summaryrefslogtreecommitdiff
path: root/units
AgeCommit message (Collapse)Author
2015-04-24units: set KillMode=mixed for our daemons that fork worker processesLennart Poettering
The daemons should really have the time to kill the workers first, before systemd does it, hence use KillMode=mixed for these daemons. https://bugs.freedesktop.org/show_bug.cgi?id=90051
2015-04-21importd: add CAP_DAC_OVERRIDE capabilityLubomir Rintel
Fedora's filesystem package ships /usr/bin (and other directories) which are not writable by its owner. machinectl pull-dkr (and possibly others) are not able to extract those: 14182 mkdirat(3, "usr", 0700) = 0 14182 mkdirat(3, "usr/bin", 0500) = 0 14182 openat(3, "usr/bin/[", O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_NONBLOCK|O_CLOEXEC, 0700) = -1 EACCES (Permission denied) ...
2015-04-03units: explicitly require /var, /tmp and /var/tmp to be mounted before ↵Lennart Poettering
basic.target We support /var, /tmp and /var/tmp on NFS. NFS shares however are by default ordered only before remote-fs.target which is a late-boot service. /var, /tmp, /var/tmp need to be around earlier though, hence explicitly order them before basic.target. Note that this change simply makes explicit what was implicit before, since many early-boot services pulled in parts of /var anyway early.
2015-04-03units: explicitly order systemd-user-sessions.service after ↵Lennart Poettering
nss-user-lookup.target We should not allow logins before NIS/LDAP users are available.
2015-04-03units: move After=systemd-hwdb-update.service dependency from udev to ↵Lennart Poettering
udev-trigger Let's move the hwdb regeneration a bit later. Given that hwdb is non-essential it should be OK to allow udev to run without it until we do the full trigger. http://lists.freedesktop.org/archives/systemd-devel/2015-April/030074.html
2015-03-19resolved: Do not add .busname dependencies, when compiling without kdbus.Dimitri John Ledkov
2015-03-17console-getty.service: don't start when /dev/console is missingJan Pazdziora
Create minimal image which runs systemd FROM rhel7.1 RUN yum install -y /usr/bin/ps ENV container docker CMD [ "/usr/sbin/init" ] When you run the container without -t, the process /sbin/agetty --noclear --keep-baud console 115200 38400 9600 is not happy and checking the journal in the container, there is a stream of Mar 13 04:50:15 11bf07f59fff agetty[66]: /dev/console: No such file or directory Mar 13 04:50:25 11bf07f59fff systemd[1]: console-getty.service holdoff time over, scheduling restart. Mar 13 04:50:25 11bf07f59fff systemd[1]: Stopping Console Getty... Mar 13 04:50:25 11bf07f59fff systemd[1]: Starting Console Getty... Mar 13 04:50:25 11bf07f59fff systemd[1]: Started Console Getty. Mar 13 04:50:25 11bf07f59fff agetty[67]: /dev/console: No such file or directory Mar 13 04:50:35 11bf07f59fff systemd[1]: console-getty.service holdoff time over, scheduling restart. Mar 13 04:50:35 11bf07f59fff systemd[1]: Stopping Console Getty... Mar 13 04:50:35 11bf07f59fff systemd[1]: Starting Console Getty... Mar 13 04:50:35 11bf07f59fff systemd[1]: Started Console Getty. Mar 13 04:50:35 11bf07f59fff agetty[74]: /dev/console: No such file or directory Mar 13 04:50:45 11bf07f59fff systemd[1]: console-getty.service holdoff time over, scheduling restart. Mar 13 04:50:45 11bf07f59fff systemd[1]: Stopping Console Getty... Mar 13 04:50:45 11bf07f59fff systemd[1]: Starting Console Getty...
2015-03-15timesyncd: enable timesyncd in virtual machinesKay Sievers
On Fri, Mar 13, 2015 at 8:25 PM, Michael Marineau <michael.marineau@coreos.com> wrote: > Currently systemd-timesyncd.service includes > ConditionVirtualization=no, disabling it in both containers and > virtual machines. Each VM platform tends to deal with or ignore the > time problem in their own special ways, KVM/QEMU has the kernel time > source kvm-clock, Xen has had different schemes over the years, VMware > expects a userspace daemon sync the clock, and other platforms are > content to drift with the wind as far as I can tell. > > I don't know of a robust way to know if a platform needs a little > extra help from userspace to keep the clock sane or not but it seems > generally safer to try than to risk drifting. Does anyone know of a > reason to leave timesyncd off by default? Otherwise switching to > ConditionVirtualization=!container should be reasonable.
2015-03-14units: there is no systemd-udev-hwdb-update.serviceZbigniew Jędrzejewski-Szmek
2015-03-09fsckd: make sure unprivileged clients cannot play games with fsckdLennart Poettering
2015-02-24units: add missing unit fileLennart Poettering
2015-02-24importd: create a loopback btrfs file system for /var/lib/machines, if necessaryLennart Poettering
When manipulating container and VM images we need efficient and atomic directory snapshots and file copies, as well as disk quota. btrfs provides this, legacy file systems do not. Hence, implicitly create a loopback file system in /var/lib/machines.raw and mount it to /var/lib/machines, if that directory is not on btrfs anyway. This is done implicitly and transparently the first time the user invokes "machinectl import-xyz". This allows us to take benefit of btrfs features for container management without actually having the rest of the system use btrfs. The loopback is sized 500M initially. Patches to grow it dynamically are to follow.
2015-02-18Add man page and references to it.Didier Roche
Add man page explaining the plymouth theme protocol, usage of the daemon as well as the socket activation part. Adapt existing fsck man page.
2015-02-18Add fsckd service and socket, retarget systemd-fsckDidier Roche
systemd-fsckd can be socket-activated by systemd-fsck process. Reflect that in the different unit files.
2015-02-17machined: move logic for bind mounting into containers from machinectl to ↵Lennart Poettering
machined This extends the bus interface, adding BindMountMachine() for bind mounting directories from the host into the container.
2015-02-13units: turn on --network-veth by default for systemd-nspawn@.serviceLennart Poettering
Given the recent improvements in networkd, it's probably the better default now.
2015-02-13units: fix systemd-networkd.service in containers lacking CAP_NET_ADMINLennart Poettering
2015-02-11Revert "units: add SecureBits"Lennart Poettering
This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47. Apparently this doesn't work. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11units: add SecureBitsTopi Miettinen
No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
2015-02-06units: networkd - fix busname to work on kdbusTom Gundersen
2015-02-05networkd: exit on idleTom Gundersen
We will be woken up on rtnl or dbus activity, so let's just quit if some time has passed and that is the only thing that can happen. Note that we will always stay around if we expect network activity (e.g. DHCP is enabled), as we are not restarted on that.
2015-02-05networkd: add basic dbus APITom Gundersen
Only the very basics, more to come. For now: $ busctl tree org.freedesktop.network1 └─/org/freedesktop/network1 └─/org/freedesktop/network1/link ├─/org/freedesktop/network1/link/1 ├─/org/freedesktop/network1/link/2 ├─/org/freedesktop/network1/link/3 ├─/org/freedesktop/network1/link/4 ├─/org/freedesktop/network1/link/5 ├─/org/freedesktop/network1/link/6 ├─/org/freedesktop/network1/link/7 ├─/org/freedesktop/network1/link/8 └─/org/freedesktop/network1/link/9 $ busctl introspect org.freedesktop.network1 /org/freedesktop/network1 NAME TYPE SIGNATURE RESULT/VALUE FLAGS org.freedesktop.network1.Manager interface - - - .OperationalState property s "carrier" emits-change $ busctl introspect org.freedesktop.network1 /org/freedesktop/network1/link/1 NAME TYPE SIGNATURE RESULT/VALUE FLAGS org.freedesktop.network1.Link interface - - - .AdministrativeState property s "unmanaged" emits-change .OperationalState property s "carrier" emits-change
2015-02-02units: so far we defaulted to 90s as default timeout for most things, let's ↵Lennart Poettering
do so for our oneshot services too Fewer surprises, and stuff...
2015-02-02networkd: support socket activationTom Gundersen
Still keep the non-socket activation code around for starting from the commandline, but will likely drop that too in the future.
2015-02-01units: set TimeoutSec on some oneshot servicesZbigniew Jędrzejewski-Szmek
Services which are not crucial to system bootup, and have Type=oneshot can effectively "hang" the system if they fail to complete for whatever reason. To allow the boot to continue, kill them after a timeout. In case of systemd-journal-flush the flush will continue in the background, and in the other two cases the job will be aborted, but this should not result in any permanent problem.
2015-01-27units: turn on watchdog for resolvedLennart Poettering
2015-01-27units: fix all TTY paths for container gettysLennart Poettering
Spotted by Christian Seiler: http://lists.freedesktop.org/archives/systemd-devel/2015-January/027441.html
2015-01-23build-sys: lookup for sulogin, it might not be in /sbinCristian Rodríguez
2015-01-22importd: run daemon at minimal capabilitiesLennart Poettering
2015-01-22import: introduce new mini-daemon systemd-importd, and make machinectl a ↵Lennart Poettering
client to it The old "systemd-import" binary is now an internal tool. We still use it as asynchronous backend for systemd-importd. Since the import tool might require some IO and CPU resources (due to qcow2 explosion, and decompression), and because we might want to run it with more minimal priviliges we still keep it around as the worker binary to execute as child process of importd. machinectl now has verbs for pulling down images, cancelling them and listing them.
2015-01-17bus-proxy: turn into multi-threaded daemonDavid Herrmann
Instead of using Accept=true and running one proxy for each connection, we now run one proxy-daemon with a thread per connection. This will enable us to share resources like policies in the future.
2015-01-08journal: bump RLIMIT_NOFILE when journal files to 16K (if possible)Lennart Poettering
When there are a lot of split out journal files, we might run out of fds quicker then we want. Hence: bump RLIMIT_NOFILE to 16K if possible. Do these even for journalctl. On Fedora the soft RLIMIT_NOFILE is at 1K, the hard at 4K by default for normal user processes, this code hence bumps this up for users to 4K. https://bugzilla.redhat.com/show_bug.cgi?id=1179980
2015-01-07units: make resolved pull in its own .busname unit, but only on kdbus systemsLennart Poettering
The daemon requires the busname unit to operate, since it contains the policy that allows it to acquire its service name.
2015-01-07units: improve Description= for systemd's own busname unitLennart Poettering
2015-01-06journald: allow restarting journald without losing stream connectionsLennart Poettering
Making use of the fd storage capability of the previous commit, allow restarting journald by serilizing stream state to /run, and pushing open fds to PID 1.
2014-12-29units: rework systemd-nspawn@.service unitLennart Poettering
- Unescape instance name so that we can take almost anything as instance name. - Introduce "machines.target" which consists of all enabled nspawns and can be used to start/stop them altogether - Look for container directory using -M instead of harcoding the path in /var/lib/container
2014-12-29units: make graphical.target dependencies more complete and similar to those ↵Lennart Poettering
of multi-user.target
2014-12-19machined/machinectl: add logic to show list of available imagesLennart Poettering
This adds a new bus call to machined that enumerates /var/lib/container and returns all trees stored in it, distuingishing three types: - GPT disk images, which are files suffixed with ".gpt" - directory trees - btrfs subvolumes
2014-12-18systemd-hwdb: introduce new toolTom Gundersen
This pulls out the hwdb managment from udevadm into an independent tool. The old code is left in place for backwards compatibility, and easy of testing, but all documentation is dropped to encourage use of the new tool instead.
2014-12-14build-sys: remove commented-out m4 from user@.serviceMantas Mikulėnas
Otherwise this actually remains in the generated unit in /usr/lib. If you want to keep it commented out, a m4-compatible way would be: m4_ifdef(`HAVE_SMACK', dnl Capabilities=cap_mac_admin=i dnl SecureBits=keep-caps )
2014-12-10build-sys: turn off SMACK capabilities stuff for now, since it is ↵Lennart Poettering
incompatible with nspawn
2014-12-10gitignore: hide some more filesLennart Poettering
2014-12-09bus-proxy: cloning smack labelPrzemyslaw Kedzierski
When dbus client connects to systemd-bus-proxyd through Unix domain socket proxy takes client's smack label and sets for itself. It is done before and independent of dropping privileges. The reason of such soluton is fact that tests of access rights performed by lsm may take place inside kernel, not only in userspace of recipient of message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by addition Capabilities=cap_mac_admin=i and SecureBits=keep-caps to user@.service file and setting cap_mac_admin+ei on bus-proxyd binary.
2014-12-09units: make sure container-getty@.service stops restarting when the pts ↵Lennart Poettering
device it is bound to is gone We only want to restart the getty as long as the pts device is still around. As soon as it is gone, the service should be removed to. http://lists.freedesktop.org/archives/systemd-devel/2014-December/026048.html
2014-12-04gitignore: ignore generated systemd-bootchart.serviceWaLyong Cho
2014-12-04units: skip mounting /dev/hugepages if we don't have CAP_SYS_ADMINMichal Sekletar
Preparation for allowing systemd to run gracefully in containers lacking CAP_SYS_ADMIN.
2014-12-04bootchart: add standalone bootchart serviceWaLyong Cho
2014-12-03machine-id-commit: add unit fileDidier Roche
The unit file only active the machine-id-commit helper if /etc is mounted writable and /etc/machine-id is an independant mount point (should be a tmpfs).
2014-12-02rc-local: drop SysVStartPriority= field which is now obsoleteLennart Poettering
2014-11-28bus-proxy: automatically detect scope of bus and derive which XML snippets ↵Lennart Poettering
to load from that