diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in index 4c29128f714..8d1812afcf1 100644 --- a/catalog/systemd.catalog.in +++ b/catalog/systemd.catalog.in @@ -533,9 +533,10 @@ Subject: TPM PCR Extended Defined-By: systemd Support: %SUPPORT_URL% -The string '@MEASURING@' has been extended into Trusted Platform Module's (TPM) -Platform Configuration Register (PCR) @PCR@, on banks @BANKS@. +The Trusted Platform Module's (TPM) Platform Configuration Register (PCR) +@PCR@, on banks @BANKS@, has been extended with the string '@MEASURING@'. -Whenever the system transitions to a new runtime phase, a different string is -extended into the specified PCR, to ensure that security policies for TPM-bound -secrets and other resources are limited to specific phases of the runtime. +Whenever the system transitions to a new runtime phase, the specified PCR is +extended with a different string, to ensure that security policies for +TPM-bound secrets and other resources are limited to specific phases of the +runtime. diff --git a/man/bootctl.xml b/man/bootctl.xml index f03f836746f..c9edf77b373 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml @@ -429,7 +429,7 @@ $ bootctl status System: Firmware: UEFI 2.40 (firmware-version) ← firmware vendor and version - Secure Boot: disabled (setup) ← secure boot status + Secure Boot: disabled (setup) ← Secure Boot status TPM2 Support: yes Boot into FW: supported ← does the firmware support booting into itself diff --git a/man/journalctl.xml b/man/journalctl.xml index d9ee51b302a..109797776e6 100644 --- a/man/journalctl.xml +++ b/man/journalctl.xml @@ -18,7 +18,7 @@ journalctl - Print log entries from the the systemd journal + Print log entries from the systemd journal @@ -664,7 +664,8 @@ Forward Secure Sealing (FSS) Options - The following options make be used together with the command, see below. + The following options may be used together with the command described + below: diff --git a/man/kernel-install.xml b/man/kernel-install.xml index f3fdc961f4d..e50aeee9499 100644 --- a/man/kernel-install.xml +++ b/man/kernel-install.xml @@ -198,8 +198,8 @@ $KERNEL_INSTALL_MACHINE_ID is set for the plugins to the desired machine-id to use. It's always a 128-bit ID. Normally it's read from /etc/machine-id, but it can - also be overridden via $MACHINE_ID (see below). If not specified via these methods a - fallback value will generated by kernel-install, and used only for a single + also be overridden via $MACHINE_ID (see below). If not specified via these methods, + a fallback value will generated by kernel-install and used only for a single invocation. $KERNEL_INSTALL_ENTRY_TOKEN is set for the plugins to the desired entry diff --git a/man/loader.conf.xml b/man/loader.conf.xml index 245f4c45366..80122177e50 100644 --- a/man/loader.conf.xml +++ b/man/loader.conf.xml @@ -228,19 +228,22 @@ Danger: this feature might soft-brick your device if used improperly. Takes one of off, manual or force. - Controls the enrollment of secure boot keys. If set to off, no action whatsoever + Controls the enrollment of Secure Boot keys. If set to off, no action whatsoever is taken. If set to manual (the default) and the UEFI firmware is in setup-mode then entries to manually enroll Secure Boot variables are created in the boot menu. If set to force, in addition, if a directory named /loader/keys/auto/ exists on the ESP then the keys in that directory are enrolled automatically. - The different sets of variables can be set up under /loader/keys/NAME - where NAME is the name that is going to be used as the name of the entry. - This allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime. + The different sets of variables can be set up under + /loader/keys/NAME where + NAME is the name that is going to be used as the name of the entry. This + allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime. + - Supported secure boot variables are one database for authorized images, one key exchange key (KEK) - and one platform key (PK). For more information, refer to the UEFI specification, - under Secure Boot and Driver Signing. Another resource that describe the interplay of the different variables is the + Supported Secure Boot variables are one database for authorized images, one key exchange key + (KEK) and one platform key (PK). For more information, refer to the UEFI specification, under Secure Boot and Driver + Signing. Another resource that describe the interplay of the different variables is the EDK2 documentation. @@ -294,17 +297,17 @@ sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth Work around BitLocker requiring a recovery key when the boot loader was updated (disabled by default). - Try to detect BitLocker encrypted drives along with an active TPM. If both are found - and Windows Boot Manager is selected in the boot menu, set the BootNext - EFI variable and restart the system. The firmware will then start Windows Boot Manager - directly, leaving the TPM PCRs in expected states so that Windows can unseal the encryption - key. This allows systemd-boot to be updated without having to provide the recovery key for - BitLocker drive unlocking. + Try to detect BitLocker encrypted drives along with an active TPM. If both are found and + Windows Boot Manager is selected in the boot menu, set the BootNext EFI variable + and restart the system. The firmware will then start Windows Boot Manager directly, leaving the TPM + PCRs in expected states so that Windows can unseal the encryption key. This allows + systemd-boot7 to + be updated without having to provide the recovery key for BitLocker drive unlocking. Note that the PCRs that Windows uses can be configured with the Configure TPM platform validation profile for native UEFI firmware configurations group policy under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. - When secure boot is enabled, changing this to PCRs 0,2,7,11 should be safe. + When Secure Boot is enabled, changing this to PCRs 0,2,7,11 should be safe. The TPM key protector needs to be removed and then added back for the PCRs on an already encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed up booting into Windows. diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml index b6544cf65d5..19e7aa237ac 100644 --- a/man/nss-myhostname.xml +++ b/man/nss-myhostname.xml @@ -109,7 +109,9 @@ rpc: db files netgroup: nis - To test, use glibc's getent tool: + To test, use glibc's + getent1 + tool: $ getent ahosts `hostname` ::1 STREAM omega diff --git a/man/os-release.xml b/man/os-release.xml index 7325f840b9c..113ef9fc18a 100644 --- a/man/os-release.xml +++ b/man/os-release.xml @@ -451,12 +451,12 @@ PORTABLE_PREFIXES= Takes a space-separated list of one or more valid prefix match strings for the - Portable Services logic. This field - serves two purposes: it is informational, identifying portable service images as such (and thus - allowing them to be distinguished from other OS images, such as bootable system images). It is also - used when a portable service image is attached: the specified or implied portable service prefix is - checked against the list specified here, to enforce restrictions how images may be attached to a - system. + Portable Services Documentation logic. + This field serves two purposes: it is informational, identifying portable service images as such + (and thus allowing them to be distinguished from other OS images, such as bootable system images). + It is also used when a portable service image is attached: the specified or implied portable + service prefix is checked against the list specified here, to enforce restrictions how images may + be attached to a system. diff --git a/man/pam_systemd_home.xml b/man/pam_systemd_home.xml index 9fa0e0a7e7c..9d07aa96c76 100644 --- a/man/pam_systemd_home.xml +++ b/man/pam_systemd_home.xml @@ -97,13 +97,14 @@ Module Types Provided - The module implements all four PAM operations: (reason: to allow - authentication using the encrypted data), (reason: users with + The module implements all four PAM operations: (to allow authentication using + the encrypted data), (because users with systemd-homed.service user accounts are described in a JSON user record and may be configured in more detail than - in the traditional Linux user database), (user sessions must be tracked in order - to implement automatic release when the last session of the user is gone), (to - change the encryption password — also used for user authentication — through PAM). + in the traditional Linux user database), (because user sessions must be tracked + in order to implement automatic release when the last session of the user is gone), + (to change the encryption password — also used for user authentication — + through PAM). diff --git a/man/portablectl.xml b/man/portablectl.xml index 963361e28cb..162db7658a6 100644 --- a/man/portablectl.xml +++ b/man/portablectl.xml @@ -48,7 +48,7 @@ and transfer them as a whole between systems. When these images are attached the local system the contained units may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing, depending on the selected configuration. For more details, see - Portable Services. + Portable Services Documentation. Specifically portable service images may be of the following kind: @@ -367,7 +367,7 @@ os-release5. Images can be block images, btrfs subvolumes or directories. For more information on portable services with extensions, see the Extension Images paragraph on - Portable Services. + Portable Services Documentation. Note that the same extensions have to be specified, in the same order, when attaching diff --git a/man/repart.d.xml b/man/repart.d.xml index 1da38a4e91b..846e1984e59 100644 --- a/man/repart.d.xml +++ b/man/repart.d.xml @@ -427,9 +427,11 @@ This option cannot be combined with CopyBlocks=. - When systemd-repart is invoked with the or - command line switches the source paths specified are taken relative to the - specified root directory or disk image root. + When + systemd-repart8 + is invoked with the or command line switches the + source paths specified are taken relative to the specified root directory or disk image root. + @@ -492,7 +494,7 @@ to off or data, the partition is populated with content as specified by CopyBlocks= or CopyFiles=. If set to hash, the partition will be populated with verity hashes from the matching verity - data partition. If set to signature, The partition will be populated with a JSON + data partition. If set to signature, the partition will be populated with a JSON object containing a signature of the verity root hash of the matching verity hash partition. A matching verity partition is a partition with the same verity match key (as configured with diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml index bfc93b3eeb8..64ded052e16 100644 --- a/man/systemd-boot.xml +++ b/man/systemd-boot.xml @@ -56,7 +56,7 @@ A reboot into the UEFI firmware setup option, if supported by the firmware. - Secure boot variables enrollement if the UEFI firmware is in setup-mode and files are provided + Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided on the ESP. @@ -95,7 +95,7 @@ with a 'system token' stored in a persistent EFI variable and derives a random seed to use by the OS as entropy pool initialization, providing a full entropy pool during early boot. - The boot manager allows for secure boot variables to be enrolled if the UEFI firmware is + The boot manager allows for Secure Boot variables to be enrolled if the UEFI firmware is in setup-mode. Additionally, variables can be automatically enrolled if configured. diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml index 003fbcd4635..49d78ee7fcc 100644 --- a/man/systemd-creds.xml +++ b/man/systemd-creds.xml @@ -359,7 +359,7 @@ Takes a path to a TPM2 PCR signature file as generated by the systemd-measure1 tool and that may be used to allow the decrypt command to decrypt credentials that - are bound to specific signed PCR values. If this this is not specified explicitly, and a credential + are bound to specific signed PCR values. If this is not specified explicitly, and a credential with a signed PCR policy is attempted to be decrypted, a suitable signature file tpm2-pcr-signature.json is searched for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in this order) and diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index ad338cdcc5e..e4b03936a60 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -288,7 +288,7 @@ 7 - Secure boot state; changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) changes. The shim project will measure most of its (non-MOK) certificates and SBAT data into this PCR. + Secure Boot state; changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) changes. The shim project will measure most of its (non-MOK) certificates and SBAT data into this PCR. @@ -312,7 +312,7 @@ 12 - systemd-boot7 measures any specified kernel command line into this PCR. systemd-stub7 measures any manually specified kernel command line (i.e. a kernel command line that overrides the one embedded in the unified PE image) and loaded credentials into this PCR. (Note that if systemd-boot and systemd-stub are used in combination the command line might be measured twice!) + systemd-boot7 measures the kernel command line into this PCR. systemd-stub7 measures any manually specified kernel command line (i.e. a kernel command line that overrides the one embedded in the unified PE image) and loaded credentials into this PCR. (Note that if systemd-boot and systemd-stub are used in combination the command line might be measured twice!) @@ -382,7 +382,7 @@ The option takes a path to a TPM2 PCR signature file as generated by the systemd-measure1 - tool. If this this is not specified explicitly a suitable signature file + tool. If this is not specified explicitly a suitable signature file tpm2-pcr-signature.json is searched for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in this order) and used. If a signature file is specified or found it is used to verify if the volume can be unlocked diff --git a/man/systemd-cryptsetup-generator.xml b/man/systemd-cryptsetup-generator.xml index 5ba024a866b..feaf64bf752 100644 --- a/man/systemd-cryptsetup-generator.xml +++ b/man/systemd-cryptsetup-generator.xml @@ -63,7 +63,7 @@ no, causes the generator to ignore any devices configured in /etc/crypttab (luks.uuid= will still work however). rd.luks.crypttab= is honored only in initrd while - luks.crypttab= is honored by both the main system and the initrd. + luks.crypttab= is honored by both the main system and in the initrd. @@ -75,7 +75,7 @@ part of the boot process as if it was listed in /etc/crypttab. This option may be specified more than once in order to set up multiple devices. rd.luks.uuid= is honored only in the initrd, while luks.uuid= is honored by both the main system - and the initrd. + and in the initrd. If /etc/crypttab contains entries with the same UUID, then the name, keyfile and options specified there will be used. Otherwise, the device will have the name @@ -101,7 +101,7 @@ 5 field volume-name. rd.luks.name= is honored only in the initrd, while - luks.name= is honored by both the main system and the initrd. + luks.name= is honored by both the main system and in the initrd. @@ -203,7 +203,7 @@ rd.luks.options= is honored only by initial RAM disk (initrd) while luks.options= is - honored by both the main system and the initrd. + honored by both the main system and in the initrd. diff --git a/man/systemd-integritysetup-generator.xml b/man/systemd-integritysetup-generator.xml index 44248b2e801..3e788f1c986 100644 --- a/man/systemd-integritysetup-generator.xml +++ b/man/systemd-integritysetup-generator.xml @@ -27,8 +27,8 @@ Description - systemd-integritysetup-generator is a generator that translates /etc/integritytab entries into - native systemd units early at boot. This will create + systemd-integritysetup-generator is a generator that translates + /etc/integritytab entries into native systemd units early at boot. This will create systemd-integritysetup@.service8 units as necessary. diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml index 14ce5337729..6c53d61d545 100644 --- a/man/systemd-measure.xml +++ b/man/systemd-measure.xml @@ -78,12 +78,13 @@ seen in TPM2 PCR register 11 after boot-up of a unified kernel image. Then, cryptographically sign the resulting values with the private/public key pair (RSA) configured via and . This will write a JSON object to - standard output that contains signatures for all specified PCR banks (see - ) below, which may be used to unlock encrypted credentials (see + standard output that contains signatures for all specified PCR banks (see the + option below), which may be used to unlock encrypted credentials (see systemd-creds1) or LUKS volumes (see - systemd-cryptsetup@.service8). This - allows binding secrets to a set of kernels for which such PCR 11 signatures can be provided. + systemd-cryptsetup@.service8). + This allows binding secrets to a set of kernels for which such PCR 11 signatures can be + provided. Note that a TPM2 device must be available for this signing to take place, even though the result is not tied to any TPM2 device or its state. @@ -98,13 +99,13 @@ - - - - - - - + + + + + + + When used with the calculate or sign verb, configures the files to read the unified kernel image components from. Each option corresponds with @@ -122,7 +123,7 @@ - + Controls the PCR banks to pre-calculate the PCR values for – in case calculate or sign is invoked –, or the banks to show in the @@ -132,8 +133,8 @@ - - + + These switches take paths to a pair of PEM encoded RSA key files, for use with the sign command. diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index ec308927df6..be2c3882d71 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1374,7 +1374,7 @@ After=sys-subsystem-net-devices-ens1.device If is used, any user in the range seen from inside of the container is mapped to in the - range on the host. All host users outside of that range are mapped to + range on the host. Other host users are mapped to inside the container. If is used, any user in the UID range as seen from inside the container is mapped to the same diff --git a/man/systemd-oomd.service.xml b/man/systemd-oomd.service.xml index dc02abd307e..45c791b8311 100644 --- a/man/systemd-oomd.service.xml +++ b/man/systemd-oomd.service.xml @@ -36,7 +36,8 @@ You can enable monitoring and actions on units by setting ManagedOOMSwap= and ManagedOOMMemoryPressure= in the unit configuration, see systemd.resource-control5. - systemd-oomd retrieves information about such units from systemd + systemd-oomd retrieves information about such units from + systemd1 when it starts and watches for subsequent changes. Cgroups of units with ManagedOOMSwap= or diff --git a/man/systemd-pcrphase.service.xml b/man/systemd-pcrphase.service.xml index 9b7cc80b3a7..3012d986247 100644 --- a/man/systemd-pcrphase.service.xml +++ b/man/systemd-pcrphase.service.xml @@ -35,75 +35,73 @@ Description systemd-pcrphase.service, - systemd-pcrphase-sysinit.service and + systemd-pcrphase-sysinit.service, and systemd-pcrphase-initrd.service are system services that measure specific strings into TPM2 PCR 11 during boot at various milestones of the boot process. These services require systemd-stub7 to be - used in a unified kernel image (UKI) setup. They execute no operation when invoked when the stub has not - been used to invoke the kernel. The stub will measure the invoked kernel and associated vendor resources - into PCR 11 before handing control to it; once userspace is invoked these services then will extend - certain literal strings indicating various phases of the boot process into TPM2 PCR 11. During a regular - boot process the following strings are extended into PCR 11. + used in a unified kernel image (UKI). They execute no operation when the stub has not been used to invoke + the kernel. The stub will measure the invoked kernel and associated vendor resources into PCR 11 before + handing control to it; once userspace is invoked these services then will extend TPM2 PCR 11 with certain + literal strings indicating phases of the boot process. During a regular boot process the following + strings are used: - enter-initrd is extended into PCR 11 early when the initrd - initializes, before activating system extension images for the initrd. It is supposed to act as barrier - between the time where the kernel initializes, and where the initrd starts operating and enables - system extension images, i.e. code shipped outside of the UKI. (This string is extended at start of - systemd-pcrphase-initrd.service.) + enter-initrd — early when the initrd initializes, before activating + system extension images for the initrd. It acts as a barrier between the time where the kernel + initializes and where the initrd starts operating and enables system extension images, i.e. code + shipped outside of the UKI. (This extension happens when + systemd-pcrphase-initrd.service is started.) - leave-initrd is extended into PCR 11 when the initrd is about to - transition into the host file system, i.e. when it achieved its purpose. It is supposed to act as - barrier between kernel/initrd code and host OS code. (This string is extended at stop of - systemd-pcrphase-initrd.service.) + leave-initrd — when the initrd is about to transition into the host + file system. It acts as barrier between initrd code and host OS code. (This extension happens when + systemd-pcrphase-initrd.service is stopped.) - sysinit is extended into PCR 11 when basic system initialization is - complete (which includes local file systems have been mounted), and the system begins starting regular - system services. (This string is extended at start of - systemd-pcrphase-sysinit.service.) + sysinit — when basic system initialization is complete (which + includes local file systems having been mounted), and the system begins starting regular system + services. (This extension happens when systemd-pcrphase-sysinit.service is + started.) - ready is extended into PCR 11 during later boot-up, after remote - file systems have been activated (i.e. after remote-fs.target), but before users - are permitted to log in (i.e. before systemd-user-sessions.service). It is - supposed to act as barrier between the time where unprivileged regular users are still prohibited to - log in and where they are allowed to log in. (This string is extended at start of - systemd-pcrphase.service.) + ready — during later boot-up, after remote file systems have been + activated (i.e. after remote-fs.target), but before users are permitted to log in + (i.e. before systemd-user-sessions.service). It acts as barrier between the time + where unprivileged regular users are still prohibited to log in and where they are allowed to log in. + (This extension happens when systemd-pcrphase.service is started.) + - shutdown is extended into PCR 11 when system shutdown begins. It is - supposed to act as barrier between the time the system is fully up and running and where it is about to - shut down. (This string is extended at stop of - systemd-pcrphase.service.) - - final is extended into PCR 11 at the end of system shutdown. It is - supposed to act as barrier between the time the service manager still runs and when it transitions into - the final boot phase where service management is not available anymore. (This string is extended at - stop of systemd-pcrphase-sysinit.service.) + shutdown — when the system shutdown begins. It acts as barrier + between the time the system is fully up and running and where it is about to shut down. (This extension + happens when systemd-pcrphase.service is stopped.) + final — at the end of system shutdown. It acts as barrier between + the time the service manager still runs and when it transitions into the final shutdown phase where + service management is not available anymore. (This extension happens when + systemd-pcrphase-sysinit.service is stopped.) - During a regular system lifecycle, the strings enter-initrd → - leave-initrdsysinitready → - shutdownfinal are extended into PCR 11, one after the - other. + During a regular system lifecycle, PCR 11 is extended with the strings + enter-initrd, leave-initrd, sysinit, + ready, shutdown, and final. Specific phases of the boot process may be referenced via the series of strings measured, separated - by colons (the "boot path"). For example, the boot path for the regular system runtime is + by colons (the "phase path"). For example, the phase path for the regular system runtime is enter-initrd:leave-initrd:sysinit:ready, while the one for the initrd is just - enter-initrd. The boot path for the the boot phase before the initrd, is an empty - string; because that's hard to pass around a single colon (:) may be used - instead. Note that the aforementioned six strings are just the default strings and individual systems - might measure other strings at other times, and thus implement different and more fine-grained boot - phases to bind policy to. + enter-initrd. The phase path for the boot phase before the initrd is an empty string; + because that's hard to pass around a single colon (:) may be used instead. Note that + the aforementioned six strings are just the default strings and individual systems might measure other + strings at other times, and thus implement different and more fine-grained boot phases to bind policy + to. - By binding policy of TPM2 objects to a specific boot path it is possible to restrict access to them - to specific phases of the boot process, for example making it impossible to access the root file system's - encryption key after the system transitioned from the initrd into the host root file system. + By binding policy of TPM2 objects to a specific phase path it is possible to restrict access to + them to specific phases of the boot process, for example making it impossible to access the root file + system's encryption key after the system transitioned from the initrd into the host root file system. + Use systemd-measure1 to - pre-calculate expected PCR 11 values for specific boot phases (via the switch). + pre-calculate expected PCR 11 values for specific boot phases (via the switch). + diff --git a/man/systemd-portabled.service.xml b/man/systemd-portabled.service.xml index 61f2c5ca9e5..6dacea5e9b7 100644 --- a/man/systemd-portabled.service.xml +++ b/man/systemd-portabled.service.xml @@ -35,8 +35,8 @@ Most of systemd-portabled's functionality is accessible through the portablectl1 command. - See Portable Services for details about - the concepts this service implements. + See the Portable Services Documentation + for details about the concepts this service implements. diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml index 99436ced59d..39a16d8e8fb 100644 --- a/man/systemd-sysext.xml +++ b/man/systemd-sysext.xml @@ -98,16 +98,16 @@ suitable for shipping resources that are processed by subsystems running in earliest boot. Specifically, OS extension images are not suitable for shipping system services or systemd-sysusers8 - definitions. See Portable Services for a simple - mechanism for shipping system services in disk images, in a similar fashion to OS extensions. Note the - different isolation on these two mechanisms: while system extension directly extend the underlying OS - image with additional files that appear in a way very similar to as if they were shipped in the OS image - itself and thus imply no security isolation, portable services imply service level sandboxing in one way - or another. The systemd-sysext.service service is guaranteed to finish start-up - before basic.target is reached; i.e. at the time regular services initialize (those - which do not use DefaultDependencies=no), the files and directories system extensions - provide are available in /usr/ and /opt/ and may be - accessed. + definitions. See the Portable Services Documentation + for a simple mechanism for shipping system services in disk images, in a similar fashion to OS + extensions. Note the different isolation on these two mechanisms: while system extension directly extend + the underlying OS image with additional files that appear in a way very similar to as if they were + shipped in the OS image itself and thus imply no security isolation, portable services imply service + level sandboxing in one way or another. The systemd-sysext.service service is + guaranteed to finish start-up before basic.target is reached; i.e. at the time + regular services initialize (those which do not use DefaultDependencies=no), the files + and directories system extensions provide are available in /usr/ and + /opt/ and may be accessed. Note that there is no concept of enabling/disabling installed system extension images: all installed extension images are automatically activated at boot. However, you can place an empty directory diff --git a/man/systemd-veritysetup-generator.xml b/man/systemd-veritysetup-generator.xml index 331b5c07bc5..37ded91a936 100644 --- a/man/systemd-veritysetup-generator.xml +++ b/man/systemd-veritysetup-generator.xml @@ -27,8 +27,8 @@ Description - systemd-veritysetup-generator is a generator that translates kernel command line options - configuring verity protected block devices into native systemd units early at boot and when + systemd-veritysetup-generator is a generator that translates kernel command line + options configuring verity protected block devices into native systemd units early at boot and when configuration of the system manager is reloaded. This will create systemd-veritysetup@.service8 units as necessary. @@ -36,14 +36,14 @@ Currently, only two verity devices may be set up with this generator, backing the root and /usr file systems of the OS. - systemd-veritysetup-generator implements + systemd-veritysetup-generator implements systemd.generator7. Kernel Command Line - systemd-veritysetup-generator + systemd-veritysetup-generator understands the following kernel command line parameters: @@ -98,7 +98,8 @@ systemd.verity_usr_hash= systemd.verity_usr_options= - Equivalent to their counterparts for the root file system as described above, but apply to the /usr/ file system instead. + Equivalent to their counterparts for the root file system as described above, but + apply to the /usr/ file system instead. diff --git a/man/systemd-volatile-root.service.xml b/man/systemd-volatile-root.service.xml index e55526070cc..0d3b40211aa 100644 --- a/man/systemd-volatile-root.service.xml +++ b/man/systemd-volatile-root.service.xml @@ -37,10 +37,10 @@ stateless systems. This service is only enabled if full volatile mode is selected, for example by specifying - systemd.volatile=yes on the kernel command line. This service runs only in the initrdyes, + systemd.volatile=yes on the kernel command line. This service runs only in the initrd, before the system transitions to the host's root directory. Note that this service is not used if - systemd.volatile=state is used, as in that mode the root directory is - non-volatile. + systemd.volatile=state is used, as in that mode the root directory is non-volatile. + diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d7480d266cd..3ee0484e946 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -727,9 +727,9 @@ CapabilityBoundingSet=~CAP_B CAP_C Note that this setting only has an effect on the unit's processes themselves (or any processes directly or indirectly forked off them). It has no effect on processes potentially invoked on request of them through tools such as at1p, + project='man-pages'>at1, crontab1p, + project='man-pages'>crontab1, systemd-run1, or arbitrary IPC services. @@ -934,7 +934,7 @@ CapabilityBoundingSet=~CAP_B CAP_C LimitNOFILE= ulimit -n Number of File Descriptors - Don't use. Be careful when raising the soft limit above 1024, since select() cannot function with file descriptors above 1023 on Linux. Nowadays, the hard limit defaults to 524288, a very high value compared to historical defaults. Typically applications should increase their soft limit to the hard limit on their own, if they are OK with working with file descriptors above 1023, i.e. do not use select(). Note that file descriptors are nowadays accounted like any other form of memory, thus there should not be any need to lower the hard limit. Use MemoryMax= to control overall service memory use, including file descriptor memory. + Don't use. Be careful when raising the soft limit above 1024, since select2 cannot function with file descriptors above 1023 on Linux. Nowadays, the hard limit defaults to 524288, a very high value compared to historical defaults. Typically applications should increase their soft limit to the hard limit on their own, if they are OK with working with file descriptors above 1023, i.e. do not use select2. Note that file descriptors are nowadays accounted like any other form of memory, thus there should not be any need to lower the hard limit. Use MemoryMax= to control overall service memory use, including file descriptor memory. LimitAS= @@ -3173,11 +3173,13 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX 11) with a prefix of io.systemd.credential: or io.systemd.credential.binary:. In both cases a key/value pair separated by = is expected, in the latter case the right-hand side is Base64 decoded when - parsed (thus permitting binary data to be passed in). Example qemu switch: -smbios + parsed (thus permitting binary data to be passed in). Example + qemu + switch: -smbios type=11,value=io.systemd.credential:xx=yy, or -smbios type=11,value=io.systemd.credential.binary:rick=TmV2ZXIgR29ubmEgR2l2ZSBZb3UgVXA=. Alternatively, use the qemu fw_cfg node - opt/io.systemd.credentials/. Example qemu switch: -fw_cfg + opt/io.systemd.credentials/. Example qemu switch: -fw_cfg name=opt/io.systemd.credentials/mycred,string=supersecret. They may also be specified on the kernel command line using the systemd.set_credential= switch (see systemd1) and from diff --git a/man/systemd.link.xml b/man/systemd.link.xml index cc55b02b182..c0167b1c86a 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml @@ -1116,7 +1116,7 @@ links. [Link] -NamePolicy=kernel database onboard slot path +NamePolicy=kernel database on-board slot path MACAddressPolicy=persistent diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d83141de110..ccdbc49b1d8 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2297,7 +2297,7 @@ allow my_server_t localnet_peer_t:peer recv; [DHCPPrefixDelegation] Section Options The [DHCPPrefixDelegation] section configures subnet prefixes of the delegated prefixes - acquired by a DHCPv6 client, or by a DHCPv4 client through the 6RD option on another interface. + acquired by a DHCPv6 client or by a DHCPv4 client through the 6RD option on another interface. The settings in this section are used only when the DHCPPrefixDelegation= setting in the [Network] section is enabled. diff --git a/man/systemd.path.xml b/man/systemd.path.xml index f8748bf700a..834f480b5ce 100644 --- a/man/systemd.path.xml +++ b/man/systemd.path.xml @@ -210,7 +210,7 @@ See Also Environment variables with details on the trigger will be set for triggered units. See the Environment Variables Set on Triggered Units section in - systemd.exec1 + systemd.exec5 for more details. systemd1, diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 1142ad7758f..a74a401ef7e 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -1139,8 +1139,9 @@ DeviceAllow=/dev/loop-control systemd 252 Options for controlling the Legacy Control Group Hierarchy (Control Groups version 1 are - now fully deprecated: CPUShares=weight, + url="https://docs.kernel.org/admin-guide/cgroup-v1/index.html">Control Groups version 1) + are now fully deprecated: + CPUShares=weight, StartupCPUShares=weight, MemoryLimit=bytes, BlockIOAccounting=, @@ -1150,8 +1151,7 @@ DeviceAllow=/dev/loop-control weight, BlockIOReadBandwidth=device bytes, - BlockIOWriteBandwidth=device - bytes. + BlockIOWriteBandwidth=device bytes. Please switch to the unified cgroup hierarchy. diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml index 953faa9b334..a8c8241c94e 100644 --- a/man/systemd.timer.xml +++ b/man/systemd.timer.xml @@ -368,7 +368,7 @@ See Also Environment variables with details on the trigger will be set for triggered units. See the Environment Variables Set on Triggered Units section in - systemd.exec1 + systemd.exec5 for more details. systemd1, diff --git a/man/sysupdate.d.xml b/man/sysupdate.d.xml index 3540b441760..bdf4bcbf7a5 100644 --- a/man/sysupdate.d.xml +++ b/man/sysupdate.d.xml @@ -432,7 +432,7 @@ [Transfer] Section Options - This section defines general properties of this transfer: + This section defines general properties of this transfer. @@ -485,7 +485,7 @@ [Source] Section Options - This section defines properties of the transfer source: + This section defines properties of the transfer source. @@ -535,7 +535,7 @@ [Target] Section Options - This section defines properties of the transfer target: + This section defines properties of the transfer target. @@ -546,7 +546,8 @@ subvolume. For details about the resource types, see above. This option is mandatory. - Note that only some combinations of source and target resource types are supported, see above. + Note that only certain combinations of source and target resource types are supported, see + above. @@ -625,7 +626,7 @@ Discoverable Partitions Specification, similar to the PartitionNoAuto= and PartitionGrowFileSystem= flags described above. If the target type is - regular-file, the writable bit is removed from the access mode. If the the + regular-file, the writable bit is removed from the access mode. If the target type is subvolume, the subvolume will be marked read-only as a whole. Finally, if the target Type= is selected as directory, the "immutable" file attribute is set, see If the target Type= is selected as partition, the number of concurrent versions to keep is additionally restricted by the number of partition slots of the - right type in the partition table. i.e. if there are only 2 partition slots for the selected + right type in the partition table. I.e. if there are only 2 partition slots for the selected partition type, setting this value larger than 2 is without effect, since no more than 2 concurrent versions could be stored in the image anyway. diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index bd3bc33ab4d..2b4b4f37bcb 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -88,8 +88,9 @@ A+ /path-or-glob/to/append/acls/recursively - - - - POSIX /sys/ or /proc/, as well as some other directories below /var/). - systemd-tmpfiles uses this configuration to create volatile files and - directories during boot and to do periodic cleanup afterwards. See + systemd-tmpfiles5 + uses this configuration to create volatile files and directories during boot and to do periodic cleanup + afterwards. See systemd-tmpfiles5 for the description of systemd-tmpfiles-setup.service, systemd-tmpfiles-clean.service, and associated units. diff --git a/man/udevadm.xml b/man/udevadm.xml index ee0658dc14c..0298123c65f 100644 --- a/man/udevadm.xml +++ b/man/udevadm.xml @@ -866,7 +866,7 @@ the "whole" block device in case a partition block device is specified. The devices will be sorted by their device node major number as primary ordering key and the minor number as secondary ordering key (i.e. they are shown in the order they'd be locked). Note that the number of lines - printed here can be less than the the number of and + printed here can be less than the number of and switches specified in case these resolve to the same "whole" devices.