path: root/units
Age | Commit message | Author
2016-11-29 | units: add system-update-cleanup.service to guard against offline-update loops | Zbigniew Jędrzejewski-Szmek
Note: the name is "system-update-cleanup.service" rather than "system-update-done.service", because it should not run normally, and also because there's already "systemd-update-done.service", and having them named so similarly would be confusing.
In https://bugzilla.redhat.com/show_bug.cgi?id=1395686 the system repeatedly entered system-update.target on boot. Because of a packaging issue, the tool that created the /system-update symlink could be installed without the service unit that was supposed to perform the upgrade (and remove the symlink).
In fact, if there are no units in system-update.target, and /system-update symlink is created, systemd always "hangs" in system-update.target. This is confusing for users, because there's no feedback about what is happening, and fixing this requires starting an emergency shell somehow, and also knowing that the symlink must be removed.
We should be more resilient in this case, and remove the symlink automatically ourselves, if there is no upgrade service to handle it.
This adds a service which is started after system-update.target is reached and the symlink still exists. It nukes the symlink and reboots the machine. It should subsequently boot into the default default.target.
This is a more general fix for https://bugzilla.redhat.com/show_bug.cgi?id=1395686 (the packaging issue was already fixed).
2016-11-29 | man: update the description of offline updates | Zbigniew Jędrzejewski-Szmek
- use "service" instead of "script", because various offline updaters that we have aren't really scripts, e.g. dnf-plugin-system-upgrade, packagekit-offline-update, fwupd-offline-update.
- strongly recommend After=sysinit.target, Wants=sysinit.target
- clarify a bit what should happen when multiple update services are started
- replace links to the wiki with refs to the man page that replaced it.
2016-11-24 | core: make sure initrd-switch-root command survives PID1's killing spree (#4730) | Franck Bui
This is a different way to implement the fix proposed by commit a4021390fef27f4136497328f suggested by Lennart Poettering. In this patch we instruct PID1 to not kill "systemctl switch-root" command started by initrd-switch-root service using the "argv[0][0]='@'" trick. See: https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/ for more details. We had to backup argv[0] because argv is modified by dispatch_verb().
2016-11-24 | Merge pull request #4710 from martinpitt/networkd-dbus | Lennart Poettering
networkd: allow networkd to start in early boot
2016-11-23 | networkd: allow networkd to start in early boot | Martin Pitt
With the previous improvements, networkd.service's "After=dbus.service" can now be dropped. That ordering effectively forced networkd.service to run in late boot only (dbus.service was rejected to run in early boot in https://bugs.freedesktop.org/show_bug.cgi?id=98254). Fixes #4504
2016-11-23 | core: consider SIGTERM as a clean exit status for initrd-switch-root.service (#4713) | Franck Bui
Since commit 1f0958f640b8717, systemd considers SIGTERM for short-running services (aka Type=oneshot) as a failure.
This can be an issue with initrd-switch-root.service as the command run by this service (in order to switch to the new rootfs) may still be running when systemd does the switch. However PID1 sends SIGTERM to all remaining processes right before switching and initrd-switch-root.service can be one of those.
After systemd is reexecuted and its previous state is deserialized, systemd notices that initrd-switch-root.service was killed with SIGTERM and considers this as a failure which leads to the emergency shell.
To prevent this, this patch teaches systemd to consider a SIGTERM exit as a clean one for this service.
It also removes "KillMode=none" since this is pretty useless as the service is never stopped by systemd but it either exits normally or it's killed by a SIGTERM as described previously.
2016-11-11 | units: disable /sys/fs/fuse/connections in private user namespaces (#4592) | Zbigniew Jędrzejewski-Szmek
The mount fails, even though CAP_SYS_ADMIN is granted. Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns, and the patch to add that fusectl was rejected [1].
It would be nice if we could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this could change over time, but this information doesn't seem to be exported. So let's just skip this mount in userns to avoid an error during boot.
[1] https://patchwork.kernel.org/patch/2828269/
2016-10-27 | Merge pull request #4442 from keszybz/detect-virt-userns | Evgeny Vereshchagin
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
2016-10-26 | units: disable /dev/hugepages in private user namespaces | Zbigniew Jędrzejewski-Szmek
The mount fails, even though CAP_SYS_ADMIN is granted.
2016-10-24 | core: drop -.slice from shipped units | Lennart Poettering
Since this unit is synthesized anyway there's no point in actually shipping it on disk. This also has the benefit that "cd /usr/lib/systemd/system ; ls *" won't be confused by the leading dash of the file name anymore.
2016-10-20 | sysctl: run sysctl service if /proc/sys/net is writable (#4425) | Lennart Poettering
This simply changes this line:
    ConditionPathIsReadWrite=/proc/sys/
to this:
    ConditionPathIsReadWrite=/proc/sys/net/
The background for this is that the latter is namespaced through network namespacing usually and hence frequently set as writable in containers, even though the former is kept read-only. If /proc/sys is read-only but /proc/sys/net is writable we should run the sysctl service, as useful settings may be made in this case.
Fixes: #4370
2016-10-20 | units: extend stop timeout for user@.service to 120s (#4426) | Lennart Poettering
By default all user and all system services get stop timeouts for 90s. This is problematic as the user manager of course is run as system service. Thus, if the default time-out is hit for any user service, then it will also be hit for user@.service as a whole, thus making the whole concept useless for user services.
This patch extends the stop timeout to 120s for user@.service hence, so that the user service manager has ample time to process user services timing out.
(The other option would have been to shorten the default user service timeout, but I think a user service should get the same timeout by default as a system service)
Fixes: #4206
2016-10-12 | units: journal-upload Wants= and After=network-online.target (#4354) | Yu Watanabe
To upload journal entries to a remote server, it is required that the network is online.
2016-10-11 | units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) | Yu Watanabe
`systemctl isolate initrd-switch-root.target` called by initrd-cleanup.service kills initrd-cleanup.service itself. Then, initrd-cleanup.service failed and system goes to emergency shell. To prevent this problem, this commit adds `Wants=initrd-cleanup.service` to initrd-switch-root.target. fixes: #4343.
2016-10-10 | unit: drop console-shell.service (#4298) (#4325) | Franck Bui
console-shell.service was supposed to be useful for normal clean boots (i.e. multi-user.target or so), as a replacement for logind/getty@.service for simpler use cases. But due to the lack of documentation and sanity check one can easily be confused and enable this service in // with getty@.service. In this case we end up with both services sharing the same tty which ends up in strange results. Even worse, console-shell.service might be failing while getty@.service tries to acquire the terminal which ends up in the system to poweroff since console-shell.service uses: "ExecStopPost=-/usr/bin/systemctl poweroff". Another issue: this service doesn't work well if plymouth is also used since it lets the splash screen program run and mess the tty (at least a "plymouth quit" is missing). So let's kill it for now.
2016-10-06 | units: systemd-udevd: add AF_INET and AF_INET6 to RestrictAddressFamilies= (#4296) | Yu Watanabe
The udev builtin command `net_setup_link` requires AF_INET and AF_INET6. Fixes #4293.
2016-09-25 | units: further lock down our long-running services | Lennart Poettering
Let's make this an exercise in dogfooding: let's turn on more security features for all our long-running services. Specifically:
- Turn on RestrictRealtime=yes for all of them
- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them
- Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each
Also, always order settings in the unit files, that the various sandboxing features are close together.
Add a couple of missing, older settings for a number of unit files.
Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning off networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
2016-09-25 | units: permit importd to mount stuff | Lennart Poettering
Fixes #3996
2016-08-26 | units: remove udev control socket when systemd stops the socket unit (#4039) | Michal Sekletar
Mere presence of the socket in the filesystem makes udev_queue_get_udev_is_active() return that udev is running. Note that, udev on exit doesn't unlink control socket nor does systemd. Thus socket stays around even when both daemon and socket are stopped. This causes problems for cryptsetup because when it detects running udev it launches synchronous operations that *really* require udev. This in turn may cause blocking and subsequent timeout in systemd-cryptsetup on reboot while machine is in a state that udev and its control socket units are stopped, e.g. emergency mode. Fixes #2477
2016-08-19 | Merge pull request #3955 from keszybz/fix-preset-all | Lennart Poettering
Fix preset-all
2016-08-19 | units: install user units as real files, not symlinks to ../system/ | Zbigniew Jędrzejewski-Szmek
This was causing preset-all --global to create symlinks:
$ systemctl preset-all --global --root=/var/tmp/inst1
Created symlink /var/tmp/inst1/etc/systemd/user/shutdown.target → /usr/lib/systemd/user/../system/shutdown.target.
Created symlink /var/tmp/inst1/etc/systemd/user/sockets.target → /usr/lib/systemd/user/../system/sockets.target.
Created symlink /var/tmp/inst1/etc/systemd/user/timers.target → /usr/lib/systemd/user/../system/timers.target.
Created symlink /var/tmp/inst1/etc/systemd/user/paths.target → /usr/lib/systemd/user/../system/paths.target.
Created symlink /var/tmp/inst1/etc/systemd/user/bluetooth.target → /usr/lib/systemd/user/../system/bluetooth.target.
Created symlink /var/tmp/inst1/etc/systemd/user/printer.target → /usr/lib/systemd/user/../system/printer.target.
Created symlink /var/tmp/inst1/etc/systemd/user/sound.target → /usr/lib/systemd/user/../system/sound.target.
Created symlink /var/tmp/inst1/etc/systemd/user/smartcard.target → /usr/lib/systemd/user/../system/smartcard.target.
Created symlink /var/tmp/inst1/etc/systemd/user/busnames.target → /usr/lib/systemd/user/../system/busnames.target.
It is better to create units in a state that completely matches the presets, i.e. preset-all should do nothing when invoked immediately after installation. I'm sure it was confusing to users too, suggesting that system and user units may somehow alias each other.
2016-08-13 | units: do not start load-random-seed in containers (#3941) | Zbigniew Jędrzejewski-Szmek
Random numbers are provided by the host kernel, we don't need to do anything. https://bugzilla.redhat.com/show_bug.cgi?id=1329124
2016-08-02 | units: add graphical-session-pre.target user unit (#3848) | Martin Pitt
This complements graphical-session.target for services which set up the environment (e. g. dbus-update-activation-environment) and need to run before the actual graphical session.
2016-08-02 | systemd-ask-password: make sure directory watch is started before cryptsetup (#3850) | tblume
The password directory watch should get ordered before cryptsetup to make sure that the password for unlocking the crypt device gets prompted.
2016-07-28 | Merge pull request #3742 from msoltyspl/vconfix2 | Zbigniew Jędrzejewski-Szmek
vconsole-setup: updates & fixes V2
2016-07-27 | vconsole: Don't do static installation under sysinit.target | Michal Soltys
Udev rules cover all the necessary initializations. As the service now is neither installed, nor installable - we can remove explicit dependencies and RemainAfterExit=yes option.
2016-07-25 | units: add graphical-session.target user unit (#3678) | Martin Pitt
This unit acts as a dynamic "alias" target for any concrete graphical user session like gnome-session.target; these should declare "BindsTo=graphical-session.target" so that both targets stop and start at the same time. This allows services that run in a particular graphical user session (e. g. gnome-settings-daemon.service) to declare "PartOf=graphical-session.target" without having to know or get updated for all/new session types. This will ensure that stopping the graphical session will stop all services which are associated to it.
2016-07-25 | getty@.service.m4: add Conflicts=/Before= against rescue.service (#3792) | Michal Soltys
If user isolates rescue target from multi-user or graphical target (or just starts the service), IgnoreOnIsolate will cause issues with sulogin which is directly started on current virtual console. This patch adds necessary Conflicts= and Before= against rescue.service. Note that this is not needed for emergency target, as implicit Requires= and After= against sysinit.target is in effect for this service (DefaultDependencies=yes).
2016-07-22 | nspawn: set DevicesPolicy closed and clean up duplicated devices | Alessandro Puccetti
2016-07-22 | Merge pull request #3764 from poettering/assorted-stuff-2 | Martin Pitt
Assorted fixes
2016-07-21 | nspawn: enable major=0/minor=0 devices inside the container (#3773) | Alessandro Puccetti
https://github.com/systemd/systemd/pull/3685 introduced /run/systemd/inaccessible/{chr,blk} to map inaccessible devices, this patch allows systemd running inside a nspawn container to create /run/systemd/inaccessible/{chr,blk}.
2016-07-20 | units: fix TasksMax=16384 for systemd-nspawn@.service | Lennart Poettering
When a container scope is allocated via machined it gets 16K set already since cf7d1a30e44bf380027a2e73f9bf13f423a33cc1. Make sure when a container is run as system service it gets the same values.
2016-06-26 | Merge pull request #3572 from poettering/machinectl-shell-fix | Martin Pitt
machinectl: interpret options placed between "shell" verb and machine name
2016-06-24 | Merge pull request #3549 from poettering/resolved-more | Tom Gundersen
resolved: more fixes, among them "systemctl-resolve --status" to see DNS configuration in effect, and a local DNS stub listener on 127.0.0.53
2016-06-23 | udev: bump TasksMax to infinity (#3593) | Franck Bui
udevd already limits its number of workers/children: the max number is actually twice the number of CPUs the system is using. (The limit can also be raised with udev.children-max= kernel command line option BTW). On some servers, this limit can easily exceed the maximum number of tasks that systemd put on all services, which is 512 by default. Since udevd has already its limitation logic, simply disable the static limitation done by TasksMax.
2016-06-22 | units: add nosuid and nodev options to tmp.mount (#3575) | Martin Pitt
This makes privilege escalation attacks harder by putting traps and exploits into /tmp. https://bugs.debian.org/826377
2016-06-21 | units: machined needs mount-related syscalls for its namespacing operations | Lennart Poettering
Specifically "machinectl shell" (or its OpenShell() bus call) is implemented by entering the file system namespace of the container and opening a TTY there. In order to enter the file system namespace, chroot() is required, which is filtered by SystemCallFilter='s @mount group. Hence, let's make this work again and drop @mount from the filter list.
2016-06-21 | emergency.service: Don't say "Welcome" when it's an emergency (#3569) | Lennart Poettering
Quoting @cgwalters: Just uploading this as an RFC. Now I know reading the code that systemd says `Welcome to $OS` as a generic thing, but my initial impression on seeing this was that it was almost sarcastic =) Let's say "You are in emergency mode" as a more neutral/less excited phrase. This patch is based on #3556, but makes the same change for rescue mode.
2016-06-21 | resolved: respond to local resolver requests on 127.0.0.53:53 | Lennart Poettering
In order to improve compatibility with local clients that speak DNS directly (and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process any queries made that way.
Note that resolved does not implement a full DNS server on this port, but simply enough to allow normal, local clients to resolve RRs through resolved. Specifically it does not implement queries without the RD bit set (these are requests where recursive lookups are explicitly disabled), and neither queries with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with validation turned off). It also refuses zone transfers and obsolete RR types. All lookups done this way will be rejected with a clean error code, so that the client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanism are propagated to LLMNR and mDNS as necessary, but this is only partially useful as DNS packets cannot carry IP scope data (i.e. the ifindex), and hence link-local addresses returned cannot be used properly (and given that LLMNR/mDNS are mostly about link-local communication this is quite a limitation). Also, given that DNS tends to use IDNA for non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local TCP listening. DnsStream now provides proper reference counting for its objects.
In order to avoid feedback loops resolved will now silently ignore 127.0.0.53 specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from /etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this stub the default mode of operation if /etc is not populated.
2016-06-13 | units: tighten system call filters a bit | Lennart Poettering
Take away kernel keyring access, CPU emulation system calls and various debug system calls from the various daemons we have.
2016-06-09 | units: add a basic SystemCallFilter (#3471) | Topi Miettinen
Add a line SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace for daemons shipped by systemd. As an exception, systemd-timesyncd needs @clock system calls and systemd-localed is not privileged. ptrace(2) is blocked to prevent seccomp escapes.
2016-06-08 | units: enable MemoryDenyWriteExecute (#3459) | Topi Miettinen
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute. Closes: #3459
2016-06-01 | units: wait for plymouth to shut down in rescue.service (#3367) | Franck Bui
In the same vein as commit ac59f0c12c117b9bb5b7e17f33987b0107791239 which added the --wait option to the emergency service, this patch makes sure that plymouth has exited before entering into the rescue mode.
2016-05-21 | units: restore ConditionNeedsUpdate=/etc in ldconfig.service (#3311) | Lennart Poettering
In order to support stateless systems that support offline /usr updates properly, let's restore the ConditionNeedsUpdate=/etc line that makes sure we are run when /usr is updated and this update needs to be propagated to the /etc/ld.so.conf file stored in /etc. This reverts part of #2859, which snuck this change in, but really shouldn't have.
2016-05-12 | Create initrd-root-device.target synchronization point (#3239) | Daniel Drake
Add a synchronization point so that custom initramfs units can run after the root device becomes available, before it is fsck'd and mounted. This is useful for custom initramfs units that may modify the root disk partition table, where the root device is not known in advance (it's dynamically selected by the generators).
2016-05-10 | units: make sure that fsck is executed before quotacheck | tblume
fsck determines whether an automatic quotacheck should be executed. Hence fsck service needs to run before quotacheck service.
2016-04-27 | Stop syslog.socket when entering emergency mode (#3130) | Martin Pitt
When enabling ForwardToSyslog=yes, the syslog.socket is active when entering emergency mode. Any log message then triggers the start of rsyslog.service (or other implementation) along with its dependencies such as local-fs.target and sysinit.target. As these might fail themselves (e. g. faulty /etc/fstab), this breaks the emergency mode. This causes syslog.socket to fail with "Failed to queue service startup job: Transition is destructive". Add Conflicts=syslog.socket to emergency.service to make sure the socket is stopped when emergency.service is started. Fixes #266
2016-04-26 | Merge pull request #3093 from poettering/nspawn-userns-magic | Lennart Poettering
nspawn automatic user namespaces
2016-04-25 | machined: add CAP_MKNOD to capabilities to run with (#3116) | Lennart Poettering
Container images from Debian or suchlike contain device nodes in /dev. Let's make sure we can clone them properly, hence pass CAP_MKNOD to machined. Fixes: #2867 #465
2016-04-25 | units: turn on user namespace by default in systemd-nspawn@.service | Lennart Poettering
Now that user namespacing is supported in a pretty automatic way, actually turn it on by default if the systemd-nspawn@.service template is used.