Age | Commit message (Collapse) | Author |
|
nspawn automatic user namespaces
|
|
Container images from Debian or suchlike contain device nodes in /dev. Let's
make sure we can clone them properly, hence pass CAP_MKNOD to machined.
Fixes: #2867 #465
|
|
Now that user namespacing is supported in a pretty automatic way, actually turn
it on by default if the systemd-nspawn@.service template is used.
|
|
That way we can be sure that local users are logged out before the network is
shut down when the system goes down, so that SSH session should be ending
cleanly before the system goes down.
Fixes: #2390
|
|
fix issue #2930
|
|
With the current "Type=forking", systemd tries to guess the PID it
should wait on at reboot (because we have no "PIDFile="). Depending on
how wrong the guess is, we can end up hanging forever at reboot.
Asking it not to do that eliminates the problem.
|
|
Also drop ConditionNeedsUpdate=|/etc. Regardless if system is updated
online or offline, updating dynamic loader cache should always be
responsibility of packaging tools/scripts.
|
|
When using `%I` for instances of `systemd-nspawn@.service`, the result
will be `systemd-nspawn` trying to launch a container named e.g.
`fedora/23` instead of `fedora-23`.
Using `%i` instead prevents escaping `-` in a container name and uses
the unmodified container name from the machine store.
|
|
Remove systemd-bootchart
|
|
|
|
This commit rips out systemd-bootchart. It will be given a new home, outside
of the systemd repository. The code itself isn't actually specific to
systemd and can be used without systemd even, so let's put it somewhere
else.
|
|
As kdbus won't land in the anticipated way, the bus-proxy is not needed in
its current form. It can be resurrected at any time thanks to the history,
but for now, let's remove it from the sources. If we'll have a similar tool
in the future, it will look quite differently anyway.
Note that stdio-bridge is still available. It was restored from a version
prior to f252ff17, and refactored to make use of the current APIs.
|
|
units: don't try to mount the mqueue fs if we lack the privileges for it
|
|
See https://github.com/systemd/systemd/pull/2576#discussion-diff-52592680
|
|
See:
https://lists.freedesktop.org/archives/systemd-devel/2016-February/035740.html
|
|
This reworks the coredumping logic so that the coredump handler invoked from the kernel only collects runtime data
about the crashed process, and then submits it for processing to a socket-activate coredump service, which extracts a
stacktrace and writes the coredump to disk.
This has a number of benefits: the disk IO and stack trace generation may take a substantial amount of resources, and
hence should better be managed by PID 1, so that resource management applies. This patch uses RuntimeMaxSec=, Nice=, OOMScoreAdjust=
and various sandboxing settings to ensure that the coredump handler doesn't take away unbounded resources from normally
priorized processes.
This logic is also nice since this makes sure the coredump processing and storage is delayed correctly until
/var/systemd/coredump is mounted and writable.
Fixes: #2286
|
|
|
|
Now that requiring of a masked unit results in failure again, downgrade the dependency on /tmp to Wants= again, so that
our suggested way to disable /tmp-on-tmpfs by masking doesn't result in a failing boot.
References: #2315
|
|
|
|
journal-remote: add SupplementaryGroups to systemd-journal-upload.service
|
|
As discussed on the ML:
http://lists.freedesktop.org/archives/systemd-devel/2016-January/035594.html
|
|
|
|
With this kmod commit, modules.devname will be empty by default instead of
containing just a comment:
https://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=4c30a11d5f
Refine the startup condition of kmod-static-nodes.service to not run needlessly
if the list is empty.
|
|
|
|
The user manager is still limited by its parent slice user-UID.slice,
which defaults to 4096 tasks. However, it no longer has an additional
limit of 512 tasks.
Fixes #1955.
|
|
|
|
Apparently, util-linux' mount command implicitly drops the smack-related
options anyway before passing them to the kernel, if the kernel doesn't
know SMACK, hence there's no point in duplicating this in systemd.
Fixes #1696
|
|
|
|
|
|
networkd: (de)serialize more state and support expiring routes
|
|
Otherwise we might run into deadlocks, when journald blocks on the
notify socket on PID 1, and PID 1 blocks on IPC to dbus-daemon and
dbus-daemon blocks on logging to journald. Break this cycle by making
sure that journald never ever blocks on PID 1.
Note that this change disables support for event loop watchdog support,
as these messages are sent in blocking style by sd-event. That should
not be a big loss though, as people reported frequent problems with the
watchdog hitting journald on excessively slow IO.
Fixes: #1505.
|
|
|
|
That way it's in sync with the other SMACK label settings.
https://github.com/systemd/systemd/pull/1664#issuecomment-150891270
|
|
If SMACK is enabled, 'smackfsroot=*' option should be specified when
/tmp is mounted since many non-root processes use /tmp for temporary
usage. If not, /tmp is labeled as '_' and smack denial occurs when
writing.
In order to do that, 'SmackFileSystemRoot=*' is newly added into
tmp.mount.
|
|
/dev/loop*p* block devices are of the "blkext" subsystem, not of loop,
hence whitelist this too.
Fixes #1446
|
|
This reverts commit 409c2a13fd65692c611b7bcaba12e908ef7cf1e5.
It breaks the bootup of systems which enable smack at compile time, but have no
smack enabled in the kernel. This needs a different solution.
|
|
This is a follow-up to 409c2a13fd656.
|
|
units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled
|
|
If SMACK is enabled, 'smackfsroot=*' option should be specified in
tmp.mount file since many non-root processes use /tmp for temporary
usage. If not, /tmp is labeled as '_' and smack denial occurs when
writing.
|
|
There's no concept of ctrl-alt-del for user systemd instances, hence
don't suggest it woud make sense to symlink the unit to it.
Fixes #1525.
|
|
Add support for naming fds for socket activation and more
|
|
Usually we try to properly uppercase first characters in the
description, do so here, too. Also, keep it close to the string used in
systemd-networkd.service.
|
|
nspawn needs access to /dev/loop to implement --image=, hence grant that
in the service file.
Fixes #1446.
|
|
With this rework we introduce systemd-rfkill.service as singleton that
is activated via systemd-rfkill.socket that listens on /dev/rfkill. That
way, we get notified each time a new rfkill device shows up or changes
state, in which case we restore and save its current setting to disk.
This is nicer than the previous logic, as this means we save/restore
state even of rfkill devices that are around only intermittently, and
save/restore the state even if the system is shutdown abruptly instead
of cleanly.
This implements what I suggested in #1019 and obsoletes it.
|
|
And remove machine-id-commit as separate binary.
There's really no point in keeping this separate, as the sources are
pretty much identical, and have pretty identical interfaces. Let's unify
this in one binary.
Given that machine-id-commit was a private binary of systemd (shipped in
/usr/lib/) removing the tool is not an API break.
While we are at it, improve the documentation of the command substantially.
|
|
Apparently, disk IO issues are more frequent than we hope, and 1min
waiting for disk IO happens, so let's increase the watchdog timeout a
bit, for all our services.
See #1353 for an example where this triggers.
|
|
|
|
When a systemd service running in a container exits with a non-zero
code, it can be useful to terminate the container immediately and get
the exit code back to the host, when systemd-nspawn returns. This was
not possible to do. This patch adds the following to make it possible:
- Add a read-only "ExitCode" property on PID 1's "Manager" bus object.
By default, it is 0 so the behaviour stays the same as previously.
- Add a method "SetExitCode" on the same object. The method fails when
called on baremetal: it is only allowed in containers or in user
session.
- Add support in systemctl to call "systemctl exit 42". It reuses the
existing code for user session.
- Add exit.target and systemd-exit.service to the system instance.
- Change main() to actually call systemd-shutdown to exit() with the
correct value.
- Add verb 'exit' in systemd-shutdown with parameter --exit-code
- Update systemctl manpage.
I used the following to test it:
| $ sudo rkt --debug --insecure-skip-verify run \
| --mds-register=false --local docker://busybox \
| --exec=/bin/chroot -- /proc/1/root \
| systemctl --force exit 42
| ...
| Container rkt-895a0cba-5c66-4fa5-831c-e3f8ddc5810d failed with error code 42.
| $ echo $?
| 42
Fixes https://github.com/systemd/systemd/issues/1290
|
|
systemd-nspawn@.service
|
|
The bus-proxy manages the kdbus connections of all users on the system
(regarding the system bus), hence, it needs an elevated NOFILE.
Otherwise, a single user can trigger ENFILE by opening NOFILE connections
to the bus-proxy.
Note that the bus-proxy still does per-user accounting, indirectly via
the proxy/fake API of kdbus. Hence, the effective per-user limit is not
raised by this. However, we now prevent one user from consuming the whole
FD limit of the shared proxy.
Also note that there is no *perfect* way to set this. The proxy is a
shared object, so it needs a larger NOFILE limit than the highest limit
of all users. This limit can be changed dynamically, though. Hence, we
cannot protect against it. However, a raised NOFILE limit is a privilege,
so we just treat it as such and basically allow these privileged users to
be able to consume more resources than normal users (and, maybe, cause
some limits to be exceeded by this).
Right now, kdbus hard-codes 1024 max connections per user on each bus.
However, we *must not* rely on this. This limits could be easily dropped
entirely, as the NOFILE limit is a suitable limit on its on.
|