2021-06-16 19:35:12 +00:00
#compdef systemd-analyze
2020-11-09 04:23:58 +00:00
# SPDX-License-Identifier: LGPL-2.1-or-later
2013-07-29 19:12:55 +00:00
2018-12-24 11:15:38 +00:00
(( $+functions[_systemd-analyze_verify] )) ||
2019-04-05 09:39:14 +00:00
_systemd-analyze_verify() {
_sd_unit_files
}
2014-07-22 01:11:56 +00:00
2020-04-27 06:16:55 +00:00
(( $+functions[_systemd-analyze_cat-config] )) ||
_systemd-analyze_cat-config() {
_files -W '(/run/systemd/ /etc/systemd/ /usr/lib/systemd/)' -P 'systemd/'
}
2021-12-14 08:43:13 +00:00
(( $+functions[_systemd-analyze_critical-chain] )) ||
_systemd-analyze_critical-chain() {
local -a _units
systemctl list-units --no-legend --no-pager --plain --all |
while read -r a b c; do
_units+=($a)
done
compadd -a _units
}
2020-04-27 06:16:55 +00:00
(( $+functions[_systemd-analyze_security] )) ||
_systemd-analyze_security() {
_sd_unit_files
}
2021-11-16 11:23:11 +00:00
(( $+functions[_systemd-analyze_syscall-filter] )) ||
_systemd-analyze_syscall-filter() {
local -a _groups
_groups=( $(systemd-analyze --quiet --no-pager syscall-filter | grep '^@') )
_describe -t groups 'syscall groups' _groups || compadd "$@"
}
(( $+functions[_systemd-analyze_filesystems] )) ||
_systemd-analyze_filesystems() {
local -a _groups
_groups=( $(systemd-analyze --quiet --no-pager filesystems | grep '^@') )
_describe -t groups 'file system groups' _groups || compadd "$@"
}
2022-12-14 12:31:59 +00:00
(( $+functions[_systemd-analyze_plot] )) ||
_systemd-analyze_plot() {
local -a _options
_options=( '--json=off' '--json=pretty' '--json=short' '--table' '--no-legend' )
_describe 'plot options' _options
}
2018-12-24 11:15:38 +00:00
(( $+functions[_systemd-analyze_commands] )) ||
2019-04-05 09:39:14 +00:00
_systemd-analyze_commands(){
local -a _systemd_analyze_cmds
# Descriptions taken from systemd-analyze --help.
_systemd_analyze_cmds=(
'time:Print time spent in the kernel before reaching userspace'
'blame:Print list of running units ordered by time to init'
'critical-chain:Print a tree of the time critical chain of units'
2022-12-14 12:31:59 +00:00
'plot:Output SVG graphic showing service initialization, or raw time data in
JSON or table format'
2019-04-05 09:39:14 +00:00
'dot:Dump dependency graph (in dot(1) format)'
'dump:Dump server status'
2020-04-27 06:16:55 +00:00
'cat-config:Cat systemd config files'
'unit-files:List files and symlinks for units'
2019-04-05 09:39:14 +00:00
'unit-paths:List unit load paths'
2020-04-27 06:16:55 +00:00
'exit-status:List known exit statuses'
2021-11-16 11:23:11 +00:00
'capability:List capability definitions'
'syscall-filter:List syscalls in seccomp filters'
'filesystems:List known filesystems'
2020-04-27 06:16:55 +00:00
'condition:Evaluate Condition*= and Assert*= assignments'
2019-04-05 09:39:14 +00:00
'verify:Check unit files for correctness'
'calendar:Validate repetitive calendar time events'
2020-04-27 06:16:55 +00:00
'timestamp:Parse a systemd syntax timestamp'
'timespan:Parse a systemd syntax timespan'
'security:Analyze security settings of a service'
analyze: add inspect-elf verb to parse package metadata
Parses and prints package metadata from executables, libraries and core files
$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverityb /bin/bash --json=off --no-pager
__________________________
path: /tmp/core
elfType: coredump
elfArchitecture: AMD x86-64
module name: /tmp/crash
type: deb
name: hello
version: 1.0
architecture: amd64
os: debian
osVersion: 11
buildId: b33541096a09c29a0ba4ec5c69364a2711b7c269
module name: /usr/lib/x86_64-linux-gnu/libc-2.31.so
type: deb
name: hello
version: 1.0
architecture: amd64
os: debian
osVersion: 11
buildId: 54eef5ce96cf37cb175b0d93186836ca1caf470c
module name: /usr/lib/x86_64-linux-gnu/ld-2.31.so
type: deb
name: hello
version: 1.0
architecture: amd64
os: debian
osVersion: 11
buildId: 32438eb3b034da54caf58c7a65446639f7cfe274
__________________________________________________________________
path: /home/luca/git/systemd/../fsverity-utils/fsverity
elfType: executable
elfArchitecture: AMD x86-64
type: deb
name: fsverity-utils
version: 1.3-1
architecture: amd64
os: debian
debugInfoUrl: https://debuginfod.debian.net
buildId: 05b899e6ee0d3653e20458719b202ed3ca8d566f
_________________________
path: /bin/bash
elfType: executable
elfArchitecture: AMD x86-64
buildId: 4fef260f60e257d2dbd4126bf8add83837aea190
$
$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverity /bin/bash /tmp/core.test-condition.1000.f9b9a84a9fd1482c9702d6afa6f6934b.37640.1637083078000000 --json=pretty --no-pager
{
"elfType" : "coredump",
"elfArchitecture" : "AMD x86-64",
"/home/bluca/git/fsverity-utils/fsverity" : {
"type" : "deb",
"name" : "fsverity-utils",
"version" : "1.3-1",
"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
},
"/home/bluca/git/fsverity-utils/libfsverity.so.0" : {
"type" : "deb",
"name" : "fsverity-utils",
"version" : "1.3-1",
"buildId" : "b5e428254abf14237b0ae70ed85fffbb98a78f88"
}
}
{
"elfType" : "executable",
"elfArchitecture" : "AMD x86-64",
"/home/bluca/git/systemd/../fsverity-utils/fsverity" : {
"type" : "deb",
"name" : "fsverity-utils",
"version" : "1.3-1",
"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
}
}
{
"elfType" : "executable",
"elfArchitecture" : "AMD x86-64",
"/bin/bash" : {
"buildId" : "3313b4cb119dcce16927a9b6cc61dcd97dfc4d59"
}
}
{
"elfType" : "coredump",
"elfArchitecture" : "AMD x86-64"
}
2021-11-17 01:45:07 +00:00
'inspect-elf:Parse and print ELF package metadata'
2021-11-16 11:24:27 +00:00
# log-level, log-target, service-watchdogs have been deprecated
2019-04-05 09:39:14 +00:00
)
2013-07-29 19:12:55 +00:00
2019-04-05 09:39:14 +00:00
if (( CURRENT == 1 )); then
_describe "options" _systemd_analyze_cmds
else
local curcontext="$curcontext"
cmd="${${_systemd_analyze_cmds[(r)$words[1]:*]%%:*}}"
if (( $#cmd )); then
if (( $+functions[_systemd-analyze_$cmd] )) && (( CURRENT == 2 )); then
_systemd-analyze_$cmd
else
_message "no more options"
fi
2013-08-23 03:25:28 +00:00
else
2019-04-05 09:39:14 +00:00
_message "unknown systemd-analyze command: $words[1]"
2013-08-23 03:25:28 +00:00
fi
fi
2019-04-05 09:39:14 +00:00
}
2013-07-29 19:12:55 +00:00
_arguments \
2024-04-15 08:58:48 +00:00
'(- *)'{-h,--help}'[Show help text]' \
'(- *)--version[Show package version]' \
2015-01-12 20:43:45 +00:00
'--system[Operate on system systemd instance]' \
'--user[Operate on user systemd instance]' \
2018-02-08 11:09:28 +00:00
'--global[Show global user instance config]' \
2021-06-30 16:57:54 +00:00
'--root=[Add support for root argument]:PATH' \
2021-06-30 17:02:51 +00:00
'--image=[Add support for discrete images]:PATH' \
systemd-analyze: option to exit with an error when 'verify' fails
The commit introduces a callback invoked from log_syntax_internal.
Use it from systemd-analyze to gather a list of units that contain
syntax warnings. A new command line option is added to make use of this.
The new option --recursive-errors takes in three possible modes:
1. yes - which is the default. systemd-analyze exits with an error when syntax warnings arise during verification of the
specified units or any of their dependencies.
3. no - systemd-analyze exits with an error when syntax warnings arise during verification of only the selected unit.
Analyzing and loading any dependencies will be skipped.
4. one - systemd-analyze exits with an error when syntax warnings arise during verification
of only the selected units and their direct dependencies.
Below are two service unit files that I created for the purposes of testing:
1. First, we run the commands on a unit that does not have dependencies but has a non-existing key-value setting (i.e. foo = bar).
> cat <<EOF>testcase.service
[Unit]
foo = bar
[Service]
ExecStart = echo hello
EOF
OUTPUT:
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=yes testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=no testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=one testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
2. Next, we run the commands on a unit that is syntactically valid but has a non-existing dependency (i.e. foo2.service)
> cat <<EOF>foobar.service
[Unit]
Requires = foo2.service
[Service]
ExecStart = echo hello
EOF
OUTPUT:
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=yes foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=no foobar.service
maanya-goenka@debian:~/systemd (log-error)$ echo $?
0
maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=one foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
2021-07-26 20:02:17 +00:00
'--recursive-errors=[When verifying a unit, control dependency verification]:MODE' \
2021-11-16 11:23:11 +00:00
'--offline=[Perform a security review of the specified unit files]:BOOL:(yes no)' \
systemd-analyze: add new 'security' option to compare unit's overall exposure level with
--threshold option added to work with security verb and with the --offline option so that
users can determine what qualifies as a security threat. The threshold set by the user is
compared with the overall exposure level assigned to a unit file and if the exposure is
higher than the threshold, 'security' will return a non-zero exit status. The default value
of the --threshold option is 100.
Example Run:
1. testcase.service is a unit file created for testing the --threshold option
maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service
> [Service]
> ExecStart = echo hello
> EOF
For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.
maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ User=/DynamicUser= Service runs as root user 0.4
→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨
maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0
2. Next, we use the same testcase.service file but add an additional --threshold=60 parameter. We would expect 'security' to exit
with a non-zero status because the overall exposure level (= 96) is higher than the set threshold (= 60).
maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ User=/DynamicUser= Service runs as root user 0.4
→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨
maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
2021-08-17 17:40:15 +00:00
'--threshold=[Set a value to compare the overall security exposure level with]: NUMBER' \
2022-10-15 14:06:20 +00:00
'--security-policy=[Use customized requirements to compare unit files against]: PATH' \
2022-12-14 12:31:59 +00:00
"--json=[Generate a JSON output of the security analysis table or plot's raw time data]:MODE:(pretty short off)" \
"--table=[Generate a table of plot's raw time data]" \
2022-10-15 14:06:20 +00:00
'--profile=[Include the specified profile in the security review of units]: PATH' \
2015-01-12 20:43:45 +00:00
'--no-pager[Do not pipe output into a pager]' \
2022-12-14 12:31:59 +00:00
"--no-legend[Do not show the headers and footers for plot's raw time data formats]" \
2021-11-16 11:23:11 +00:00
'--man=[Do (not) check for existence of man pages]:BOOL:(yes no)' \
'--generators=[Do (not) run unit generators]:BOOL:(yes no)' \
2013-07-29 19:12:55 +00:00
'--order[When generating graph for dot, show only order]' \
'--require[When generating graph for dot, show only requirement]' \
2015-01-12 20:43:45 +00:00
'--fuzz=[When printing the tree of the critical chain, print also services, which finished TIMESPAN earlier, than the latest in the branch]:TIMESPAN' \
'--from-pattern=[When generating a dependency graph, filter only origins]:GLOB' \
'--to-pattern=[When generating a dependency graph, filter only destinations]:GLOB' \
2024-04-15 08:58:48 +00:00
'(-H --host)'{-H+,--host=}'[Operate on remote host]:userathost:_sd_hosts_or_user_at_host' \
'(-M --machine)'{-M+,--machine=}'[Operate on local container]:machine:_sd_machines' \
2021-11-16 11:19:42 +00:00
'--quiet[Do not show hints]' \
2018-12-24 11:15:38 +00:00
'*::systemd-analyze commands:_systemd-analyze_commands'
