1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Commit Graph

6197 Commits

Author SHA1 Message Date
Lennart Poettering
ff0771bfc8 repart: make No-Auto GPT partition flag configurable too
This is useful for provisioning initially empty secondary A/B root file
systems. We don't want those to ever be considered for automatic
mounting, for example in "systemd-nspawn --image=", hence we should
create them with the No-Auto flag turned on. Once a file system image is
dropped into the partition the flag may be turned off by the updater
tool, so that it is considered from then on.

Thew new option for this is called NoAuto. I dislike negated options
like this, but this is taken from the naming in the spec, which in turn
inherited the name from the same flag for Microsoft Data Partitions. To
minimize confusion, let's stick to the name hence.
2021-06-18 14:34:01 +09:00
plattrap
e83580bfc6 Update systemd-resolved.service.8 help
Text currently refers to `/etc/nsswitch.conf` where it should refer to `/etc/resolv.conf`.
This is in the context of defining a nameserver IP and search domains.
2021-06-18 13:43:13 +09:00
Yu Watanabe
f4c48492fe man: fix RFC number and its title 2021-06-16 10:32:28 +09:00
Lennart Poettering
ad64e3e8d6
Merge pull request #19942 from wat-ze-hex/socket-bind-ip-proto-2021-06-10
dbus: extend SocktBind{Allow|Deny}= with ip proto
2021-06-16 00:24:54 +02:00
Julia Kartseva
a5f19be8b1 dbus: update SocketBind{Allow|Deny}= doc 2021-06-15 13:51:33 -07:00
Zbigniew Jędrzejewski-Szmek
7c7683f36c sd-id128: add SD_ID128_MAKE_UUID_STR
It's like SD_ID128_MAKE_STR, but with hyphens.
2021-06-15 22:01:39 +02:00
Lennart Poettering
39d02a175f sd-id128: document everywhere that we treat all UUIDs as Variant 1
So in theory UUID Variant 2 (i.e. microsoft GUIDs) are supposed to be
displayed in native endian. That is of course a bad idea, and Linux
userspace generally didn't implement that, i.e. uuidd and similar.
Hence, let's not bother either, but let's document that we treat
everything the same as Variant 1, even if it declares something else.
2021-06-15 20:58:56 +02:00
Matt Johnston
e65357b658 man: fix sd_bus_add_node_enumerator() ret_nodes
ret_nodes is NULL terminated, the return value isn't a count.
2021-06-15 11:29:44 +01:00
Yu Watanabe
21d03e6c63 man: add an example to configure default route on device with table
Prompted by #19911.
2021-06-15 11:29:20 +01:00
Yu Watanabe
a3f5f4a5c0 fix typo 2021-06-15 14:19:30 +09:00
Topi Miettinen
1753d30215 Revert "Mount all fs nosuid when NoNewPrivileges=yes"
This reverts commit d8e3c31bd8.

A poorly documented fact is that SELinux unfortunately uses nosuid mount flag
to specify that also a fundamental feature of SELinux, domain transitions, must
not be allowed either. While this could be mitigated case by case by changing
the SELinux policy to use `nosuid_transition`, such mitigations would probably
have to be added everywhere if systemd used automatic nosuid mount flags when
`NoNewPrivileges=yes` would be implied. This isn't very desirable from SELinux
policy point of view since also untrusted mounts in service's mount namespaces
could start triggering domain transitions.

Alternatively there could be directives to override this behavior globally or
for each service (for example, new directives `SUIDPaths=`/`NoSUIDPaths=` or
more generic mount flag applicators), but since there's little value of the
commit by itself (setting NNP already disables most setuid functionality), it's
simpler to revert the commit. Such new directives could be used to implement
the original goal.
2021-06-15 00:33:22 +09:00
Jayanth Ananthapadmanaban
279082ed49 Add a network timeout option to journal-upload 2021-06-14 11:16:38 +02:00
Zbigniew Jędrzejewski-Szmek
dbb3b26f1b man: clarify that global search domains apply to global servers, not all interfaces
Fixes #19257.
2021-06-11 10:32:42 +01:00
Anita Zhang
c48bc311a5 man: add note about operation without swap in systemd-oomd 2021-06-10 07:24:18 +02:00
Zbigniew Jędrzejewski-Szmek
998571a7f4
Merge pull request #19871 from yuwata/man-network-missing-settings
man: add missing settings
2021-06-09 22:15:38 +02:00
Yu Watanabe
c3006a485c man: add missing settings
Fixes #19869.
2021-06-10 04:47:13 +09:00
Yu Watanabe
85bc4c080d man: merge several settings about netdev 2021-06-10 04:46:40 +09:00
Peter Morrow
dbb8b5bcf7 man: fix missing markdown & minor errors
In #19771 there were a few missing markdown tags a few style issue.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2021-06-09 19:18:11 +01:00
Yu Watanabe
9e1432d5cc network: introduce IPv6StableSecretAddress= setting
Previously, IPv6LinkLocalAddressGenerationMode= is not set, then we
define the address generation mode based on the result of reading
stable_secret sysctl value. This makes the mode is determined by whether
a secret address is specified in the new setting.

Closes #19622.
2021-06-09 04:56:48 +09:00
Srinidhi Kaushik
7f7a50dd15 tmpfiles: extend "Age" to accept an "age-by" argument
For "systemd-tmpfiles --cleanup", when the "Age" parameter
is specified, the criteria for deletion is determined from
the path's last modification timestamp ("mtime"), its last
access timestamp ("atime") and its last status change
timestamp ("ctime").

For instance, if one of those paths to be cleaned up are
opened, it results in the modification of "atime", which
results file system entry to not be removed because the
default aging algorithm would skip the entry.

Add an optional "age-by" argument by extending the "Age"
parameter to restrict the clean-up for a particular type
of file timestamp, which can be specified in "tmpfiles.d"
as follows:

  [age-by:]cleanup-age, where age-by is "[abcmACBM]+"

For example:

  d /foo/bar - - - abM:1m -

Would clean-up any files that were not accessed and created,
or directories that were not modified less than a minute ago
in "/foo/bar".

Fixes: #17002
2021-06-08 18:24:58 +02:00
Lennart Poettering
66973219c0
Merge pull request #19166 from bluca/coredump_compress_on_the_fly
coredump: compress on the fly
2021-06-08 18:24:34 +02:00
Yu Watanabe
c50404aecc udev: make WakeOnLan= take multiple features
WAKE_XXX are flag, not enum.
2021-06-08 18:24:11 +02:00
Allen Webb
c46c323385 tmpfiles: add '=' action modifier.
Add the '=' action modifier that instructs tmpfiles.d to check the file
type of a path and remove objects that do not match before trying to
open or create the path.

BUG=chromium:1186405
TEST=./test/test-systemd-tmpfiles.py "$(which systemd-tmpfiles)"

Change-Id: If807dc0db427393e9e0047aba640d0d114897c26
2021-06-08 17:23:26 +02:00
Peter Morrow
90a404f5d4 man: add details on overriding top level drop-ins
When using top level drop-ins it isn't immediately obvious that one can
make use of symlinking to disable a top-level drop in for a specific
unit.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2021-06-08 17:03:03 +02:00
Luca Boccassi
587f2a5e56 coredump: check cgroups memory limit if storing on tmpfs
When /var/lib/systemd/coredump/ is backed by a tmpfs, all disk usage
will be accounted under the systemd-coredump process cgroup memory
limit.
If MemoryMax is set, this might cause systemd-coredump to be terminated
by the kernel oom handler when writing large uncompressed core files,
even if the compressed core would fit within the limits.

Detect if a tmpfs is used, and if so check MemoryMax from the process
and slice cgroups, and do not write uncompressed core files that are
greater than half the available memory. If the limit is breached,
stop writing and compress the written chunk immediately, then delete
the uncompressed chunk to free more memory, and resume compressing
directly from STDIN.

Example debug log when this situation happens:

systemd-coredump[737455]: Setting max_size to limit writes to 51344896 bytes.
systemd-coredump[737455]: ZSTD compression finished (51344896 -> 3260 bytes, 0.0%)
systemd-coredump[737455]: ZSTD compression finished (1022786048 -> 47245 bytes, 0.0%)
systemd-coredump[737455]: Process 737445 (a.out) of user 1000 dumped core.
2021-06-08 14:05:56 +01:00
Luca Boccassi
93ff34e44a core: add MemoryAvailable unit property
Try to infer the unused memory that a unit can claim before the
memory.max limit is reached, including any limit set on any parent
slice above the unit itself.
2021-06-08 14:05:56 +01:00
Zbigniew Jędrzejewski-Szmek
f75420a43a man: explain ConditionNeedsUpdate a bit more
We were effectively doing all post-upgrade scripts twice in Fedora. We got this
wrong, so it's likely other people will get it wrong too. So let's explain
what is actually needed to make this work, but also when it's not useful.
2021-06-08 10:47:11 +02:00
alexlzhu
9f40351f77
man: update docs on systemd-system.conf logging (LogTime=) (#19846)
Updating documentation for systemd to reflect that logging is done in the console.
2021-06-08 15:54:07 +09:00
Yu Watanabe
165d7c5c42 network: introduce UplinkInterface= setting for DHCP server 2021-06-08 06:33:27 +09:00
Lennart Poettering
d27e6aee50 udevadm: fix --tag-match help + description 2021-06-08 01:47:01 +09:00
Sebastian Blunt
2cbca51a71 Rename crypttab opt silent to password-echo
Use the option name 'password-echo' instead of the generic term
'silent'.

Make the option take an argument for better control over echoing
behavior.

Related discussion in https://github.com/systemd/systemd/pull/19619
2021-06-07 10:35:28 +02:00
adrian5
d0fd114929 man: fix typo 2021-06-03 22:10:36 +02:00
Lennart Poettering
49365d1c6d ask-password: make password echo fully configurable
This adds --visible=yes|no|asterisk which allow controlling the echo of
the password prompt in detail. The existing --echo switch is then made
an alias for --visible=yes (and a shortcut -e added for it too).
2021-06-03 11:16:48 +02:00
Lennart Poettering
17e7561a97 homectl: store FIDO2 up/uv/clientPin fields in user records too
This catches up homed's FIDO2 support with cryptsetup's: we'll now store
the uv/up/clientPin configuration at enrollment in the user record JSON
data, and use it when authenticating with it.

This also adds explicit "uv" support: we'll only allow it to happen when
the client explicity said it's OK. This is then used by clients to print
a nice message suggesting "uv" has to take place before retrying
allowing it this time. This is modelled after the existing handling for
"up".
2021-06-01 13:31:53 +02:00
Lennart Poettering
7dba77a67e
Merge pull request #17096 from eworm-de/ask-password
ask-password: allow to control emoji
2021-06-01 11:44:00 +02:00
Luca Boccassi
6c498f6d89
Merge pull request #19765 from keszybz/early-boot-logging-improvements
Early boot logging improvements
2021-05-31 22:59:51 +01:00
Christian Hesse
e390c34d00 ask-password: allow to control lock and key emoji
Giving --echo to systemd-ask-password allows to echo the user input.
There's nothing secret, so do not show a lock and key emoji by default.

The behavior can be controlled with --emoji=yes|no|auto. The default is
auto, which defaults to yes, unless --echo is given.
2021-05-31 21:13:31 +02:00
Zbigniew Jędrzejewski-Szmek
af88c399c0 tty-ask-password-agent: mention optional argument in help
0cf8469387 added --console.
6af621248f added an optional argument, but didn't
update the help texts.

Note that there is no ambiguity with the optional argument because no positional
arguments are allowed.
2021-05-31 19:22:51 +02:00
Sebastian Blunt
4858bc0d84 Respect option 'silent' on cryptsetup FIDO2 pin entry
Makes the silent flags behavior consistent between regular password
entry and FIDO2 pin entry.
2021-05-31 17:57:44 +02:00
Lennart Poettering
72c1542267 man: document that FIDO2 uv/up/clientPin feature support is now handled gracefully 2021-05-28 16:45:12 +02:00
Yu Watanabe
48008c1cbf tree-wide: fix typo 2021-05-28 19:52:12 +09:00
borna-blazevic
c517a49bf7 network: dhcp-server: introduce [DHCPServerStaticLease] section 2021-05-27 15:51:26 +09:00
Yu Watanabe
e954939b9e
Merge pull request #19736 from poettering/udev-trigger-uuid
sd-device: add support for triggering devices with UUID support
2021-05-27 13:05:00 +09:00
Christian Hesse
9fff026d60 man: fix tag type
This is an option, not a command.
2021-05-27 12:50:57 +09:00
Lennart Poettering
730b9c1e14 udevadm: make use of the new uuid-enabled triggering for "udevadm trigger"
This adds two things:

- A new switch --uuid is added to "udevadm trigger". If specified a
  random UUID is associated with the synthettic uevent and it is printed
  to stdout. It may then be used manually to match up uevents as they
  propagate through the system.

- The UUID logic is now implicitly enabled if "udevadm trigger --settle"
  is used, in order to wait for precisely the uevents we actually
  trigger. Fallback support is kept for pre-4.13 kernels (where the
  requests for trigger uevents with uuids results in EINVAL).
2021-05-26 21:44:36 +02:00
Lennart Poettering
6f75309295 man: document that it is guaranteed that generated ID128 are never all-zero or all-one
This is the case because the ID128 we generate are all marked as v4 UUID
which requires that some bits are zero and others are one. Let's
document this so that people can rely on SD_ID128_NULL being a special
value for "uninitialized" that is always distinguishable from generated
UUIDs.
2021-05-26 21:44:15 +02:00
Lennart Poettering
83aab043d3
Merge pull request #19737 from poettering/default-specifiers-env
pid1: add specifier expansion for DefaultEnvironment=
2021-05-26 21:38:38 +02:00
Topi Miettinen
d8e3c31bd8 Mount all fs nosuid when NoNewPrivileges=yes
When `NoNewPrivileges=yes`, the service shouldn't have a need for any
setuid/setgid programs, so in case there will be a new mount namespace anyway,
mount the file systems with MS_NOSUID.
2021-05-26 17:42:39 +02:00
Lennart Poettering
aa6dc3ec33 man: fix list of escaped characters in unit names
The code works differently than the docs, and the code is right here.
Fix the doc hence.

See VALID_CHARS in unit-name.c for details about allowed chars in unit
names, but keep in mind that "-" and "\" are special, since generated by
the escaping logic: they are OK to show up in unit names, but need to be
escaped when converting foreign strings to unit names to make sure
things remain reversible.

Fixes: #19623
2021-05-26 17:27:24 +02:00
Lennart Poettering
46a9ee5d9b core: support specifier expansion in DefaultEnvironment= and ManagerEnvironment=
Strictly speaking adding this is a compatibility break, given that
previously % weren't special. But I'd argue that was simply a bug, as
for the much more prominent Environment= service setting we always
resolved specifiers, and DEfaultEnvironment= is explicitly listed as
being the default for that. Hence, let's fix that.

Replaces: #16787
2021-05-26 17:20:36 +02:00