This makes sure unit_watch_pid() and unit_unwatch_pid() will track
processes by pidfd if supported. Also ports over some related code.
Should not really change behaviour.
Note that this does *not* add support waiting for POLLIN on the pidfds
as additional exit notification. This is left for a later commit (this
commit is already large enough), in particular as that would add new
logic and not just convert existing logic.
This matters once we track processes with pidfds rather than just pid_t,
because made up PIDs likely won't exist.
The essence of the test remains unmodified, we just use a real, existing
PID instead of 4711.
This new helper can be used after reading process info from procfs, to
verify that the data that was just read actually matches the pidfd, and
does not belong to some new process that just reused the numeric PID of
the process we originally pinned.
Usually we want to embed PidRef in other structures, but sometimes it
makes sense to allocate it on the heap in case it should be used
standalone. Add helpers for that.
Primary usecase: use as key in Hashmap objects, that for example map
process to unit objects in PID 1.
This adds pidref_free()/pidref_freep() for freeing such an allocated
struct, as well as pidref_dup() (for duplicating an existing PidRef
on the heap 1:1), and pidref_new_pid() (for allocating a new PidRef from a
PID).
This helper truns a pid_t into a PidRef. It's different from
pidref_set_pid() in being "passive", i.e. it does not attempt to acquire
a pidfd for the pid.
This is useful when using the PidRef as a lookup key that shall also
work after a process is already dead, and hence no conversion to a pidfd
is possible anymore.
From RFC 8880:
Because the 'ipv4only.arpa' zone has to be an insecure delegation,
DNSSEC cannot be used to protect these answers from tampering by
malicious devices on the path.
Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation to
give DNS64/NAT64 gateways the freedom to synthesize answers to those
queries at will, without the answers being rejected by DNSSEC-capable
resolvers. DNSSEC-capable resolvers that follow this specification MUST
NOT attempt to validate answers received in response to queries for the
IPv6 AAAA address records for 'ipv4only.arpa'. Note that the name
'ipv4only.arpa' has no use outside of being used for this special DNS
pseudo-query used to learn the DNS64/NAT64 address synthesis prefix, so
the lack of DNSSEC security for that name is not a problem.
See: https://datatracker.ietf.org/doc/html/rfc8880#name-security-considerations
There's no way for us to wait for specific virtiofs tags to appear,
so we have to try and make sure that the tags are all available by
the time we try to mount any virtiofs tag. Let's try to do that by
loading the necessary modules as early as we can.
performed
systemctl would issue daemon-reload after unit file operations
(enable/disable/preset/...) succeed. However, such operations
are not atomic, meaning that the unit file state could still change
even if the operation generally fails, and the unit_file_state
cached by manager becomes outdated.
Fixes#29341
Right now we include the private working directory when we say some files
where not found, which is confusing. Strip it from the error string.
For example, with a BindPaths=/var/bar that does not exist on the host:
Before:
foo.service: Failed to set up mount namespacing: /run/systemd/unit-root/var/bar: No such file or directory
After:
foo.service: Failed to set up mount namespacing: /var/bar: No such file or directory
Add a new boolean for units, SurviveFinalKillSignal=yes/no. Units that
set it will not have their process receive the final sigterm/sigkill in
the shutdown phase.
This is implemented by checking if a process is part of a cgroup marked
with a user.survive_final_kill_signal xattr (or a trusted xattr if we
can't set a user one, which were added only in kernel v5.7 and are not
supported in CentOS 8).
kernel-install uses do_execute(). We would log whenever a spawned child
finished, but we would not log anything when the child is launched. When the
children log output without a prefix (as the kernel-install plugins do), it
is hard to see where that output is coming from.
For us, this is a compatibility mode, but most likely it is there to stay: the
kernel Makefile's install target expects to be able to call /bin/installkernel.
We want people who build their own kernels to use this, so that they use
kernel-install and get support for all the functionality provided by it,
including building of UKIs and other new features. So let's actually advertise
that this exists and works.
From RFC 9476:
Because names beneath .alt are in an alternative namespace, they have no
significance in the regular DNS context. DNS stub and recursive
resolvers do not need to look them up in the DNS context.
See: https://datatracker.ietf.org/doc/html/rfc9476#name-the-alt-namespace
`MatchPattern` for regular-file and directory as target can now match
subdirectories This is useful to install files for examples in `.extra.d`
directories:
```
[Target]
Type=regular-file
Path=/EFI/Linux
PathRelativeTo=boot
MatchPattern=gnomeos_@v.efi.extra.d/apparmor.addon.efi
```
The if the directories in the path do not exist, they will be created. Whereas
the part in `Path` is not created.
The benefit of using this setting is that user and group IDs, especially dynamic and random
IDs used by DynamicUser=, can be used in firewall configuration easily.
Example:
```
[Service]
NFTSet=user:inet:filter:serviceuser
```
Corresponding NFT rules:
```
table inet filter {
set serviceuser {
typeof meta skuid
}
chain service_output {
meta skuid @serviceuser accept
drop
}
}
```
```
$ cat /etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
NFTSet=user:inet:filter:serviceuser
ExecStart=/bin/sleep 1000
[Install]
WantedBy=multi-user.target
$ sudo nft list set inet filter serviceuser
table inet filter {
set serviceuser {
typeof meta skuid
elements = { 64864 }
}
}
$ ps -n --format user,group,pid,command -p `systemctl show dunft.service -P MainPID`
USER GROUP PID COMMAND
64864 64864 55158 /bin/sleep 1000
```
New directive `NFTSet=` provides a method for integrating dynamic cgroup IDs
into firewall rules with NFT sets. The benefit of using this setting is to be
able to use control group as a selector in firewall rules easily and this in
turn allows more fine grained filtering. Also, NFT rules for cgroup matching
use numeric cgroup IDs, which change every time a service is restarted, making
them hard to use in systemd environment.
This option expects a whitespace separated list of NFT set definitions. Each
definition consists of a colon-separated tuple of source type (only "cgroup"),
NFT address family (one of "arp", "bridge", "inet", "ip", "ip6", or "netdev"),
table name and set name. The names of tables and sets must conform to lexical
restrictions of NFT table names. The type of the element used in the NFT filter
must be "cgroupsv2". When a control group for a unit is realized, the cgroup ID
will be appended to the NFT sets and it will be be removed when the control
group is removed. systemd only inserts elements to (or removes from) the sets,
so the related NFT rules, tables and sets must be prepared elsewhere in
advance. Failures to manage the sets will be ignored.
If the firewall rules are reinstalled so that the contents of NFT sets are
destroyed, command systemctl daemon-reload can be used to refill the sets.
Example:
```
table inet filter {
...
set timesyncd {
type cgroupsv2
}
chain ntp_output {
socket cgroupv2 != @timesyncd counter drop
accept
}
...
}
```
/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
NFTSet=cgroup:inet:filter:timesyncd
```
```
$ sudo nft list set inet filter timesyncd
table inet filter {
set timesyncd {
type cgroupsv2
elements = { "system.slice/systemd-timesyncd.service" }
}
}
```
