But until then, lets reduce compile times and maintenance efforts on this code and drop it for now.
2015-07-27units: add more caps to machinedLennart Poettering
Otherwise copying full directory trees between container and host won't work, as we cannot access some fiels and cannot adjust the ownership properly on the destination. Of course, adding these many caps to the daemon kinda defeats the purpose of the caps lock-down... but well... Fixes #433
2015-07-23units: order networkd after sysctlTom Gundersen
This way networkd will correctly and race-freely inherit the default settings applied by sysctl. Suggested in issue #468.
2015-07-10units: emergency.service: wait for plymouth to shut downMartin Pitt
Merely calling "plymouth quit" isn't sufficient, as plymouth needs some time to shut down. This needs plymouth --wait (which is a no-op when it's not running). Fixes invisible emergency shell with plymouth running endlessly. https://launchpad.net/bugs/1471258
2015-06-17turn kdbus support into a runtime optionKay Sievers
./configure --enable/disable-kdbus can be used to set the default behavior regarding kdbus. If no kdbus kernel support is available, dbus-dameon will be used. With --enable-kdbus, the kernel command line option "kdbus=0" can be used to disable kdbus. With --disable-kdbus, the kernel command line option "kdbus=1" is required to enable kdbus support.
2015-06-09Revert "hwdb: actually search /run/udev/hwdb.d"Lennart Poettering
2015-06-09hwdb: actually search /run/udev/hwdb.dPeter Hutterer
The documentation claims hwdb entries may be placed in the volatile /run/udev/hwdb.d directory but nothing actually looked at it.
2015-05-29udevd: hook up watchdog supportTom Gundersen
We are already sending watchdog notification, this tells PID1 to actually listen for them and restart udevd in case it gets stuck.
2015-05-20units: conditionalize audit multicast socket on CAP_AUDIT_READLennart Poettering
The multicast logic can only work if the capability is available, hence require it.
2015-05-19units: make sure systemd-nspawn@.slice instances are actually located in ↵Lennart Poettering
machine.slice https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX