This adds a new ProtectSystem= setting that mirrors the option of the
same of services, but in a more restrictive way. If enabled will remount
/usr/ to read-only, very early at boot. Takes a special value "auto"
(which is the default) which is equivalent to true in the initrd, and
false otherwise.
Unlike the per-service option we don't support full/strict modes, but
the door is open to eventually support that too if it makes sense. It's
not entirely trivial though as we have very little mounted this early,
and hence the mechanism might not apply 1:1. Hence in this PR is a
conservative first step.
My primary goal with this is to lock down initrds a bit, since they
conceptually are mostly immutable, but they are unpacked into a mutable
tmpfs. let's tighten the screws a bit on that, and at least make /usr/
immutable.
This is particularly nice on USIs (i.e. Unified System Images, that pack
a whole OS into a UKI without transitioning out of it), such as
diskomator.
As pointed out in https://github.com/systemd/systemd/issues/29814, we need to
use phrases are are meaningful on their own, because the man page formatter
creates a list at the bottom. With <ulink>see docs</ulink>, we end up with:
NOTES:
1. see docs
https://some.url/page
2. see docs
https://some.url/page2
which is not very useful :(
Also, the text inside the tag should not include punctuation.
Python helper:
from xml_helper import xml_parse
for p in glob.glob('../man/*.xml'):
t = xml_parse(p)
ulinks = t.iterfind('.//ulink')
for ulink in ulinks:
if ulink.text is None: continue
text = ' '.join(ulink.text.split())
print(f'{p}: {text}')
As I noticed a lot of missing information when trying to implement checking
for missing info. I reimplemented the version information script to be more
robust, and here is the result.
Follow up to ec07c3c80b
This tries to add information about when each option was added. It goes
back to version 183.
The version info is included from a separate file to allow generating it,
which would allow more control on the formatting of the final output.
The order of the description of each item should match the order that they are declared. Un-document effect of deprecated non-unified CGroup hierarchy on
DefaultCPUAccounting=. Mention that the default value for DefaultCPUAccouting= is
affected by the kernel version.
This enables the ManagerEnvironment= settings in the user's user.conf to
reference some user data like $HOME for the purpose of setting
environment variables derived from these values.
This changes the PSI window duration we default to for watching memory
pressure events from 1s to 2s. This is because apparently the kernel
will soon disallow window durations other than 2s for unprivileged
processes.
Hence, we'll bump the threshold from 100m to 200ms, and the window from
1s to 2s.
For any user on a semi-recent kernel, effectively this setting is pointless.
We should deprecate it once not needed anymore for the v1 hierarchy. For
now, adjust the description.
Config options are -Ddefault-timeout-sec= and -Ddefault-user-timeout-sec=.
Existing -Dupdate-helper-user-timeout= is renamed to -Dupdate-helper-user-timeout-sec=
for consistency. All three options take an integer value in seconds. The
renaming and type-change of the option is a small compat break, but it's just
at compile time and result in a clear error message. I also doubt that anyone was
actually using the option.
This commit separates the user manager timeouts, but keeps them unchanged at 90 s.
The timeout for the user manager is set to 4/3*user-timeout, which means that it
is still 120 s.
Fedora wants to experiment with lower timeouts, but doing this via a patch would
be annoying and more work than necessary. Let's make this easy to configure.
Reloading is a heavy-weight operation, and currently it is not
possible to stop an orchestrator from spamming reload requests.
Add configuration options to allow rate-limiting.
The general idea is that users should be able to figure out if some option
that they see in a config file or on some internet page is something that
systemd knows about. Once users know that, yes, this was an option but has
been deprecated and removed from the documentation, it's much easier for them
to find any docs in old versions if they want to. Or to switch to something
different.
DefaultSmackProcessLabel tells systemd what label to assign to its child
process in case SmackProcessLabel is not set in the service file. By
default, when DefaultSmackProcessLabel is not set child processes inherit
label from systemd.
If DefaultSmackProcessLabel is set to "/" (which is an invalid character
for a SMACK label) the DEFAULT_SMACK_PROCESS_LABEL set during compilation
is ignored and systemd act as if the option was unset.
This mirrors a similar check in Linux kernel 5.16
(9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the
RLIMIT_MEMLOCK to 8M.
This change does two things: raise the default limit for nspawn
containers (where we try to mimic closely what the kernel does), and
bump it when running on old kernels which still have the lower setting.
Fixes: #16300
See: https://lwn.net/Articles/876288/
Add support for managing and configuring watchdog pretimeout values if
the watchdog hardware supports it. The ping interval is adjusted to
account for a pretimeout so that it will still ping at half the timeout
interval before a pretimeout event would be triggered. By default the
pretimeout defaults to 0s or disabled.
The RuntimeWatchdogPreSec config option is added to allow the pretimeout
to be specified (similar to RuntimeWatchdogSec). The
RuntimeWatchdogPreUSec dbus property is added to override the pretimeout
value at runtime (similar to RuntimeWatchdogUSec). Setting the
pretimeout to 0s will disable the pretimeout.
The code to print unit status formats had a long history, and became a
hard-to-manage mess of duplicate code parts. We would use sprintf() to
format a string, and then call sprintf() again… The code is reworked
to avoid repeated formattings and to streamline printing to the log
and the console.
The approach used in this patch is a bit more complex then in patches by Colin
Walter and Paweł Marciniak, because an allocation is only done if "combined"
format is used. In other cases we return the existing ->id or ->description
strings. The caller can also control whether a shorter or longer status string
should be used. This way the caller can use a shorter format where it makes
sense, for example in the cylon eye output, where we don't have enough
horizontal space.
Patch is based on Colin Walters' https://github.com/systemd/systemd/pull/15957,
and Paweł Marciniak's patch posted on fedora-devel.
Note: for some reason, the functions for printing of start and stop messages
were sepearated by some unrelated functions. They are moved to be consecutive,
but this makes the much more verbose than it would be otherwise. I found it
useful to view in gitk's "new" mode.
Co-authored-by: Colin Walters <walters@verbum.org>
Co-authored-by: Paweł Marciniak <sunwire+git@gmail.com>
Output from a Fedora Rawhide container boot (w/ some follow-up patches to
tweak Descriptions):
Welcome to Fedora 35 (Rawhide Prerelease)!
Queued start job for default target graphical.target.
[ OK ] Created slice system-getty.slice - Slice /system/getty.
[ OK ] Created slice system-modprobe.slice - Slice /system/modprobe.
[ OK ] Created slice system-sshd\x2dkeygen.slice - Slice /system/sshd-keygen.
[ OK ] Created slice user.slice - User and Session Slice.
[ OK ] Started systemd-ask-password-console.path - Dispatch Password Requests to Console Directory Watch.
[ OK ] Started systemd-ask-password-wall.path - Forward Password Requests to Wall Directory Watch.
[ OK ] Reached target cryptsetup.target - Local Encrypted Volumes.
[ OK ] Reached target paths.target - Path Units.
[ OK ] Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
[ OK ] Reached target remote-fs.target - Remote File Systems.
[ OK ] Reached target slices.target - Slice Units.
[ OK ] Reached target swap.target - Swaps.
[ OK ] Reached target veritysetup.target - Local Verity Integrity Protected Volumes.
[ OK ] Listening on systemd-coredump.socket - Process Core Dump Socket.
[ OK ] Listening on systemd-initctl.socket - initctl Compatibility Named Pipe.
[ OK ] Listening on systemd-journald-dev-log.socket - Journal Socket (/dev/log).
[ OK ] Listening on systemd-journald.socket - Journal Socket.
[ OK ] Listening on systemd-networkd.socket - Network Service Netlink Socket.
[ OK ] Listening on systemd-userdbd.socket - User Database Manager Socket.
Mounting dev-hugepages.mount - Huge Pages File System...
Starting systemd-journald.service - Journal Service...
Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
Starting systemd-sysctl.service - Apply Kernel Variables...
[ OK ] Mounted dev-hugepages.mount - Huge Pages File System.
[ OK ] Finished systemd-remount-fs.service - Remount Root and Kernel File Systems.
Starting systemd-hwdb-update.service - Rebuild Hardware Database...
Starting systemd-sysusers.service - Create System Users...
[ OK ] Finished systemd-sysctl.service - Apply Kernel Variables.
[ OK ] Started systemd-journald.service - Journal Service.
Starting systemd-journal-flush.service - Flush Journal to Persistent Storage...
[ OK ] Finished systemd-sysusers.service - Create System Users.
Starting systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev...
[ OK ] Finished systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.
[ OK ] Reached target local-fs-pre.target - Preparation for Local File Systems.
[ OK ] Reached target local-fs.target - Local File Systems.
[ OK ] Reached target machines.target - Containers.
Starting dracut-shutdown.service - Restore /run/initramfs on shutdown...
Starting ldconfig.service - Rebuild Dynamic Linker Cache...
[ OK ] Finished dracut-shutdown.service - Restore /run/initramfs on shutdown.
[ OK ] Finished ldconfig.service - Rebuild Dynamic Linker Cache.
[ OK ] Finished systemd-journal-flush.service - Flush Journal to Persistent Storage.
Starting systemd-tmpfiles-setup.service - Create Volatile Files and Directories...
[ OK ] Finished systemd-tmpfiles-setup.service - Create Volatile Files and Directories.
Starting systemd-journal-catalog-update.service - Rebuild Journal Catalog...
Starting systemd-oomd.service - Userspace Out-Of-Memory (OOM) Killer...
Starting systemd-update-utmp.service - Update UTMP about System Boot/Shutdown...
Starting systemd-userdbd.service - User Database Manager...
[ OK ] Finished systemd-update-utmp.service - Update UTMP about System Boot/Shutdown.
[ OK ] Finished systemd-journal-catalog-update.service - Rebuild Journal Catalog.
[ OK ] Started systemd-userdbd.service - User Database Manager.
[ OK ] Started systemd-oomd.service - Userspace Out-Of-Memory (OOM) Killer.
[ OK ] Finished systemd-hwdb-update.service - Rebuild Hardware Database.
Starting systemd-networkd.service - Network Configuration...
Starting systemd-update-done.service - Update is Completed...
[ OK ] Finished systemd-update-done.service - Update is Completed.
[ OK ] Reached target sysinit.target - System Initialization.
[ OK ] Started dnf-makecache.timer - dnf makecache --timer.
[ OK ] Started logrotate.timer - Daily rotation of log files.
[ OK ] Started systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories.
[ OK ] Reached target timers.target - Timer Units.
[ OK ] Listening on dbus.socket - D-Bus System Message Bus Socket.
[ OK ] Reached target sockets.target - Socket Units.
[ OK ] Reached target basic.target - Basic System.
[ OK ] Reached target sshd-keygen.target.
Starting sysstat.service - Resets System Activity Logs...
Starting systemd-homed.service - Home Area Manager...
Starting systemd-logind.service - User Login Management...
Starting dbus-broker.service - D-Bus System Message Bus...
[FAILED] Failed to start sysstat.service - Resets System Activity Logs.
See 'systemctl status sysstat.service' for details.
[ OK ] Started dbus-broker.service - D-Bus System Message Bus.
[ OK ] Started systemd-homed.service - Home Area Manager.
[ OK ] Finished systemd-homed-activate.service - Home Area Activation.
[ OK ] Started systemd-logind.service - User Login Management.
[ OK ] Started systemd-networkd.service - Network Configuration.
Starting systemd-networkd-wait-online.service - Wait for Network to be Configured...
Starting systemd-resolved.service - Network Name Resolution...
[ OK ] Started systemd-resolved.service - Network Name Resolution.
[ OK ] Reached target network.target - Network.
[ OK ] Reached target nss-lookup.target - Host and Network Name Lookups.
Starting sshd.service - OpenSSH server daemon...
Starting systemd-user-sessions.service - Permit User Sessions...
[ OK ] Finished systemd-user-sessions.service - Permit User Sessions.
[ OK ] Started console-getty.service - Console Getty.
[ OK ] Reached target getty.target - Login Prompts.
[ OK ] Started sshd.service - OpenSSH server daemon.
[ OK ] Reached target multi-user.target - Multi-User System.
[ OK ] Reached target graphical.target - Graphical Interface.
Starting systemd-update-utmp-runlevel.service - Update UTMP about System Runlevel Changes...
[ OK ] Finished systemd-update-utmp-runlevel.service - Update UTMP about System Runlevel Changes.
Fedora 35 (Rawhide Prerelease)
Kernel 5.12.12-300.fc34.x86_64 on an x86_64 (console)
rawhide login: [ OK ] Stopped session-24.scope - Session 24 of User zbyszek.
[ OK ] Removed slice system-getty.slice - Slice /system/getty.
[ OK ] Removed slice system-modprobe.slice - Slice /system/modprobe.
[ OK ] Removed slice system-sshd\x2dkeygen.slice - Slice /system/sshd-keygen.
[ OK ] Stopped target graphical.target - Graphical Interface.
[ OK ] Stopped target multi-user.target - Multi-User System.
[ OK ] Stopped target getty.target - Login Prompts.
[ OK ] Stopped target machines.target - Containers.
[ OK ] Stopped target nss-lookup.target - Host and Network Name Lookups.
[ OK ] Stopped target remote-cryptsetup.target - Remote Encrypted Volumes.
[ OK ] Stopped target timers.target - Timer Units.
[ OK ] Stopped dnf-makecache.timer - dnf makecache --timer.
[ OK ] Stopped logrotate.timer - Daily rotation of log files.
[ OK ] Stopped systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories.
[ OK ] Closed systemd-coredump.socket - Process Core Dump Socket.
Stopping console-getty.service - Console Getty...
Stopping dracut-shutdown.service - Restore /run/initramfs on shutdown...
Stopping sshd.service - OpenSSH server daemon...
Stopping systemd-logind.service - User Login Management...
Stopping systemd-oomd.service - Userspace Out-Of-Memory (OOM) Killer...
Stopping user@1000.service - User Manager for UID 1000...
[ OK ] Stopped systemd-oomd.service - Userspace Out-Of-Memory (OOM) Killer.
[ OK ] Stopped systemd-networkd-wait-online.service - Wait for Network to be Configured.
[ OK ] Stopped sshd.service - OpenSSH server daemon.
[ OK ] Stopped console-getty.service - Console Getty.
[ OK ] Stopped dracut-shutdown.service - Restore /run/initramfs on shutdown.
[ OK ] Stopped target sshd-keygen.target.
[ OK ] Stopped systemd-logind.service - User Login Management.
[ OK ] Stopped user@1000.service - User Manager for UID 1000.
Stopping user-runtime-dir@1000.service - User Runtime Directory /run/user/1000...
[ OK ] Unmounted run-user-1000.mount - /run/user/1000.
[ OK ] Stopped user-runtime-dir@1000.service - User Runtime Directory /run/user/1000.
[ OK ] Removed slice user-1000.slice - User Slice of UID 1000.
Stopping systemd-user-sessions.service - Permit User Sessions...
[ OK ] Stopped systemd-user-sessions.service - Permit User Sessions.
[ OK ] Stopped target network.target - Network.
[ OK ] Stopped target remote-fs.target - Remote File Systems.
Stopping systemd-homed-activate.service - Home Area Activation...
Stopping systemd-resolved.service - Network Name Resolution...
[ OK ] Stopped systemd-resolved.service - Network Name Resolution.
Stopping systemd-networkd.service - Network Configuration...
[ OK ] Stopped systemd-homed-activate.service - Home Area Activation.
Stopping systemd-homed.service - Home Area Manager...
[ OK ] Stopped systemd-homed.service - Home Area Manager.
[ OK ] Stopped target basic.target - Basic System.
[ OK ] Stopped target paths.target - Path Units.
[ OK ] Stopped target slices.target - Slice Units.
[ OK ] Removed slice user.slice - User and Session Slice.
[ OK ] Stopped target sockets.target - Socket Units.
Stopping dbus-broker.service - D-Bus System Message Bus...
[ OK ] Stopped dbus-broker.service - D-Bus System Message Bus.
[ OK ] Closed dbus.socket - D-Bus System Message Bus Socket.
[ OK ] Stopped target sysinit.target - System Initialization.
[ OK ] Stopped target cryptsetup.target - Local Encrypted Volumes.
[ OK ] Stopped systemd-ask-password-console.path - Dispatch Password Requests to Console Directory Watch.
[ OK ] Stopped systemd-ask-password-wall.path - Forward Password Requests to Wall Directory Watch.
[ OK ] Stopped target veritysetup.target - Local Verity Integrity Protected Volumes.
[ OK ] Stopped systemd-update-done.service - Update is Completed.
[ OK ] Stopped ldconfig.service - Rebuild Dynamic Linker Cache.
[ OK ] Stopped systemd-hwdb-update.service - Rebuild Hardware Database.
[ OK ] Stopped systemd-journal-catalog-update.service - Rebuild Journal Catalog.
Stopping systemd-update-utmp.service - Update UTMP about System Boot/Shutdown...
[ OK ] Stopped systemd-networkd.service - Network Configuration.
[ OK ] Closed systemd-networkd.socket - Network Service Netlink Socket.
[ OK ] Stopped systemd-sysctl.service - Apply Kernel Variables.
[ OK ] Stopped systemd-update-utmp.service - Update UTMP about System Boot/Shutdown.
[ OK ] Stopped systemd-tmpfiles-setup.service - Create Volatile Files and Directories.
[ OK ] Stopped target local-fs.target - Local File Systems.
Unmounting home.mount - /home...
Unmounting run-credentials-systemd\x2dsysusers.se…e.mount - /run/credentials/systemd-sysusers.service...
Unmounting tmp.mount - Temporary Directory /tmp...
[ OK ] Unmounted home.mount - /home.
[ OK ] Unmounted tmp.mount - Temporary Directory /tmp.
[ OK ] Unmounted run-credentials-systemd\x2dsysusers.service.mount - /run/credentials/systemd-sysusers.service.
[ OK ] Stopped target local-fs-pre.target - Preparation for Local File Systems.
[ OK ] Stopped target swap.target - Swaps.
[ OK ] Reached target umount.target - Unmount All Filesystems.
[ OK ] Stopped systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.
[ OK ] Stopped systemd-sysusers.service - Create System Users.
[ OK ] Stopped systemd-remount-fs.service - Remount Root and Kernel File Systems.
[ OK ] Reached target shutdown.target - System Shutdown.
[ OK ] Reached target final.target - Late Boot Services.
[ OK ] Finished systemd-poweroff.service - System Power Off.
[ OK ] Reached target poweroff.target - System Power Off.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
All filesystems, swaps, loop devices, MD devices and DM devices detached.
Powering off.
Strictly speaking adding this is a compatibility break, given that
previously % weren't special. But I'd argue that was simply a bug, as
for the much more prominent Environment= service setting we always
resolved specifiers, and DEfaultEnvironment= is explicitly listed as
being the default for that. Hence, let's fix that.
Replaces: #16787
User managers always pass their environment on to their children.
Make that clear in the description of ManagerEnvironment= which
states that none of those args will get passed to child processes of
service managers.
This is useful for various variables that modify process behaviour. This makes
it easy to set it for pid1 without touching the kernel command line. Even for
the *user manager* this also can be convenient for the unprivileged user, who
cannot modify user@.service definition.
Variables that could be set like this include $SD_EVENT_PROFILE_DELAYS,
$SYSTEMD_FALLBACK_HOSTNAME, $SYSTEMD_MEMPOOL, $SYSTMED_RDRAND, etc.
This changes the paths we read user manager config from in two ways:
- split-usr-root paths are dropped. The user manager is a poster boy for
non-early-boot, so reading dropins only from /usr is appropriate.
- we look at ~/.config/systemd/user.conf. Users should be allowed to override
their own config.
As user managers become more and more used, it becomes more important for users
to customize their own daemon. By reading from ~/.config, this is possible
without privileges.
Actually, systemd takes the minimum of
* a) the maximum tasks value the kernel allows on this architecture
* b) the cgroups pids_max attribute for the system
* c) the kernel's configured maximum PID value
to calculate the DefaultTasksMax. Here, kernel.thread-max should also be methioned.
For users, the square brackets already serve as markup and clearly delineate
the section name from surrounding text. Putting additional markup around that
only adds clutter. Also, we were very inconsistent in using the quotes. Let's
just drop them altogether.
This option is only used on reboot, not on other types of shutdown
modes, so it is misleading.
Keep the old name working for backward compatibility, but remove it
from the documentation.
Rather than always enabling the shutdown WD on kexec, which might be
dangerous in case the kernel driver and/or the hardware implementation
does not reset the wd on kexec, add a new timer, disabled by default,
to let users optionally enable the shutdown WD on kexec separately
from the runtime and reboot ones. Advise in the documentation to
also use the runtime WD in conjunction with it.
Fixes: a637d0f9ec ("core: set shutdown watchdog on kexec too")
