Zbigniew Jędrzejewski-Szmek
1b47cfab7f
Merge pull request #32428 from poettering/sd-notify-reboot-param
pid1: send shutdown type and reboot argument to supervisor via sd_notify()
2024-04-23 13:31:40 +02:00
Ludwig Nussel
1df4b21abd
cryptenroll: use root device by default
2024-04-23 12:29:32 +02:00
Lennart Poettering
8c081ae84b
shutdown: send an sd_notify() message on shutdown with the shutdown reason and boot param
This is kinda nice in containers, to exfiltrate a string from the
container on shutdown.
2024-04-23 11:04:08 +02:00
Guido Leenders
f445ed3c5f
Document effective owner of stdout/stderr log file upon creation
The log files defined using file:, append: or truncate: inherit the owner and other privileges from the effective user running systemd.
The log files are NOT created using the "User", "Group" or "UMask" defined in the service.
2024-04-22 20:46:25 +02:00
Yu Watanabe
c6aadfdd32
ukify: swap the ordering of config search paths
Let's follow our usual ordering.
Follow-up for a05fa30f88.
2024-04-22 20:38:16 +02:00
Yu Watanabe
9e4b40f26a
man: fix typo
Follow-up for 403492793a.
2024-04-23 01:42:11 +09:00
Yu Watanabe
6bd3102e3e
man: fix typo
Follow-up for fef46ffb5b.
2024-04-23 01:42:11 +09:00
Lennart Poettering
29ba6bddc5
Merge pull request #32399 from poettering/doc-fixes-256
various documentation fixes (plus minor other work)
2024-04-22 17:41:39 +02:00
Luca Boccassi
edd3d4d7c2
nspawn: ensure single-process container running as --user can access credentials
When starting a container with --user, the new uid will be resolved and switched to
only in the inner child, at the end of the setup, by spawning getent. But the
credentials are set up in the outer child, long before the user is resolvable,
and the directories/files are made only readable by root and read-only, which
means they cannot be changed later and made visible to the user.
When this particular combination is specified, it is obvious the caller wants
the single-process container to be able to use credentials, so make them world
readable only in that specific case.
Fixes https://github.com/systemd/systemd/issues/31794
2024-04-22 15:47:44 +02:00
Lennart Poettering
a64411deb4
man: document that IPAccounting= works for system services only
Fixes: #20356
2024-04-22 15:16:54 +02:00
Lennart Poettering
ef9262d0d1
man: be explicit that we don't proxy SO_PEER*, SCM_RIGHTS and co.
Fixes: #22744
2024-04-22 15:16:54 +02:00
Lennart Poettering
fef46ffb5b
man: document that ReadOnlyPaths= doesn't affect ability to connect to AF_UNIX
Fixes: #23470
2024-04-22 15:16:54 +02:00
Lennart Poettering
c104d7a74e
man: document that "systemctl set-environment" cannot be used to unset env vars configured via config file
Fixes: #28167
2024-04-22 15:16:54 +02:00
Lennart Poettering
afc194a135
man: say explicitly that $LESS + $LESSCHARSET have no effect on less invocations by systemd tools
Fixes: #29479
2024-04-22 15:16:54 +02:00
Lennart Poettering
403492793a
man: document missing resolved D-Bus APIs
Fixes: #29598
2024-04-22 15:16:54 +02:00
Lennart Poettering
04366e0693
man: document that StateDirectory= trumps ProtectSystem=strict explicitly
Fixes: #29798
2024-04-22 15:16:54 +02:00
Lennart Poettering
552dc4a97c
man: document explicitly that LogExtraFields= and LogFilterPatterns= are for system service only for now
Fixes: #29956
2024-04-22 15:16:54 +02:00
Lennart Poettering
6b7a1a3679
man: document explicitly that bind restrictions cannot be escaped by opening a new netns
And while we are at it, reword the introductory sentence a bit to make it
clearer.
Fixes: #30555
2024-04-22 15:16:54 +02:00
Lennart Poettering
0adce85ebe
man: explicitly document the various systemd.journald.max_level_*= kernel cmdline options
Fixes: #31327
2024-04-22 15:16:54 +02:00
Lennart Poettering
db2b499423
journald: bring order of MaxLevelXYZ= setting explanations in sync with listed names
2024-04-22 15:16:54 +02:00
Lennart Poettering
3c7f0d6b44
man: explicitly say that BindPaths=/BindReadOnlyPaths= opens a new mount namespace
Fixes: #32339
2024-04-22 15:16:54 +02:00
Lennart Poettering
3f6551fc82
man: run update-man-rules again
2024-04-22 15:16:54 +02:00
Luca Boccassi
93cb78aee2
core: add ExecMainHandoverTimestamp property recording time-of-execve
Enable the exec_fd logic for Type=notify* services too, and change it
to send a timestamp instead of a '1' byte. Record the timestamp in a
new ExecMainHandoverTimestamp property so that users can track accurately
when control is handed over from systemd to the service payload, so
that latency and startup performance can be trivially and accurately
tracked and attributed.
2024-04-22 15:16:05 +02:00
Luca Boccassi
f64222b748
Merge pull request #32347 from yuwata/sd-radv-reachable-time
sd-radv: allow configuring the reachable time
2024-04-22 14:04:25 +02:00
Yu Watanabe
2fa480592d
sd-event: fix fd leak when fd is owned by IO event source
When an IO event source owns the relevant fd, replacing it with a new fd leaks
the previously assigned fd.
===
sd_event_add_io(event, &s, fd, ...);
sd_event_source_set_io_fd_own(s, true);
sd_event_source_set_io_fd(s, new_fd); <-- The previous fd is not closed.
sd_event_source_unref(s); <-- new_fd is closed as expected.
===
Without the change, valgrind reports the leak:
==998589==
==998589== FILE DESCRIPTORS: 4 open (3 std) at exit.
==998589== Open file descriptor 4:
==998589== at 0x4F119AB: pipe2 (in /usr/lib64/libc.so.6)
==998589== by 0x408830: test_sd_event_source_set_io_fd (test-event.c:862)
==998589== by 0x403302: run_test_table (tests.h:171)
==998589== by 0x408E31: main (test-event.c:935)
==998589==
==998589==
==998589== HEAP SUMMARY:
==998589== in use at exit: 0 bytes in 0 blocks
==998589== total heap usage: 33,305 allocs, 33,305 frees, 1,283,581 bytes allocated
==998589==
==998589== All heap blocks were freed -- no leaks are possible
==998589==
==998589== For lists of detected and suppressed errors, rerun with: -s
==998589== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
2024-04-22 18:30:12 +08:00
Yu Watanabe
4f52944054
man: fix typo
Follow-ups for 418f2dc755.
2024-04-22 18:44:48 +09:00
Yu Watanabe
5d8b72e1e0
man: slightly rephrase RetransmitSec= setting
2024-04-22 18:42:46 +09:00
Yu Watanabe
59d475ba40
network/radv: introduce ReachableTimeSec= setting
To make the reachable time in the RA header sent by networkd
configurable.
2024-04-22 18:41:37 +09:00
Luca Boccassi
6e6deacc61
Merge pull request #32359 from poettering/vmspawn-hyperv-enlight
some hyperv-related enhancements in detect-virt + vmspawn
2024-04-20 14:40:14 +02:00
Luca Boccassi
af46138f39
Merge pull request #32276 from yuwata/network-global-use-domains-setting
network: introduce protocol-independent UseDomains= setting
2024-04-20 13:30:00 +02:00
Lennart Poettering
615906cdcf
sd-id128: add an app-specific flavour of the invocation ID too
2024-04-20 12:10:42 +02:00
Yu Watanabe
4a7cd0caad
sd-event: fix sd_event_source_get_inotify_path()
Follow-ups for 74c4231ce5.
Previously, the path was obtained from the fd, but the fd is closed in
sd_event_loop() to unpin the filesystem.
So, let's save the path when the event source is created, and make
sd_event_source_get_inotify_path() simply read it.
2024-04-20 11:14:32 +02:00
Yu Watanabe
418f2dc755
network: introduce network- and protocol-independent default for UseDomains=
Follow-up for fb57300743.
Prompted by #32273.
2024-04-20 12:01:53 +09:00
Lennart Poettering
bf49f3bb44
Merge pull request #31872 from tfg13/main
stub+ukify: Add support for UKI .ucode section
2024-04-19 23:59:13 +02:00
Luca Boccassi
565f6130b2
Merge pull request #32142 from bluca/portable_vpick
portable: support vpick
2024-04-19 20:34:16 +02:00
Luca Boccassi
f5054c2e37
Merge pull request #32251 from CodethinkLabs/vmspawn/docs_improvements
vmspawn docs improvements
2024-04-19 20:33:05 +02:00
Zbigniew Jędrzejewski-Szmek
ef40ad963a
Merge pull request #32365 from poettering/gpt-auto-doc-fix
man: tweak gpt-auto-generator docs a bit
2024-04-19 18:49:11 +02:00
Lennart Poettering
366af154fa
man: correct where we look for auxiliary partitions
We look for the root fs on the device of the booted ESP, and for the
other partitions on the device of the root fs. On EFI systems this
generally boils down to the same, but there are cases where this doesn't
hold, hence document this properly.
Fixes: #31199
2024-04-19 18:36:33 +02:00
Lennart Poettering
1bf7e13c55
man: add explicit column for gpt guid value in table
2024-04-19 18:36:16 +02:00
Lennart Poettering
6cfd19cfd1
man: add separate column for flag value to table
2024-04-19 18:34:43 +02:00
Sam Leonard
2068ef6804
man: vmspawn - clarify behaviour of omitting --linux=/--initrd=
2024-04-19 16:58:37 +01:00
Sam Leonard
9c50fd64b5
man: vmspawn - clarify behaviour of omitting --vsock-cid=
2024-04-19 16:56:13 +01:00
Sam Leonard
dae32b1a2a
man: remove overly verbose wording from the vmspawn man page
2024-04-19 16:42:13 +01:00
Sam Leonard
900d283ae0
man: vmspawn - reference later example to show use of --private-users
2024-04-19 16:42:13 +01:00
Sam Leonard
45ec09ba4b
man: clarify behaviour when omitting both -i/-D in vmspawn
2024-04-19 16:42:13 +01:00
Sam Leonard
e82d12a52f
man: fix entry for vmspawn's --ssh-key-type
2024-04-19 16:38:49 +01:00
Sam Leonard
1490debd62
man: add ssh example for vmspawn
2024-04-19 16:38:49 +01:00
Sam Leonard
b8db8e557b
man: add --forward-journal= example for vmspawn
2024-04-19 16:38:49 +01:00
Sam Leonard
0f37ff38a8
man: add machinectl import-raw example for vmspawn
2024-04-19 16:38:48 +01:00
Lennart Poettering
fa6ea80958
man: document the last remaining bits of the hostnamed D-Bus interface
2024-04-19 16:02:14 +02:00
Tobias Fleig
d380337dc5
ukify: Add support for .ucode UKI section
This commit teaches ukify how to build a .ucode section into UKIs. This
section is functionally an initrd, intended for microcode updates.
2024-04-19 06:28:47 -07:00
Tobias Fleig
590ac4bd27
measure: Add .ucode UKI section support
This commit adds support for the new ".ucode" UKI section to
systemd-measure. It is functionally an initrd and is treated as such by
measure.
2024-04-19 05:58:56 -07:00
Tobias Fleig
aea81bc0ff
stub: Add support for .ucode UKI section
This commit adds support for loading, measuring and handling a ".ucode"
UKI section. This section is functionally an initrd, intended for
microcode updates. As such it will always be passed to the kernel first.
2024-04-19 05:58:46 -07:00
Luca Boccassi
8257508c58
portable: support vpick
Resolve at attach/detach/inspect time, so that the image is pinned and requires
re-attaching on update, given files are extracted from it, so just passing
img.v/ to RootImage= is not enough to get a portable image updated.
2024-04-19 13:25:32 +01:00
Yu Watanabe
74c4231ce5
sd-event: introduce sd_event_source_get_inotify_path()
This may be useful when multiple inotify event sources exist.
Without this, users need to manage the event sources and paths.
2024-04-19 14:23:11 +09:00
Yu Watanabe
fc6ec43c02
man: drop spurious version info for error code
Follow-up for 87fe0a6960.
2024-04-19 14:23:08 +09:00
Yu Watanabe
c1ab4458f2
sd-event: rename argument for storing result
2024-04-19 13:59:26 +09:00
Luca Boccassi
e54bf3fe0b
Merge pull request #32299 from yuwata/network-radv-ignore-rs-from-the-same-interface
network/radv: ignore RS message from the same interface
2024-04-18 23:45:06 +02:00
Lennart Poettering
dd37963aff
Merge pull request #31790 from poettering/pcrlock-policy-fix
Replace PolicyAuthValue by PolicySigned as access policy for pcrlock policy nvindex
2024-04-18 21:11:27 +02:00
Luca Boccassi
b84a0bf3ab
Merge pull request #32144 from bluca/portable_clean
portablectl: add --clean parameter for detaching
2024-04-18 18:15:20 +02:00
Lennart Poettering
43a59b8b86
pcrlock: rework --recovery-pin= to take three different arguments
This reworks --recovery-pin= from a parameter that takes a boolean to
an enum supporting one of "hide", "show", "query".
If "hide" (default behaviour) we'll generate a recovery pin
automatically, but never show it, and thus just seal it and good.
If "show" we'll generate a recovery pin automatically, but display it in
the output, so the user can write it down.
If "query" we'll ask the user for a recovery pin, and not automatically
generate any.
For compatibility the old boolean behaviour is kept.
With this you can now do "systemd-pcrlock make-policy
--recovery-pin=show" to set up the first policy, write down the recovery
PIN. Later, if the PCR prediction didn't work out one day you can then
do "systemd-pcrlock make-policy --recovery-pin=query" and enter the
recovery key and write a new policy.
2024-04-18 18:12:24 +02:00
Antonio Alvarez Feijoo
d72835f819
man/systemd-stub: fix typo
2024-04-18 18:10:50 +02:00
Luca Boccassi
82efe05c01
Merge pull request #32326 from jonathan-conder/man_pam_loadkey
man: pam_system_loadkey additions and fixes
2024-04-18 14:10:40 +02:00
Luca Boccassi
ef5f7f9437
systemctl: add --clean= values to documentation and shell completion
2024-04-18 14:07:07 +02:00
Luca Boccassi
966d7977c7
portablectl: add --clean parameter for detaching
Calls CleanUnit on each portable service being removed, after it has
stopped.
2024-04-18 10:47:29 +01:00
Jonathan Conder
08ef6998e3
man: document other keyname options for pam_systemd_loadkey
2024-04-18 20:56:58 +12:00
Lennart Poettering
778abdbfa1
doc: fix .ssh credential examples
Let's create the .ssh dir with the right perms first.
Suggested by @gcb.
Fixes: #28172
2024-04-18 10:53:20 +02:00
Yu Watanabe
87fe0a6960
man: fix wrong version info (#31949)
Fixes #31920.
2024-04-18 09:45:51 +09:00
Yu Watanabe
769f9744b7
network/ndisc: disable Neighbor discovery client if RADV is enabled
Running both sd-ndisc and sd-radv should mostly be a misconfiguration,
but may not be. So, let's disable sd-ndisc by default only when sd-radv is
enabled, but allow it when both are explicitly requested.
2024-04-18 09:40:23 +09:00
Jonathan Conder
0bf317b620
man: add pam_gnome_keyring to auth section after pam_systemd_loadkey
This is required because pam_sm_open_session [1] only looks at
gkr_system_authtok, which is copied from the kernel keyring in
pam_sm_authenticate.
[1] https://gitlab.gnome.org/GNOME/gnome-keyring/-/blob/46.1/pam/gkr-pam-module.c?ref_type=tags
2024-04-18 08:32:15 +12:00
Lennart Poettering
94c5c55e3e
Merge pull request #32320 from bluca/softreboot_serialize
Soft reboot timestamp follow-ups
2024-04-17 22:12:49 +02:00
Zbigniew Jędrzejewski-Szmek
aea6787f78
man: mention that sd_journal_test_cursor() needs a positioning call
Fixes #30331.
2024-04-17 22:01:53 +02:00
Luca Boccassi
b3f548615f
core: rename SoftRebootStartTimestamp -> ShutdownStartTimestamp and generalize
Follow-up for 54f86b86ba
2024-04-17 18:19:27 +01:00
Yu Watanabe
e27f2ad6be
Merge pull request #32300 from mrc0mmand/assorted-tweaks
test: split TEST-50-DISSECT into smaller parts
2024-04-17 11:52:30 +09:00
Luca Boccassi
3721f9620c
Merge pull request #32289 from bluca/counter
soft-reboot counter follow-ups
2024-04-16 10:44:25 +02:00
Yu Watanabe
78d5bad2f5
Merge pull request #32294 from yuwata/network-generator-creds
network-generator: also load drop-ins for networkd.conf from credentials
2024-04-16 16:42:59 +09:00
Yu Watanabe
78281bd53a
networkctl: allow calling 'networkctl cat' without arguments
Then, show networkd.conf and its drop-ins.
2024-04-16 13:31:14 +09:00
Yu Watanabe
38b4eb228a
man: add missing drop-in directory
2024-04-16 13:00:49 +09:00
Yu Watanabe
e12e16e9f7
network-generator: also copy drop-ins for networkd.conf from credential
Follow-up for 1a30285590.
2024-04-16 12:45:08 +09:00
Yu Watanabe
5700e755a9
units: introduce systemd-udev-load-credentials.service
2024-04-16 09:45:43 +09:00
Yu Watanabe
51be364bbb
udevadm-control: add --load-credentials option
When specified, credentials udev.conf.* and udev.rules.* are copied to
the corresponding directories.
2024-04-16 09:45:25 +09:00
Luca Boccassi
95a289bfe7
man: mention initial value of SoftRebootsCount
Follow-up for 66f35161f6
2024-04-16 00:26:04 +01:00
Frantisek Sumsal
ad444dd8e8
man: slightly reword LogFilterPatterns= description
As there was something missing in the existing sentence.
2024-04-15 17:16:18 +02:00
Sam Leonard
9bfabe14e5
man: fix incorrect XML in man page
2024-04-15 10:40:11 +02:00
Yu Watanabe
14f3bdaa73
Merge pull request #32271 from YHNdnzj/arch-man
Fixes for links to man projects
2024-04-15 14:35:04 +09:00
Kristian Klausen
254e1aa707
vmspawn: Fix incorrect/broken links in the man page
2024-04-15 14:33:33 +09:00
Mike Yuan
e561037517
man/sd-journal: correct project name for man7
Follow-up for 5aa8180392
2024-04-14 23:46:54 +08:00
Mike Yuan
311f4b8f6a
man: switch wireguard man project to man7
2024-04-14 23:41:34 +08:00
Mike Yuan
41fead40e6
man/custom-html: update link to Arch manual
2024-04-14 23:38:38 +08:00
Yu Watanabe
ae9fd433d6
Merge pull request #32194 from henryli001/lihl/add-defaultUseDomains-config
network: add mechanism to configure default UseDomains= setting
2024-04-14 13:40:06 +09:00
Henry Li
fb57300743
network: add mechanism to configure default UseDomains= setting, update man page and add test
2024-04-13 16:54:31 -07:00
Ole Peder Brandtzæg
712514416e
man: remove PrivateMounts= from list of other settings in its own description
The diff looks bigger, but that's only because it seemed fitting to
reformat the paragraph now that the list is shorter.
2024-04-14 08:04:12 +09:00
Sam Leonard
edd85c8414
vmspawn: add --discard-disk= to control handling of disk discard requests
Fixes issue #32024: using --discard-disk=yes enables handling of disk
discard requests, saving space for long-running VMs as desired.
2024-04-12 20:32:38 +02:00
Ludwig Nussel
aadbe55925
creds: allow null when decrypting
pcrlock writes a credential file using a null key. Make sure systemd-creds
can show the file.
2024-04-11 12:15:32 +01:00
Pablo Méndez Hernández
ffd0cca34a
man/journald: Add missing configuration files
The man page was missing:
- `/run/systemd/journald.conf`
- `/usr/lib/systemd/journald.conf`
as valid configuration files.
Fixes: https://github.com/systemd/systemd/issues/32199
2024-04-10 20:15:17 +08:00
Luca Boccassi
0f0d001254
Merge pull request #32104 from yuwata/network-ndisc-redirect
network/ndisc: add support for Redirect message
2024-04-08 20:03:32 +01:00
Luca Boccassi
b1b5d7e4bf
Merge pull request #32140 from YHNdnzj/socket-per-peer-source
Minor tweaks to socket manual & shorten the code a bit
2024-04-08 10:38:07 +01:00
Mike Yuan
6b014a2ac4
man/systemd.socket: be explicit that MaxConnectionsPerSource=0 means disabled
2024-04-08 01:49:49 +08:00
Lennart Poettering
0af7e29434
nspawn: make nspawn work without privileges
2024-04-06 16:08:24 +02:00
Lennart Poettering
702a52f4b5
mountfsd: add new systemd-mountfsd component
2024-04-06 16:08:24 +02:00