system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-10-14 20:17:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
73864 commits 3 branches 390 tags 584 MiB
Commit graph

8705 commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek 1b47cfab7f
Merge pull request #32428 from poettering/sd-notify-reboot-param 
pid1: send shutdown type and reboot argument to supervisor via sd_notify()
 2024-04-23 13:31:40 +02:00
Ludwig Nussel 1df4b21abd cryptenroll: use root device by default 2024-04-23 12:29:32 +02:00
Lennart Poettering 8c081ae84b shutdown: send an sd_notify() message on shutdown with the shutdown reason and boot param 
This is kinda nice in containers, to exfiltrate a string from the
container on shutdown.
 2024-04-23 11:04:08 +02:00
Guido Leenders f445ed3c5f Document effective owner of stdout/stderr log file upon creation 
The log files defined using file:, append: or truncate: inherit the owner and other privileges from the effective user running systemd.

The log files are NOT created using the "User", "Group" or "UMask" defined in the service.
 2024-04-22 20:46:25 +02:00
Yu Watanabe c6aadfdd32 ukify: swap the ordering of config search paths 
Let's follow our usual ordering.

Follow-up for a05fa30f88.
 2024-04-22 20:38:16 +02:00
Yu Watanabe 9e4b40f26a man: fix typo 
Follow-up for 403492793a.
 2024-04-23 01:42:11 +09:00
Yu Watanabe 6bd3102e3e man: fix typo 
Follow-up for fef46ffb5b.
 2024-04-23 01:42:11 +09:00
Lennart Poettering 29ba6bddc5
Merge pull request #32399 from poettering/doc-fixes-256 
various documentation fixes (plus minor other work)
 2024-04-22 17:41:39 +02:00
Luca Boccassi edd3d4d7c2 nspawn: ensure single-process container running as --user can access credentials 
When starting a container with --user, the new uid will be resolved and switched to
only in the inner child, at the end of the setup, by spawning getent. But the
credentials are set up in the outer child, long before the user is resolvable,
and the directories/files are made only readable by root and read-only, which
means they cannot be changed later and made visible to the user.

When this particular combination is specified, it is obvious the caller wants
the single-process container to be able to use credentials, so make them world
readable only in that specific case.

Fixes https://github.com/systemd/systemd/issues/31794
 2024-04-22 15:47:44 +02:00
Lennart Poettering a64411deb4 man: document that IPAccounting= works for system services only 
Fixes: #20356
 2024-04-22 15:16:54 +02:00
Lennart Poettering ef9262d0d1 man: be explicit that we don't proxy SO_PEER*, SCM_RIGHTS and co. 
Fixes: #22744
 2024-04-22 15:16:54 +02:00
Lennart Poettering fef46ffb5b man: document that ReadOnlyPaths= doesn't affect ability to connect to AF_UNIX 
Fixes: #23470
 2024-04-22 15:16:54 +02:00
Lennart Poettering c104d7a74e man: document that "systemctl set-environment" cannot be used to unset env vars configured via config file 
Fixes: #28167
 2024-04-22 15:16:54 +02:00
Lennart Poettering afc194a135 man: say explicitly that $LESS + $LESSCHARSET have no effect on less invocations by systemd tools 
Fixes: #29479
 2024-04-22 15:16:54 +02:00
Lennart Poettering 403492793a man: document missing resolved D-Bus APIs 
Fixes: #29598
 2024-04-22 15:16:54 +02:00
Lennart Poettering 04366e0693 man: document that StateDirectory= trumps ProtectSystem=strict explicitly 
Fixes: #29798
 2024-04-22 15:16:54 +02:00
Lennart Poettering 552dc4a97c man: document explicitly that LogExtraFields= and LogFilterPatterns= are for system service only for now 
Fixes: #29956
 2024-04-22 15:16:54 +02:00
Lennart Poettering 6b7a1a3679 man: document explicitly that bind restrictions cannot be escaped by opening a new netns 
And while we are at it reword the introductary sentence a bit to make it
clearer.

Fixes: #30555
 2024-04-22 15:16:54 +02:00
Lennart Poettering 0adce85ebe man: explicitly document the various systemd.journald.max_level_*= kernel cmdline options 
Fixes: #31327
 2024-04-22 15:16:54 +02:00
Lennart Poettering db2b499423 journald: bring order of MaxLevelXYZ= setting explanations in sync with listed names 2024-04-22 15:16:54 +02:00
Lennart Poettering 3c7f0d6b44 man: explicitly say that BindPaths=/BindReadOnlyPaths= opens a new mount 
namespace

Fixes: #32339
 2024-04-22 15:16:54 +02:00
Lennart Poettering 3f6551fc82 man: run update-man-rules again 2024-04-22 15:16:54 +02:00
Luca Boccassi 93cb78aee2 core: add ExecMainHandoverTimestamp property recording time-of-execve 
Enable the exec_fd logic for Type=notify* services too, and change it
to send a timestamp instead of a '1' byte. Record the timestamp in a
new ExecMainHandoverTimestamp property so that users can track accurately
when control is handed over from systemd to the service payload, so
that latency and startup performance can be trivially and accurately
tracked and attributed.
 2024-04-22 15:16:05 +02:00
Luca Boccassi f64222b748
Merge pull request #32347 from yuwata/sd-radv-reachable-time 
sd-radv: allow to configure reachable time
 2024-04-22 14:04:25 +02:00
Yu Watanabe 2fa480592d sd-event: fix fd leak when fd is owned by IO event source 
When an IO event source owns relevant fd, replacing with a new fd leaks
the previously assigned fd.
===
sd_event_add_io(event, &s, fd, ...);
sd_event_source_set_io_fd_own(s, true);
sd_event_source_set_io_fd(s, new_fd);  <-- The previous fd is not closed.
sd_event_source_unref(s);  <-- new_fd is closed as expected.
===

Without the change, valgrind reports the leak:
==998589==
==998589== FILE DESCRIPTORS: 4 open (3 std) at exit.
==998589== Open file descriptor 4:
==998589==    at 0x4F119AB: pipe2 (in /usr/lib64/libc.so.6)
==998589==    by 0x408830: test_sd_event_source_set_io_fd (test-event.c:862)
==998589==    by 0x403302: run_test_table (tests.h:171)
==998589==    by 0x408E31: main (test-event.c:935)
==998589==
==998589==
==998589== HEAP SUMMARY:
==998589==     in use at exit: 0 bytes in 0 blocks
==998589==   total heap usage: 33,305 allocs, 33,305 frees, 1,283,581 bytes allocated
==998589==
==998589== All heap blocks were freed -- no leaks are possible
==998589==
==998589== For lists of detected and suppressed errors, rerun with: -s
==998589== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
 2024-04-22 18:30:12 +08:00
Yu Watanabe 4f52944054 man: fix typo 
Follow-ups for 418f2dc755.
 2024-04-22 18:44:48 +09:00
Yu Watanabe 5d8b72e1e0 man: slightly rephrase RetransmitSec= setting 2024-04-22 18:42:46 +09:00
Yu Watanabe 59d475ba40 network/radv: introduce ReachableTimeSec= setting 
To make the reachable time in the RA header sent by networkd
configurable.
 2024-04-22 18:41:37 +09:00
Luca Boccassi 6e6deacc61
Merge pull request #32359 from poettering/vmspawn-hyperv-enlight 
some hyperv related enhancement in detect-virt + vmspawn
 2024-04-20 14:40:14 +02:00
Luca Boccassi af46138f39
Merge pull request #32276 from yuwata/network-global-use-domains-setting 
network: introduce protocol-independent UseDomains= setting
 2024-04-20 13:30:00 +02:00
Lennart Poettering 615906cdcf sd-id128: add an app-specific flavour of the invocation ID too 2024-04-20 12:10:42 +02:00
Yu Watanabe 4a7cd0caad sd-event: fix sd_event_source_get_inotify_path() 
Follow-ups for 74c4231ce5.

Previously, the path is obtained from the fd, but it is closed in
sd_event_loop() to unpin the filesystem.
So, let's save the path when the event source is created, and make
sd_event_source_get_inotify_path() simply read it.
 2024-04-20 11:14:32 +02:00
Yu Watanabe 418f2dc755 network: introduce network- and protocol-independent default for UseDomains= 
Follow-up for fb57300743.

Prompted by #32273.
 2024-04-20 12:01:53 +09:00
Lennart Poettering bf49f3bb44
Merge pull request #31872 from tfg13/main 
stub+ukify: Add support for UKI .ucode section
 2024-04-19 23:59:13 +02:00
Luca Boccassi 565f6130b2
Merge pull request #32142 from bluca/portable_vpick 
portable: support vpick
 2024-04-19 20:34:16 +02:00
Luca Boccassi f5054c2e37
Merge pull request #32251 from CodethinkLabs/vmspawn/docs_improvements 
vmspawn docs improvements
 2024-04-19 20:33:05 +02:00
Zbigniew Jędrzejewski-Szmek ef40ad963a
Merge pull request #32365 from poettering/gpt-auto-doc-fix 
man: tweak gpt-auto-generator docs a bit
 2024-04-19 18:49:11 +02:00
Lennart Poettering 366af154fa man: correct where we look for auxiliary partitions 
We look for the root fs on the device of the booted ESP, and for the
other partitions on the device of the root fs. On EFI systems this
generally boils down to the same, but there are cases where this doesn't
hold, hence document this properly.

Fixes: #31199
 2024-04-19 18:36:33 +02:00
Lennart Poettering 1bf7e13c55 man: add explicit column for gpt guid value in table 2024-04-19 18:36:16 +02:00
Lennart Poettering 6cfd19cfd1 man: add separate column for flag value to table 2024-04-19 18:34:43 +02:00
Sam Leonard 2068ef6804
man: vmspawn - clarify behaviour of omitting --linux=/--initrd= 2024-04-19 16:58:37 +01:00
Sam Leonard 9c50fd64b5
man: vmspawn - clarify behaviour of omitting --vsock-cid= 2024-04-19 16:56:13 +01:00
Sam Leonard dae32b1a2a
man: removely overly verbose wording from the vmspawn man page 2024-04-19 16:42:13 +01:00
Sam Leonard 900d283ae0
man: vmspawn - reference later example to show use of --private-users 2024-04-19 16:42:13 +01:00
Sam Leonard 45ec09ba4b
man: clarify behaviour when omitting both -i/-D in vmspawn 2024-04-19 16:42:13 +01:00
Sam Leonard e82d12a52f
man: fix entry for vmspawn's --ssh-key-type 2024-04-19 16:38:49 +01:00
Sam Leonard 1490debd62
man: add ssh example for vmspawn 2024-04-19 16:38:49 +01:00
Sam Leonard b8db8e557b
man: add example --forward-journal= example for vmspawn 2024-04-19 16:38:49 +01:00
Sam Leonard 0f37ff38a8
man: add machinectl import-raw example for vmspawn 2024-04-19 16:38:48 +01:00
Lennart Poettering fa6ea80958 man: document the last remaining bits of the hostnamed D-Bus interface 2024-04-19 16:02:14 +02:00
Tobias Fleig d380337dc5 ukify: Add support for .ucode UKI section 
This commit teaches ukify how to build a .ucode section into UKIs. This
section is functionally an initrd, intended for microcode updates.
 2024-04-19 06:28:47 -07:00
Tobias Fleig 590ac4bd27 measure: Add .ucode UKI section support 
This commit adds support for the new ".ucode" UKI section to
systemd-measure. It is functionally an initrd and is treated as such by
measure.
 2024-04-19 05:58:56 -07:00
Tobias Fleig aea81bc0ff stub: Add support for .ucode UKI section 
This commit adds support for loading, measuring and handling a ".ucode"
UKI section. This section is functionally an initrd, intended for
microcode updates. As such it will always be passed to the kernel first.
 2024-04-19 05:58:46 -07:00
Luca Boccassi 8257508c58 portable: support vpick 
Resolve at attach/detach/inspect time, so that the image is pinned and requires
re-attaching on update, given files are extracted from it so just passing
img.v/ to RootImage= is not enough to get a portable image updated
 2024-04-19 13:25:32 +01:00
Yu Watanabe 74c4231ce5 sd-event: introduce sd_event_source_get_inotify_path() 
This may be useful when there are multiple inotify event sources exist.
Without this, users need to manage the event sources and paths.
 2024-04-19 14:23:11 +09:00
Yu Watanabe fc6ec43c02 man: drop spurious version info for error code 
Follow-up for 87fe0a6960.
 2024-04-19 14:23:08 +09:00
Yu Watanabe c1ab4458f2 sd-event: rename argument for storing result 2024-04-19 13:59:26 +09:00
Luca Boccassi e54bf3fe0b
Merge pull request #32299 from yuwata/network-radv-ignore-rs-from-the-same-interface 
network/radv: ignore RS message from the same interface
 2024-04-18 23:45:06 +02:00
Lennart Poettering dd37963aff
Merge pull request #31790 from poettering/pcrlock-policy-fix 
Replace PolicyAuthValue by PolicySigned as access policy for pcrlock policy nvindex
 2024-04-18 21:11:27 +02:00
Luca Boccassi b84a0bf3ab
Merge pull request #32144 from bluca/portable_clean 
portablectl: add --clean parameter for detaching
 2024-04-18 18:15:20 +02:00
Lennart Poettering 43a59b8b86 pcrlock: rework --recovery-pin= to take three different arguments 
This reworkds --recovery-pin= from a parameter that takes a boolean to
an enum supporting one of "hide", "show", "query".

If "hide" (default behaviour) we'll generate a recovery pin
automatically, but never show it, and thus just seal it and good.

If "show" we'll generate a recovery pin automatically, but display it in
the output, so the user can write it down.

If "query" we'll ask the user for a recovery pin, and not automatically
generate any.

For compatibility the old boolean behaviour is kept.

With this you can now do "systemd-pcrlock make-policy
--recovery-pin=show" to set up the first policy, write down the recovery
PIN. Later, if the PCR prediction didn't work out one day you can then
do "systemd-pcrlock make-policy --recovery-pin=query" and enter the
recovery key and write a new policy.
 2024-04-18 18:12:24 +02:00
Antonio Alvarez Feijoo d72835f819 man/systemd-stub: fix typo 2024-04-18 18:10:50 +02:00
Luca Boccassi 82efe05c01
Merge pull request #32326 from jonathan-conder/man_pam_loadkey 
man: pam_system_loadkey additions and fixes
 2024-04-18 14:10:40 +02:00
Luca Boccassi ef5f7f9437 systemctl: add --clean= values to documentation and shell completion 2024-04-18 14:07:07 +02:00
Luca Boccassi 966d7977c7 portablectl: add --clean parameter for detaching 
Calls CleanUnit on each portable service being removed, after it has
stopped
 2024-04-18 10:47:29 +01:00
Jonathan Conder 08ef6998e3 man: document other keyname options for pam_systemd_loadkey 2024-04-18 20:56:58 +12:00
Lennart Poettering 778abdbfa1 doc: fix .ssh credential examples 
Let's create the .ssh dir with the right perms first.

Suggested by @gcb.

Fixes: #28172
 2024-04-18 10:53:20 +02:00
Yu Watanabe 87fe0a6960
man: fix wrong version info (#31949) 
Fixes #31920.
 2024-04-18 09:45:51 +09:00
Yu Watanabe 769f9744b7 network/ndisc: disable Neighbor discovery client if RADV is enabled 
Running both sd-ndisc and sd-radv should be mostly a misconfiguration,
but may not. So, let's only disable sd-ndisc by default when sd-radv is
enabled, but allow when both are explicitly requested.
 2024-04-18 09:40:23 +09:00
Jonathan Conder 0bf317b620 man: add pam_gnome_keyring to auth section after pam_systemd_loadkey 
This is required because pam_sm_open_session [1] only looks at
gkr_system_authtok, which is copied from the kernel keyring in
pam_sm_authenticate.

[1] https://gitlab.gnome.org/GNOME/gnome-keyring/-/blob/46.1/pam/gkr-pam-module.c?ref_type=tags
 2024-04-18 08:32:15 +12:00
Lennart Poettering 94c5c55e3e
Merge pull request #32320 from bluca/softreboot_serialize 
Soft reboot timestamp follow-ups
 2024-04-17 22:12:49 +02:00
Zbigniew Jędrzejewski-Szmek aea6787f78 man: mention that sd_journal_test_cursor() needs a positioning call 
Fixes #30331.
 2024-04-17 22:01:53 +02:00
Luca Boccassi b3f548615f core: rename SoftRebootStartTimestamp -> ShutdownStartTimestamp and generalize 
Follow-up for 54f86b86ba
 2024-04-17 18:19:27 +01:00
Yu Watanabe e27f2ad6be
Merge pull request #32300 from mrc0mmand/assorted-tweaks 
test: split TEST-50-DISSECT into smaller parts
 2024-04-17 11:52:30 +09:00
Luca Boccassi 3721f9620c
Merge pull request #32289 from bluca/counter 
soft-reboot counter follow-ups
 2024-04-16 10:44:25 +02:00
Yu Watanabe 78d5bad2f5
Merge pull request #32294 from yuwata/network-generator-creds 
network-generator: also load drop-ins for networkd.conf from credentials
 2024-04-16 16:42:59 +09:00
Yu Watanabe 78281bd53a networkctl: allow to call 'networkctl cat' without arguments 
Then, show networkd.conf and its drop-ins.
 2024-04-16 13:31:14 +09:00
Yu Watanabe 38b4eb228a man: add missing drop-in directory 2024-04-16 13:00:49 +09:00
Yu Watanabe e12e16e9f7 network-generator: also copy drop-ins for networkd.conf from credential 
Follow-up for 1a30285590.
 2024-04-16 12:45:08 +09:00
Yu Watanabe 5700e755a9 units: introduce systemd-udev-load-credentials.service 2024-04-16 09:45:43 +09:00
Yu Watanabe 51be364bbb udevadm-control: add --load-credentials option 
When specified, credentials udev.conf.* and udev.rules.* are copied to
the corresponding directories.
 2024-04-16 09:45:25 +09:00
Luca Boccassi 95a289bfe7 man: mention initial value of SoftRebootsCount 
Follow-up for 66f35161f6
 2024-04-16 00:26:04 +01:00
Frantisek Sumsal ad444dd8e8 man: slightly reword LogFilterPatterns= description 
As there was something missing in the existing sentence.
 2024-04-15 17:16:18 +02:00
Sam Leonard 9bfabe14e5 man: fix incorrect XML in man page 2024-04-15 10:40:11 +02:00
Yu Watanabe 14f3bdaa73
Merge pull request #32271 from YHNdnzj/arch-man 
Fixes for links to man projects
 2024-04-15 14:35:04 +09:00
Kristian Klausen 254e1aa707 vmspawn: Fix incorrect/broken links in the man page 2024-04-15 14:33:33 +09:00
Mike Yuan e561037517
man/sd-journal: correct project name for man7 
Follow-up for 5aa8180392
 2024-04-14 23:46:54 +08:00
Mike Yuan 311f4b8f6a
man: switch wireguard man project to man7 2024-04-14 23:41:34 +08:00
Mike Yuan 41fead40e6
man/custom-html: update link to Arch manual 2024-04-14 23:38:38 +08:00
Yu Watanabe ae9fd433d6
Merge pull request #32194 from henryli001/lihl/add-defaultUseDomains-config 
network: add mechanism to configure default UseDomains= setting
 2024-04-14 13:40:06 +09:00
Henry Li fb57300743 network: add mechanism to configure default UseDomains= setting, update man page and add test 2024-04-13 16:54:31 -07:00
Ole Peder Brandtzæg 712514416e man: remove PrivateMounts= from list of other settings in its own description 
The diff looks bigger, but that's only because it seemed fitting to
reformat the paragraph now that the list is shorter.
 2024-04-14 08:04:12 +09:00
Sam Leonard edd85c8414 vmspawn: add --discard-disk= to control handling of disk discard requests 
Fixes issue #32024, using --discard-disk=yes will enable handling of disk
discarding requests, saving space for long running VMs as desired.
 2024-04-12 20:32:38 +02:00
Ludwig Nussel aadbe55925 creds: allow null when decrypting 
pcrlock writes a credential file using null key. Make sure systemd-creds
can show the file
 2024-04-11 12:15:32 +01:00
Pablo Méndez Hernández ffd0cca34a man/journald: Add missing configuration files 
The man page was missing:

-  `/run/systemd/journald.conf`
-  `/usr/lib/systemd/journald.conf`

as valid configuration files.

Fixes: https://github.com/systemd/systemd/issues/32199
 2024-04-10 20:15:17 +08:00
Luca Boccassi 0f0d001254
Merge pull request #32104 from yuwata/network-ndisc-redirect 
network/ndisc: add support for Redirect message
 2024-04-08 20:03:32 +01:00
Luca Boccassi b1b5d7e4bf
Merge pull request #32140 from YHNdnzj/socket-per-peer-source 
Minor tweaks to socket manual & shorten the code a bit
 2024-04-08 10:38:07 +01:00
Mike Yuan 6b014a2ac4
man/systemd.socket: be explicit that MaxConnectionsPerSource=0 means disabled 2024-04-08 01:49:49 +08:00
Lennart Poettering 0af7e29434 nspawn: make nspawn work without privileges 2024-04-06 16:08:24 +02:00
Lennart Poettering 702a52f4b5 mountfsd: add new systemd-mountfsd component 2024-04-06 16:08:24 +02:00