Allow signing with an OpenSSL engine/provider, such as PKCS11. A public key is
not enough, a full certificate is needed for PKCS11, so a new parameter is
added for that too.
It turns out it's mostly PKCS11 that supports the URI format,
and other engines just take files. For example the tpm2-tss-openssl
engine just takes a sealed private key file path as the key input,
and the engine needs to be specified separately.
Add --private-key-source=file|engine:foo|provider:bar to
manually specify how to use the private key parameter.
Follow-up for 0a8264080a
These will be used by display managers to pre-select the user's
preferred desktop environment and display server type. On homed, the
display manager will also be able to set these fields to cache the
user's last selection.
`networkctl lldp` and `networkctl status INTERFACE` now use varlink
call to the networkd to query LLDP neighbors.
Then, this allows to dump LLDP neighbors in JSON format.
Co-authored-by: Tomáš Pecka <tomas.pecka@cesnet.cz>
Most of our kernel cmdline options use underscores as word separators in
kernel cmdline options, but there were some exceptions. Let's fix those,
and also use underscores.
Since our /proc/cmdline parsers don't distinguish between the two
characters anyway this should not break anything, but makes sure our own
codebase (and in particular docs and log messages) are internally
consistent.
Specify the delay, in milliseconds, between each peer
notification (gratuitous ARP and unsolicited IPv6
Neighbor Advertisement) when they are issued after
a failover event. This delay should be a multiple of
the MII link monitor interval (miimon).
The valid range is 0 - 300s. The default value is 0,
which means to match the value of the MII link monitor interval.
This effectively reverts 9175002864.
The retrans time field in RA message is for neighbor solicitation,
and the commit d4c8de21a0 makes the value
assigned to the correct sysctl property.
Let's deprecate the option, and drop the redundant functions.
Takes a list of CPU indices or ranges separated by either whitespace or commas. Alternatively,
takes the special value "all" in which will include all available CPUs in the mask.
CPU ranges are specified by the lower and upper CPU indices separated by a dash (e.g. "2-6").
This option may be specified more than once, in which case the specified CPU affinity masks are merged.
If an empty string is assigned, the mask is reset, all assignments prior to this will have no effect.
Defaults to unset and RPS CPU list is unchanged. To disable RPS when it was previously enabled, use the
special value "disable".
Currently, this will set CPU mask to all `rx` queue of matched device (if it has multiple queues).
The `/sys/class/net/<dev>/queues/rx-<n>/rps_cpus` only accept cpu bitmap mask in hexadecimal.
Fix: #30323
Let's make systemd-nspawn use our own ptyfwd logic to handle the TTY by
default.
This adds a new setting --console=, inspired by nspawn's setting of the
same name. If --console=interactive= is used, then we'll do the TTY
dance on our own via ptyfwd, and thus get tinting, our usual hotkey
handling and similar.
Since qemu's own console is useful too, let's keep it around via
--console=native.
FInally, replace the --qemu-gui switch by --console=gui.
This deprecates IPForward= setting, which unconditionally controled
the global setting, even though it is a setting in .network file.
Instead, this introduces new IPv4Forwarding= and IPv6Forwarding=
settings both in .network and networkd.conf.
If these settings are specified in a .network file, then the
per-interface forwarding setting will be configured.
If specified in networkd.conf, then the global IP forwarding setting will
be configured.
Closes#30648.
Allow to set the broadcast queueing threshold
on macvlan devices. This controls which multicast packets will be
processed in a workqueue instead of inline.
This renames a few of the switches vmspawn takes, such as --qemu-mem=
and --qemu-smp= to names without the "qemu" moniker and uses less
cryptic names (i.e. --ram= and --cpus=).
I think it's a bit unsystematic that so far we use the "qemu" prefix for
some options but not for others. At least I could not figure out a
system when we use it and when we don't. Hence let's clean it up and
just use simpler names without suffix.
After all we might want to plug other hypervisors behind vmspawn one
day, hence I think there's value in sticking to generic names for these
switches that allow us to switch out backends easily. In particular for
--ram= and --cpus= which are probably the most fundamental of VM settings
there are.
The old switches are support for compat, but not advertised in man page
or --help text anymore.
I left "--qemu-gui" under its current name, since it fundamentally is a
a qemu concept, exposing a qemu specific graphical UI.
If specified we'll not try to find a free V, but instead just output
directly to the specified TTY. This is particularly useful for
debugging, as it means "systemd-bsod --tty=/dev/tty" just works.
The command will refuse to write to a TTY, so give a strong hint
that redirecting to a file is recommended. This makes the synopsis,
man page text, and --help output consistent.
Also drop the space after the redirection operator everywhere.
Let's bring the credentials into a better order, in order of relevance.
Also, let's clarify what the generic LUKS PIN is about.
Finally, list the credentials in system-credentials(7) too, after all
people might want to unlock a disk with this via SMBIOS Type 11 or so.
Precedence for example in ac63c8df30/rules.d/99-systemd.rules.in (L75).
Add ENV to the list of keys where string substitutions can be used.
While I'm at it, also sort the list in that paragraph alphabetically.
This makes it possible to edit blob directories using homectl. The
following syntax is available:
* `--blob-directory=/path/somewhere`: Replaces the entire blob directory
with the contents of /path/somewhere
* `--blob-directory=foobar=/path/somewhere`: Replaces just the file
foobar in the blob directory with the contents of /path/somewhere
* `--blob-directory=foobar=`: Deletes the file foobar from the blob
directory
* `--blob-directory=`: Resets all previous flags
* `--avatar=`, etc: Shortcuts for `--blob-directory=FILENAME=` for the
known files in the blob directory
Introduces new extended variants of the various incarnations of
Create and Update, which take a map of filenames to FDs. This map is
then used to populate the bulk directory.
FDs are used to prevent the client from abusing homed's blob directory
permissions (everything is made world-readable by homed) to open files
that they normally aren't allowed to open. Passing along an FD ensures
that the client has read access to the file it wants homed to make
world-readable.
Internally, homework uses the map to overwrite the system blob dir.
Later, homework's existing blob dir reconciliation logic will propagate
the new contents from the system blob dir into the embedded blob
dir
This ensures that a user-specific blob directory exists in
/var/cache/systemd/homed for as long as the user exists, and gets
deleted if the user gets deleted.
It also advertises this blob directory via the user record, so that
clients can find and use it.
