1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Commit Graph

7045 Commits

Author SHA1 Message Date
Lennart Poettering
cdaaa62ca1 measure: add 'sign' verb 2022-09-08 16:27:07 +02:00
Lennart Poettering
3d83c3eacf
Merge pull request #24572 from DaanDeMeyer/repart-verity
repart: Add support for formatting verity partitions
2022-09-08 12:02:27 +02:00
Daan De Meyer
b5b7879a5d repart: Add support for formatting verity partitions
This commit adds a new Verity= setting to repart definition files
with two possible values: "data" and "hash".

If Verity= is set to "data", repart works as before, and populates
the partition with the content from CopyBlocks= or CopyFiles=.

If Verity= is set to "hash", repart will try to find a matching
data partition with Verity=data and equal values for CopyBlocks=
or CopyFiles=, Format= and MakeDirectories=. If a matching data
partition is found, repart will generate verity hashes for that
data partition in the verity partition. The UUID of the data
partition is set to the first 128 bits of the verity root hash. The
UUID of the hashes partition is set to the final 128 bits of the
verity root hash.

Fixes #24559
2022-09-08 08:43:07 +02:00
Jan Janssen
230f78206a boot: Accept Ctrl+Del for deleting words 2022-09-07 12:55:55 +02:00
Quentin Deslandes
2b2777eda9 nspawn: add support for rootidmap bind option
rootidmap bind option will map the root user from the container to the
owner of the mounted directory on the filesystem. This will ensure files
and directories created by the root user in the container will be owned
by the directory owner on the filesystem. All other user will remain
unmapped.
2022-09-05 17:23:28 +01:00
Daan De Meyer
11749b6108 repart: Add support for setting a partition's UUID to zero
This is useful when we need to fill in the UUID later, such as when
using verity partitions.
2022-09-05 23:19:41 +09:00
Jade Bilkey
bc33789a06 man: fix static bridge example
A NetDev is needed to create the bridge in order to match the example's description "This creates a bridge..."
2022-09-04 11:19:14 +09:00
Lennart Poettering
71a3ff036b condition: change operator logic to use $= instead of =$ for glob comparisons
So this is a bit of a bikeshedding thing. But I think we should do this
nonetheless, before this is released.

Playing around with the glob matches I realized that "=$" is really hard
to grep for, since in shell code it's an often seen construct. Also,
when reading code I often found myself thinking first that the "$"
belongs to the rvalue instead of the operator, in a variable expansion
scheme.

If we move the $ character to the left hand, I think we are on the safer
side, since usually lvalues are much more restricted in character sets
than rvalues (at least most programming languages do enforce limits on
the character set for identifiers).

It makes it much easier to grep for the new operator, and easier to read
too. Example:

before:
    ConditionOSRelease=ID=$fedora-*
after:
    ConditionOSRelease=ID$=fedora-*
2022-09-01 23:16:13 +02:00
Lennart Poettering
06219747f5 condition: change ConditionKernelVersion= so that =/!= mean literal string comparison, and ==/<> version comparison
The only reason to do this is to ensure uniformity with the other
options, that work like this, i.e. ConditionOSRelease= or
ConditionSecurity=.

This is a compatibility break, but a minor one, given that string
comparison and version comparison is mostly the same for equality and
inequality.
2022-09-01 23:16:13 +02:00
Lennart Poettering
c990742523 condition: allow fnmatch() matches in ConditionKernelVersion=
This is mostly to make things systematic, and brings no new
functionality, as not specifying any operator is identical to prefixing
with =$ anyway.
2022-09-01 23:16:13 +02:00
Lennart Poettering
6061c86693 compare: add two new operators "==" and "<>"
These two operators always indicate ordering comparisons, as opposed to
"=" and "!=" which depending on context mean literal string compares.

This is useful for ConditionOSRelease= for example, as this means
there's now always a way to do version compares.
2022-09-01 23:16:13 +02:00
Lennart Poettering
8daa674090 condition: allow fnmatch compares for ConditionOSRelease=
We support this for smbios matches, hence do so for /etc/os-release
matches too.
2022-09-01 23:15:14 +02:00
Antonio Alvarez Feijoo
cf0dc88da6 man: remove reference to mkinitrd 2022-09-01 14:09:30 +01:00
Colin Walters
413e8650b7 tree-wide: Use "unmet" for condition checks, not "failed"
Often I end up debugging a problem on a system, and I
do e.g. `journalctl --grep=failed|error`.  The use of the term
"failed" for condition checks adds a *lot* of unnecessary noise into
this.

Now, I know this regexp search isn't precise, but it has proven
to be useful to me.

I think "failed" is too strong of a term as a baseline, and also
just stands out to e.g. humans watching their servers boot or
whatever.

The term "met condition" is fairly widely used, e.g.
https://stackoverflow.com/questions/63751794/what-does-the-condition-is-met-exactly-mean-in-programming-languages

Use that instead.
2022-09-01 15:03:40 +09:00
Topi Miettinen
4b3590c324 network: NetLabel integration
New directive `NetLabel=` provides a method for integrating static and dynamic
network configuration into Linux NetLabel subsystem rules, used by Linux
Security Modules (LSMs) for network access control. The label, with suitable
LSM rules, can be used to control connectivity of (for example) a service with
peers in the local network. At least with SELinux, only the ingress can be
controlled but not egress. The benefit of using this setting is that it may be
possible to apply interface independent part of NetLabel configuration at very
early stage of system boot sequence, at the time when the network interfaces
are not available yet, with netlabelctl(8), and the per-interface configuration
with systemd-networkd once the interfaces appear later.  Currently this feature
is only implemented for SELinux.

The option expects a single NetLabel label. The label must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.

Example:
```
[DHCPv4]
NetLabel=system_u:object_r:localnet_peer_t:s0
```

With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.123/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation

```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```

Result:
```
$ sudo netlabelctl -p unlbl list
...
 interface: eth0
   address: 10.0.0.0/8
    label: "system_u:object_r:localnet_peer_t:s0"
...
```
2022-08-29 14:23:17 +09:00
adrian5
b72e5d9d8e man: Minor punctuation and word tweak 2022-08-29 11:29:57 +09:00
Yu Watanabe
6dd3b818bb tree-wide: fix typo 2022-08-28 00:03:36 +09:00
Yu Watanabe
a3dd119b35
Merge pull request #23764 from enr0n/oomd-allow-managed-oom-preference
oomd: allow ManagedOOMPreference on all cgroups
2022-08-27 14:05:10 +09:00
Luca Boccassi
34f166d601
Merge pull request #24456 from yuwata/network-tcp-congctl
network: introduce TCPCongestionControlAlgorithm=
2022-08-26 18:04:51 +01:00
Nick Rosbrook
58b2f0d1f5 man: update ManagedOOMPreference entry to reflect new behavior 2022-08-26 12:40:58 -04:00
Sonali Srivastava
31a07872fa sleep: doc update for multiple battery, acpi_btp support and freeze/thaw user.slice 2022-08-26 17:38:36 +01:00
Yu Watanabe
dc7c21f001 network: introduce TCPCongestionControlAlgorithm=
Closes #24432.
2022-08-26 19:47:23 +09:00
Zbigniew Jędrzejewski-Szmek
4ccde410a3 tree-wide: change --kill-who to --kill-whom
getopt allows non-ambiguous abbreviations, so backwards-compat is maintained, and
people can use --kill-who (or even shorter abbreviations). English is flexible,
so in common speach people would use both forms, even if "whom" is technically
more correct. The advantage of using the longer form in the code is that we
effectively allow both forms, so we stop punishing people who DTGCT¹, but still
allow people to use the spoken form if they prefer.

1. Do the gramatically correct thing
2022-08-26 11:15:44 +09:00
Lennart Poettering
abd6faae80 journal: rename special journal field _SYSTEM_CONTEXT= → _RUNTIME_SCOPE=
Previously the field "_SYSTEM_CONTEXT" knew he values "initrd" + "main". Let's change
this to "_RUNTIME_SCOPE" and "initrd" + "system".

Why? The sysext logic has a very similar concept of "scopes", declaring
whether a sysext image is intended for the initrd or the main system.
Let's thus use the same naming for both.

sysext's extension-release files hence know SYSEXT_SCOPE=initrd|system,
and the journal messages know _RUNTIME_SCOPE=initrd|system, which makes
this reasonably systematic.

Follow-up for: cae8edd93c

(This is not an API break, since no version with this commit has ever
been released.)
2022-08-25 22:27:26 +01:00
Daniel Braunwarth
bf07a12516 pid1: extend "ConditionFirmware=" for checking SMBIOS system identification information 2022-08-25 21:44:21 +01:00
Lennart Poettering
13be736d1f
Merge pull request #24408 from keszybz/execstart-escape
Properly escape ExecStart= commandlines in transient units
2022-08-25 11:40:57 +02:00
Lennart Poettering
5b9ae04c65
Merge pull request #24242 from msekletar/terminate-idle-sessions
Add option to stop idle sessions after specified timeout
2022-08-25 11:39:42 +02:00
Luca Boccassi
298b3de6d4
Merge pull request #24370 from keszybz/sysusers-equivs
Use /bin/bash for root shell and suppress some warnings from sysusers
2022-08-24 21:35:28 +01:00
Lennart Poettering
771fe73c75
Merge pull request #24072 from poettering/remove-cgroupsv1-docs
decgroupsv1ification: first steps – remove from docs, and generate warnings
2022-08-24 17:00:53 +02:00
Michal Sekletar
82325af3ae logind: add option to stop idle sessions after specified timeout
Thanks to Jan Pazdziora <jpazdziora@redhat.com> for providing a patch
which implemeted a PoC of this feature.
2022-08-24 14:50:48 +02:00
Zbigniew Jędrzejewski-Szmek
8a7adccbdb various: try to use DEFAULT_USER_SHELL for root too
/bin/sh as a shell is punishing. There is no good reason to make
the occasional root login unpleasant.

Since /bin/sh is usually /bin/bash in compat mode, i.e. if one is
available, the other will be too, /bin/bash is almost as good as a default.
But to avoid a regression in the situation where /bin/bash (or
DEFAULT_USER_SHELL) is not installed, we check with access() and fall back
to /bin/sh. This should make this change in behaviour less risky.

(FWIW, e.g. Fedora/RHEL use /bin/bash as default for root.)

This is a follow-up of sorts for 53350c7bba,
which added the default-user-shell option, but most likely with the idea
of using /bin/bash less ;)

Fixes #24369.
2022-08-24 10:02:46 +02:00
Zbigniew Jędrzejewski-Szmek
6a6707ce85 man/run: we accept relative paths for run
I think this is a left-over from before we changed ExecStart= to allow
non-absolute paths, *and* changed systemd-run itself to resolve paths too.
2022-08-24 09:54:45 +02:00
Lennart Poettering
e820ca0193
Merge pull request #24071 from bluca/path_trigger_report
path/timer units: export env vars and D-Bus properties with reason that triggered the job
2022-08-24 09:35:59 +02:00
Zhaofeng Li
f555830674 virt: Support detection of Apple Virtualization.framework guests 2022-08-24 09:34:54 +02:00
David Jaša
ce0a056abc check-os-release.py compatible with Python < 3.8
The ":=" operator was only added in Python 3.8 so splitting the line with it into two makes check-os-release.py actually fulfill its claim of working with any python version.
2022-08-24 12:08:17 +09:00
Luca Boccassi
c8bc7519c8 service: set TRIGGER_UNIT= and TRIGGER_TIMER_REALTIME_USEC/MONOTONIC_USEC on activation by timer unit
Same as path unit, best effort.
2022-08-23 21:19:54 +01:00
Luca Boccassi
4c42032854 service: set TRIGGER_UNIT= and TRIGGER_PATH= on activation by path unit
When a service is triggered by a path unit, pass the
path unit name and the path that triggered it via env vars
to the spawned processes.
Note that this is best-effort, as there might be many triggers
at the same time, but we only get woken up by one.
2022-08-23 20:38:08 +01:00
Luca Boccassi
48b92b37ac core: add basic infrastructure to record unit activation information
Not wired in by any unit type yet, just the basic to allocate,
ref, deref and plug in to other unit types.
Includes recording the trigger unit name and passing it to the
triggered unit as TRIGGER_UNIT= env var.
2022-08-23 20:38:08 +01:00
Daan De Meyer
cae8edd93c journal: Add new _INITRD field
The _INITRD field is a boolean field (0 or 1) that specifies whether
a message was processed by systemd-journald in the initrd or not.
2022-08-23 19:35:04 +01:00
Luca Boccassi
0f74ca8668
Merge pull request #24412 from keszybz/man-similarly
man: grammar cleanups
2022-08-23 13:17:13 +01:00
Zbigniew Jędrzejewski-Szmek
6163dac48f man/crypttab: rework formatting in "key acquisition section"
<example> without <title> was rendered as "Example 1.", which did not
look good. While at it, the text is rewored to be, I hope, a bit easier to
read.
2022-08-23 12:32:17 +02:00
Zbigniew Jędrzejewski-Szmek
15102ced42 man: similar → similarly
Something *is* similar
Something *works* similarly
Something does something, similarly to how something else does something

See https://sites.ulethbridge.ca/roussel/2017/11/29/similar-and-similarly-are-they-similar/
for a clear explanation.
2022-08-23 12:14:58 +02:00
eggfly
6b5e82408d fix typos 2022-08-23 10:53:47 +02:00
Zbigniew Jędrzejewski-Szmek
7a9e0bd031 man: add "History" sections for removed settings
The general idea is that users should be able to figure out if some option
that they see in a config file or on some internet page is something that
systemd knows about. Once users know that, yes, this was an option but has
been deprecated and removed from the documentation, it's much easier for them
to find any docs in old versions if they want to. Or to switch to something
different.
2022-08-23 09:24:44 +02:00
Lennart Poettering
6d48c7cf73 docs: remove documentation about cgroupsv1 settings
it's legacy. We'll continue to support it in code, but let's simplify
the docs a bit, and not mention this legacy stuff anymore.
2022-08-23 09:24:44 +02:00
Lennart Poettering
127b72da2b measure: add --current switch for "systemd-measure calculate"
This allows allows shortcutting measurements of the specified files and
use the information from /sys/ instead.

This is not too useful on its own given that "systemd-measure status"
already exists which displays the current, relevant PCR values. The main
difference is how "complete" the information is. "status" will detect if
the measurements make any sense, and show more than PCR 11. "calculate
--current" otoh only reads PCR 11 and uses that, and that's really it.

This is mainly preparation for later work to add PCR signing to the
tool, where usually it makes most sense to sign prepared kernel images,
but for testing it's really useful to shortcut signing to the current
PCR values instead
2022-08-22 19:17:18 +01:00
Antonio Alvarez Feijoo
782e41ab88 sysext: add missing COMMAND to the help output and man synopsis 2022-08-22 15:41:12 +01:00
Zbigniew Jędrzejewski-Szmek
0336c23e98 man: fix description of the config file argument
It's any relative path, not just "basename", as was stated before.
2022-08-22 12:52:25 +02:00
Lennart Poettering
c06b6d46fd measure: add json output 2022-08-19 23:26:09 +02:00
Rene Hollander
d9bdb29bf5 Add --efi-boot-option-description argument to bootctl to control the name of the boot
entry.

By default an entry named "Linux Boot Manager" is created (which is the
previous behavior). With the flag the name of the entry can be
controlled, which is useful when installing systemd-boot to multiple ESP
partitions and having uniquely named entries.

Fixes #17044.
2022-08-19 14:55:31 +02:00