mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Commit Graph

7074 Commits

Author SHA1 Message Date
Daan De Meyer
4cee83331c repart: Add --split option to generate split artifacts
For use with sysupdate or other systemd tooling, it's useful to be
able to generate split artifacts from disk images, where each
partition is written to a separate file. Let's support this with
a --split switch for repart and a SplitName= configuration option.

--split enables split artifact generation, and SplitName= configures
for which partition to generate split artifacts, and which suffix to
add to the split artifact name.

For SplitName=, we add support for some extra specifiers, more specifically
the partition Type UUID and the partition UUID.
2022-09-22 15:10:03 +02:00
Joost Heitbrink
63ed97efc3 man: don't mention Socket files in Scope man page 2022-09-22 08:09:05 +09:00
Lennart Poettering
4d0d34b4e7
Merge pull request #24709 from keszybz/partition-table-constants
Expose various GPT UUIDs as public constants and link them up in docs
2022-09-21 20:07:21 +02:00
Lennart Poettering
df4bed3f92
Merge pull request #24753 from DaanDeMeyer/repart-squashfs
repart: Add squashfs support
2022-09-21 19:49:10 +02:00
Daan De Meyer
95bfd3cd50 repart: Add squashfs support
To make this work, we have to set up everything in a temporary
directory tree that we can pass to mksquashfs as a single directory.

To make the most common scenario more efficient, we skip the temporary
setup directory if we only get a single source tree destined to root
in the squashfs filesystem.
2022-09-21 14:16:13 +02:00
наб
2084cbdc2f kernel-install.8: fix -h/-v ordering in SYNOPSIS 2022-09-21 16:40:46 +09:00
Zbigniew Jędrzejewski-Szmek
6d88188249 man/systemd-gpt-auto-generator: reword phrasing about partition location
"located on the same disk as the ESP is located on" is hard to grok. Let's
use more natural phrasing. Also, we shouldn't say that "The first foo partition
… is mounted to …", because this doesn't explain what is happening. The
partition could be empty, and there could be other partitions with the "foo"
content, but what matters is the UUID.
2022-09-20 16:48:50 +02:00
Zbigniew Jędrzejewski-Szmek
c6a173ef3b man/systemd-gpt-auto-generator: export type flags by name, trim table
We listed many of the root-partition type uuids, but not all. I think the
chances of somebody using the discoverable partition magic on an Itanium system
are fairly low at this point. So let's remove all architectures except the two
most popular consumer architectures. People building Loongson or RISC-V images
are likely to have the online version of the Discoverable Partitions
Specifications handy anyway, and it makes the man page easier to read. It also
reduces the chances that somebody adding new entries to the table has some
select&paste mishap. We've already had this happen in the past and it's a fairly
nasty bug. We don't need to expose the information in two places with manual
propagation between them.
2022-09-20 16:48:50 +02:00
Zbigniew Jędrzejewski-Szmek
92e7202812 headers: export partition uuids and flags in new sd-gpt.h file
I think those constants are generally useful. It's quite easy to make a mistake
when copying things from the docs, so let's make them easy and convenient to
access.
2022-09-20 16:48:50 +02:00
Zbigniew Jędrzejewski-Szmek
b66a6e1a58 man: "the initial RAM disk" → "the initrd"
In many places we spelled out the phrase behind "initrd" in full, but this
isn't terribly useful. In fact, no "RAM disk" is used, so emphasizing this
is just confusing to the reader. Let's just say "initrd" everywhere, people
understand what this refers to, and that it's in fact an initramfs image.

Also, s/i.e./e.g./ where appropriate.

Also, don't say "in RAM", when in fact it's virtual memory, whose pages
may or may not be loaded in page frames in RAM, and we have no control over
this.

Also, add <filename></filename> and other minor cleanups.
2022-09-20 16:48:50 +02:00
Luca BRUNO
72ceee435d docs: add a note about selectively overriding default dependencies
This documents that explicit `Before=`/`After=` dependencies can be
used to selectively override implicit ordering coming from default
dependencies. That allows for more granular control compared to the
already documented `DefaultDependencies=no` option.

The alternative approach came up in a discussion around the ordering
of `boot-complete.target`, so this also adds an explicit suggestion
in that direction to the "Automatic Boot Assessment" documentation.

Ref: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048330.html
2022-09-20 13:57:26 +02:00
BerndAdameit
a3e03a3f18 man/systemd-run: Refer to man-pages project (man7.org) when citing bash(1) 2022-09-19 00:32:34 +09:00
Zbigniew Jędrzejewski-Szmek
eb5b6b7310
Merge pull request #24708 from keszybz/not-available-in-tables
various: use "-" instead of "n/a" in tables
2022-09-17 18:16:42 +02:00
Zbigniew Jędrzejewski-Szmek
7f8afa6dc1 coredumpctl: rename table entry
"Disk Size" could be mistaken for "Size of the Disk".
2022-09-17 13:12:49 +02:00
Zbigniew Jędrzejewski-Szmek
483bf5643a man: add missing subject in sentence 2022-09-17 13:12:22 +02:00
Zbigniew Jędrzejewski-Szmek
8a9651088f various: use "-" instead of "n/a" in tables
In the context of a table, both would be generally understood to have the same
meaning. "n/a" is a strange beast. It was useful when tables were produced on
the typewriter with "---------" used to separate rows. It is visually more
pleasing to use "-", and there is no risk of it being mistaken for a row
separator.
2022-09-17 13:05:51 +02:00
Yu Watanabe
cb19517490 man: explicitly document that "reboot -f" is different from "systemctl reboot -f"
Closes #24696.
2022-09-17 05:15:36 +09:00
Yu Watanabe
3e911a0d0e pid1: drop redundant DBus properties
Follow-up for 10f3f4ed01.

We already have RuntimeWatchdogUSec or friends. Let's not introduce
redundant properties.

Also, drop the const qualifier for WatchdogLastPingTimestamp, as they
are actually not constant.
2022-09-16 21:53:28 +09:00
Yu Watanabe
10f3f4ed01 pid1: introduce dbus properties WatchdogDevice and friends
Closes #24665.
2022-09-14 13:13:59 +01:00
Lennart Poettering
6d856e26a7 man: say early what a unified kernel image/UKI is 2022-09-09 11:53:06 +02:00
Lennart Poettering
4889e809be man: be more careful regarding TPM vs. TPM2
We support PCR measurements for both classic TPM1.2 and TPM2, hence just
say "TPM" generically in that context. But the signed policies are
exclusive to TPM2, hence always say TPM2 there.

We mostly got that right, except at one place. Fix that.
2022-09-09 11:53:05 +02:00
Lennart Poettering
2deca517f6 man: document the new .pcrsig/.pcrpkey sections for unified kernel images 2022-09-09 11:53:05 +02:00
Suraj Krishnan
cb456374e0 Implement DNS notifications from resolved via varlink
* The new varlink interface exposes a method to subscribe to DNS
resolutions on the system. The socket permissions are open for owner and
group only.
* Notifications are sent to subscriber(s), if any, after successful
resolution of A and AAAA records.

This feature could be used by applications for auditing/logging services
downstream of the resolver. It could also be used to asynchronously
update the firewall. For example, a system that has a tightly configured
firewall could open up connections selectively to known good hosts based
on a known allow-list of hostnames. Of course, updating the firewall
asynchronously will require other design considerations (such as
queueing packets in the user space while a verdict is made).

See also:
https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html
https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html
2022-09-09 09:22:57 +01:00
Frantisek Sumsal
8432b0cd20
Merge pull request #24351 from poettering/pcr-sign
support for signed TPM2 PCR policies in cryptsetup/cryptenrolls/credentials
2022-09-08 19:07:04 +00:00
Luca Boccassi
87d1886346 man: add example with one-liner for ssh provisioning via tmpfiles.d + Creds 2022-09-08 16:27:52 +01:00
Lennart Poettering
dc63b2c909 cryptsetup: hook up signed PCR policies 2022-09-08 16:34:27 +02:00
Lennart Poettering
02ef97cde0 repart: hook up new TPM2 signed policies with repart 2022-09-08 16:34:27 +02:00
Lennart Poettering
f0f4fcaeb7 cryptenroll: hook up new TPM2 signed policies with cryptenroll 2022-09-08 16:34:27 +02:00
Lennart Poettering
75ddec9301 creds-tool: expose new signed PCR policies in creds tool, too 2022-09-08 16:34:27 +02:00
Lennart Poettering
cdaaa62ca1 measure: add 'sign' verb 2022-09-08 16:27:07 +02:00
Lennart Poettering
3d83c3eacf
Merge pull request #24572 from DaanDeMeyer/repart-verity
repart: Add support for formatting verity partitions
2022-09-08 12:02:27 +02:00
Daan De Meyer
b5b7879a5d repart: Add support for formatting verity partitions
This commit adds a new Verity= setting to repart definition files
with two possible values: "data" and "hash".

If Verity= is set to "data", repart works as before, and populates
the partition with the content from CopyBlocks= or CopyFiles=.

If Verity= is set to "hash", repart will try to find a matching
data partition with Verity=data and equal values for CopyBlocks=
or CopyFiles=, Format= and MakeDirectories=. If a matching data
partition is found, repart will generate verity hashes for that
data partition in the verity partition. The UUID of the data
partition is set to the first 128 bits of the verity root hash. The
UUID of the hashes partition is set to the final 128 bits of the
verity root hash.

Fixes #24559
2022-09-08 08:43:07 +02:00
Jan Janssen
230f78206a boot: Accept Ctrl+Del for deleting words 2022-09-07 12:55:55 +02:00
Quentin Deslandes
2b2777eda9 nspawn: add support for rootidmap bind option
rootidmap bind option will map the root user from the container to the
owner of the mounted directory on the filesystem. This will ensure files
and directories created by the root user in the container will be owned
by the directory owner on the filesystem. All other users will remain
unmapped.
2022-09-05 17:23:28 +01:00
Daan De Meyer
11749b6108 repart: Add support for setting a partition's UUID to zero
This is useful when we need to fill in the UUID later, such as when
using verity partitions.
2022-09-05 23:19:41 +09:00
Jade Bilkey
bc33789a06 man: fix static bridge example
A NetDev is needed to create the bridge in order to match the example's description "This creates a bridge..."
2022-09-04 11:19:14 +09:00
Lennart Poettering
71a3ff036b condition: change operator logic to use $= instead of =$ for glob comparisons
So this is a bit of a bikeshedding thing. But I think we should do this
nonetheless, before this is released.

Playing around with the glob matches I realized that "=$" is really hard
to grep for, since in shell code it's an often seen construct. Also,
when reading code I often found myself thinking first that the "$"
belongs to the rvalue instead of the operator, in a variable expansion
scheme.

If we move the $ character to the left hand, I think we are on the safer
side, since usually lvalues are much more restricted in character sets
than rvalues (at least most programming languages do enforce limits on
the character set for identifiers).

It makes it much easier to grep for the new operator, and easier to read
too. Example:

before:
    ConditionOSRelease=ID=$fedora-*
after:
    ConditionOSRelease=ID$=fedora-*
2022-09-01 23:16:13 +02:00
Lennart Poettering
06219747f5 condition: change ConditionKernelVersion= so that =/!= mean literal string comparison, and ==/<> version comparison
The only reason to do this is to ensure uniformity with the other
options, that work like this, i.e. ConditionOSRelease= or
ConditionSecurity=.

This is a compatibility break, but a minor one, given that string
comparison and version comparison are mostly the same for equality and
inequality.
2022-09-01 23:16:13 +02:00
Lennart Poettering
c990742523 condition: allow fnmatch() matches in ConditionKernelVersion=
This is mostly to make things systematic, and brings no new
functionality, as not specifying any operator is identical to prefixing
with =$ anyway.
2022-09-01 23:16:13 +02:00
Lennart Poettering
6061c86693 compare: add two new operators "==" and "<>"
These two operators always indicate ordering comparisons, as opposed to
"=" and "!=" which depending on context mean literal string compares.

This is useful for ConditionOSRelease= for example, as this means
there's now always a way to do version compares.
2022-09-01 23:16:13 +02:00
Lennart Poettering
8daa674090 condition: allow fnmatch compares for ConditionOSRelease=
We support this for smbios matches, hence do so for /etc/os-release
matches too.
2022-09-01 23:15:14 +02:00
Antonio Alvarez Feijoo
cf0dc88da6 man: remove reference to mkinitrd 2022-09-01 14:09:30 +01:00
Colin Walters
413e8650b7 tree-wide: Use "unmet" for condition checks, not "failed"
Often I end up debugging a problem on a system, and I
do e.g. `journalctl --grep=failed|error`.  The use of the term
"failed" for condition checks adds a *lot* of unnecessary noise into
this.

Now, I know this regexp search isn't precise, but it has proven
to be useful to me.

I think "failed" is too strong of a term as a baseline, and also
just stands out to e.g. humans watching their servers boot or
whatever.

The term "met condition" is fairly widely used, e.g.
https://stackoverflow.com/questions/63751794/what-does-the-condition-is-met-exactly-mean-in-programming-languages

Use that instead.
2022-09-01 15:03:40 +09:00
Topi Miettinen
4b3590c324 network: NetLabel integration
New directive `NetLabel=` provides a method for integrating static and dynamic
network configuration into Linux NetLabel subsystem rules, used by Linux
Security Modules (LSMs) for network access control. The label, with suitable
LSM rules, can be used to control connectivity of (for example) a service with
peers in the local network. At least with SELinux, only the ingress can be
controlled but not egress. The benefit of using this setting is that it may be
possible to apply the interface-independent part of the NetLabel configuration at a
very early stage of the system boot sequence, at a time when the network interfaces
are not available yet, with netlabelctl(8), and the per-interface configuration
with systemd-networkd once the interfaces appear later. Currently this feature
is only implemented for SELinux.

The option expects a single NetLabel label. The label must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.

Example:
```
[DHCPv4]
NetLabel=system_u:object_r:localnet_peer_t:s0
```

With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.123/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation

```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```

Result:
```
$ sudo netlabelctl -p unlbl list
...
 interface: eth0
   address: 10.0.0.0/8
    label: "system_u:object_r:localnet_peer_t:s0"
...
```
2022-08-29 14:23:17 +09:00
adrian5
b72e5d9d8e man: Minor punctuation and word tweak 2022-08-29 11:29:57 +09:00
Yu Watanabe
6dd3b818bb tree-wide: fix typo 2022-08-28 00:03:36 +09:00
Yu Watanabe
a3dd119b35
Merge pull request #23764 from enr0n/oomd-allow-managed-oom-preference
oomd: allow ManagedOOMPreference on all cgroups
2022-08-27 14:05:10 +09:00
Luca Boccassi
34f166d601
Merge pull request #24456 from yuwata/network-tcp-congctl
network: introduce TCPCongestionControlAlgorithm=
2022-08-26 18:04:51 +01:00
Nick Rosbrook
58b2f0d1f5 man: update ManagedOOMPreference entry to reflect new behavior 2022-08-26 12:40:58 -04:00
Sonali Srivastava
31a07872fa sleep: doc update for multiple battery, acpi_btp support and freeze/thaw user.slice 2022-08-26 17:38:36 +01:00