1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-25 23:21:33 +03:00
Commit Graph

6413 Commits

Author SHA1 Message Date
Raul Tambre
d3a047b9d1 man: Don't link to a manpage that's within our documentation
For example on systemd.network this results in the link taking one to another site with the manpage instead of the document that's on the same site.
2021-06-28 18:49:27 +09:00
Zbigniew Jędrzejewski-Szmek
0b497bc46f man/dnssec-trust-anchors: update comment syntax description
Let's just use the same phrase as in systemd.syntax(7).
Fixes #20045.
2021-06-27 15:50:04 +02:00
dgcampea
e8f4bf33d8 man: fix incorrect description regarding DynamicUser= and StateDirectory= 2021-06-27 14:08:05 +01:00
Yu Watanabe
c8de9b0ec5 man: document about NAMING_REPLACE_STRICTLY network interface naming policy
Follow-up for b4d885f0e8 and
068b0f7728.
2021-06-25 14:51:24 +01:00
Zbigniew Jędrzejewski-Szmek
a768492a33
Merge pull request #20023 from yuwata/re-enable-nosuid-mount-flag
core: reenable nosuid mount flag when NoNewPrivileges=yes
2021-06-25 14:21:05 +02:00
Zbigniew Jędrzejewski-Szmek
157306439e
Merge pull request #19312 from yuwata/udev-escape-slash-nvme
udev: make OPTIONS="string_escape=replace" take effect on ENV{key}= assiginment
2021-06-25 10:11:04 +02:00
Zbigniew Jędrzejewski-Szmek
07b1d28a16
Merge pull request #19883 from ddstreet/activation-policy-down-required-for-online-no
Activation policy down required for online no
2021-06-25 09:26:25 +02:00
Zbigniew Jędrzejewski-Szmek
a2e2917162
Merge pull request #19941 from bluca/condition_os_release
core: add ConditionOSRelease= directive
2021-06-25 09:22:50 +02:00
Yu Watanabe
5181630f26 core: do not set nosuid mount option when SELinux is enabled
The mount option has special meaning when SELinux is enabled. To make
NoNewPrivileges=yes not break SELinux enabled systems, let's not set the
mount flag on such systems.
2021-06-25 15:37:35 +09:00
Yu Watanabe
6720e356c1 Revert "Revert "Mount all fs nosuid when NoNewPrivileges=yes""
This reverts commit 1753d30215.

Let's re-enable that feature now. As reported when the original commit
was merged, this causes some trouble on SELinux enabled systems. So,
in the subsequent commit, the feature will be disabled when SELinux is enabled.
But, anyway, this commit just re-enable that feature unconditionally.
2021-06-25 15:16:34 +09:00
Lennart Poettering
86e24d608a
Merge pull request #20001 from keszybz/test-path-simplify-less
Do not call path_simplify() when not needed
2021-06-24 15:33:09 +02:00
Luca Boccassi
1e26f8a60b core: add ConditionOSRelease= directive 2021-06-24 13:57:48 +01:00
Dan Streetman
7c644a6966 network: default RequiredForOnline=false if ActivactionPolicy= not set to up
If ActivationPolicy= is set to down, always-down, or manual, then any
matching link will delay boot (due to delaying network-online.target).

If RequiredForOnline= wasn't explicitly set, then default it to false
if ActivationPolicy= is down or manual. If ActivationPolicy=always-down,
then force RequiredForOnline=no.
2021-06-24 08:32:21 -04:00
Lennart Poettering
b80ef40caf ask-password: add "-n" switch for disabling trailing newline
This is similar to the "-n" switch of the "echo" command.
2021-06-24 13:25:39 +02:00
Zbigniew Jędrzejewski-Szmek
aa45911b79 man/50-xdg-data-dirs: add quotes as suggested by shellcheck 2021-06-23 18:11:49 +02:00
Yu Watanabe
91c27ac686 man: update description of "string_escape=" udev option 2021-06-23 17:11:23 +09:00
Lennart Poettering
ff0771bfc8 repart: make No-Auto GPT partition flag configurable too
This is useful for provisioning initially empty secondary A/B root file
systems. We don't want those to ever be considered for automatic
mounting, for example in "systemd-nspawn --image=", hence we should
create them with the No-Auto flag turned on. Once a file system image is
dropped into the partition the flag may be turned off by the updater
tool, so that it is considered from then on.

Thew new option for this is called NoAuto. I dislike negated options
like this, but this is taken from the naming in the spec, which in turn
inherited the name from the same flag for Microsoft Data Partitions. To
minimize confusion, let's stick to the name hence.
2021-06-18 14:34:01 +09:00
plattrap
e83580bfc6 Update systemd-resolved.service.8 help
Text currently refers to `/etc/nsswitch.conf` where it should refer to `/etc/resolv.conf`.
This is in the context of defining a nameserver IP and search domains.
2021-06-18 13:43:13 +09:00
Yu Watanabe
f4c48492fe man: fix RFC number and its title 2021-06-16 10:32:28 +09:00
Lennart Poettering
ad64e3e8d6
Merge pull request #19942 from wat-ze-hex/socket-bind-ip-proto-2021-06-10
dbus: extend SocktBind{Allow|Deny}= with ip proto
2021-06-16 00:24:54 +02:00
Julia Kartseva
a5f19be8b1 dbus: update SocketBind{Allow|Deny}= doc 2021-06-15 13:51:33 -07:00
Zbigniew Jędrzejewski-Szmek
7c7683f36c sd-id128: add SD_ID128_MAKE_UUID_STR
It's like SD_ID128_MAKE_STR, but with hyphens.
2021-06-15 22:01:39 +02:00
Lennart Poettering
39d02a175f sd-id128: document everywhere that we treat all UUIDs as Variant 1
So in theory UUID Variant 2 (i.e. microsoft GUIDs) are supposed to be
displayed in native endian. That is of course a bad idea, and Linux
userspace generally didn't implement that, i.e. uuidd and similar.
Hence, let's not bother either, but let's document that we treat
everything the same as Variant 1, even if it declares something else.
2021-06-15 20:58:56 +02:00
Matt Johnston
e65357b658 man: fix sd_bus_add_node_enumerator() ret_nodes
ret_nodes is NULL terminated, the return value isn't a count.
2021-06-15 11:29:44 +01:00
Yu Watanabe
21d03e6c63 man: add an example to configure default route on device with table
Prompted by #19911.
2021-06-15 11:29:20 +01:00
Yu Watanabe
a3f5f4a5c0 fix typo 2021-06-15 14:19:30 +09:00
Topi Miettinen
1753d30215 Revert "Mount all fs nosuid when NoNewPrivileges=yes"
This reverts commit d8e3c31bd8.

A poorly documented fact is that SELinux unfortunately uses nosuid mount flag
to specify that also a fundamental feature of SELinux, domain transitions, must
not be allowed either. While this could be mitigated case by case by changing
the SELinux policy to use `nosuid_transition`, such mitigations would probably
have to be added everywhere if systemd used automatic nosuid mount flags when
`NoNewPrivileges=yes` would be implied. This isn't very desirable from SELinux
policy point of view since also untrusted mounts in service's mount namespaces
could start triggering domain transitions.

Alternatively there could be directives to override this behavior globally or
for each service (for example, new directives `SUIDPaths=`/`NoSUIDPaths=` or
more generic mount flag applicators), but since there's little value of the
commit by itself (setting NNP already disables most setuid functionality), it's
simpler to revert the commit. Such new directives could be used to implement
the original goal.
2021-06-15 00:33:22 +09:00
Jayanth Ananthapadmanaban
279082ed49 Add a network timeout option to journal-upload 2021-06-14 11:16:38 +02:00
Zbigniew Jędrzejewski-Szmek
dbb3b26f1b man: clarify that global search domains apply to global servers, not all interfaces
Fixes #19257.
2021-06-11 10:32:42 +01:00
Anita Zhang
c48bc311a5 man: add note about operation without swap in systemd-oomd 2021-06-10 07:24:18 +02:00
Zbigniew Jędrzejewski-Szmek
998571a7f4
Merge pull request #19871 from yuwata/man-network-missing-settings
man: add missing settings
2021-06-09 22:15:38 +02:00
Yu Watanabe
c3006a485c man: add missing settings
Fixes #19869.
2021-06-10 04:47:13 +09:00
Yu Watanabe
85bc4c080d man: merge several settings about netdev 2021-06-10 04:46:40 +09:00
Peter Morrow
dbb8b5bcf7 man: fix missing markdown & minor errors
In #19771 there were a few missing markdown tags a few style issue.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2021-06-09 19:18:11 +01:00
Yu Watanabe
9e1432d5cc network: introduce IPv6StableSecretAddress= setting
Previously, IPv6LinkLocalAddressGenerationMode= is not set, then we
define the address generation mode based on the result of reading
stable_secret sysctl value. This makes the mode is determined by whether
a secret address is specified in the new setting.

Closes #19622.
2021-06-09 04:56:48 +09:00
Srinidhi Kaushik
7f7a50dd15 tmpfiles: extend "Age" to accept an "age-by" argument
For "systemd-tmpfiles --cleanup", when the "Age" parameter
is specified, the criteria for deletion is determined from
the path's last modification timestamp ("mtime"), its last
access timestamp ("atime") and its last status change
timestamp ("ctime").

For instance, if one of those paths to be cleaned up are
opened, it results in the modification of "atime", which
results file system entry to not be removed because the
default aging algorithm would skip the entry.

Add an optional "age-by" argument by extending the "Age"
parameter to restrict the clean-up for a particular type
of file timestamp, which can be specified in "tmpfiles.d"
as follows:

  [age-by:]cleanup-age, where age-by is "[abcmACBM]+"

For example:

  d /foo/bar - - - abM:1m -

Would clean-up any files that were not accessed and created,
or directories that were not modified less than a minute ago
in "/foo/bar".

Fixes: #17002
2021-06-08 18:24:58 +02:00
Lennart Poettering
66973219c0
Merge pull request #19166 from bluca/coredump_compress_on_the_fly
coredump: compress on the fly
2021-06-08 18:24:34 +02:00
Yu Watanabe
c50404aecc udev: make WakeOnLan= take multiple features
WAKE_XXX are flag, not enum.
2021-06-08 18:24:11 +02:00
Allen Webb
c46c323385 tmpfiles: add '=' action modifier.
Add the '=' action modifier that instructs tmpfiles.d to check the file
type of a path and remove objects that do not match before trying to
open or create the path.

BUG=chromium:1186405
TEST=./test/test-systemd-tmpfiles.py "$(which systemd-tmpfiles)"

Change-Id: If807dc0db427393e9e0047aba640d0d114897c26
2021-06-08 17:23:26 +02:00
Peter Morrow
90a404f5d4 man: add details on overriding top level drop-ins
When using top level drop-ins it isn't immediately obvious that one can
make use of symlinking to disable a top-level drop in for a specific
unit.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2021-06-08 17:03:03 +02:00
Luca Boccassi
587f2a5e56 coredump: check cgroups memory limit if storing on tmpfs
When /var/lib/systemd/coredump/ is backed by a tmpfs, all disk usage
will be accounted under the systemd-coredump process cgroup memory
limit.
If MemoryMax is set, this might cause systemd-coredump to be terminated
by the kernel oom handler when writing large uncompressed core files,
even if the compressed core would fit within the limits.

Detect if a tmpfs is used, and if so check MemoryMax from the process
and slice cgroups, and do not write uncompressed core files that are
greater than half the available memory. If the limit is breached,
stop writing and compress the written chunk immediately, then delete
the uncompressed chunk to free more memory, and resume compressing
directly from STDIN.

Example debug log when this situation happens:

systemd-coredump[737455]: Setting max_size to limit writes to 51344896 bytes.
systemd-coredump[737455]: ZSTD compression finished (51344896 -> 3260 bytes, 0.0%)
systemd-coredump[737455]: ZSTD compression finished (1022786048 -> 47245 bytes, 0.0%)
systemd-coredump[737455]: Process 737445 (a.out) of user 1000 dumped core.
2021-06-08 14:05:56 +01:00
Luca Boccassi
93ff34e44a core: add MemoryAvailable unit property
Try to infer the unused memory that a unit can claim before the
memory.max limit is reached, including any limit set on any parent
slice above the unit itself.
2021-06-08 14:05:56 +01:00
Zbigniew Jędrzejewski-Szmek
f75420a43a man: explain ConditionNeedsUpdate a bit more
We were effectively doing all post-upgrade scripts twice in Fedora. We got this
wrong, so it's likely other people will get it wrong too. So let's explain
what is actually needed to make this work, but also when it's not useful.
2021-06-08 10:47:11 +02:00
alexlzhu
9f40351f77
man: update docs on systemd-system.conf logging (LogTime=) (#19846)
Updating documentation for systemd to reflect that logging is done in the console.
2021-06-08 15:54:07 +09:00
Yu Watanabe
165d7c5c42 network: introduce UplinkInterface= setting for DHCP server 2021-06-08 06:33:27 +09:00
Lennart Poettering
d27e6aee50 udevadm: fix --tag-match help + description 2021-06-08 01:47:01 +09:00
Sebastian Blunt
2cbca51a71 Rename crypttab opt silent to password-echo
Use the option name 'password-echo' instead of the generic term
'silent'.

Make the option take an argument for better control over echoing
behavior.

Related discussion in https://github.com/systemd/systemd/pull/19619
2021-06-07 10:35:28 +02:00
adrian5
d0fd114929 man: fix typo 2021-06-03 22:10:36 +02:00
Lennart Poettering
49365d1c6d ask-password: make password echo fully configurable
This adds --visible=yes|no|asterisk which allow controlling the echo of
the password prompt in detail. The existing --echo switch is then made
an alias for --visible=yes (and a shortcut -e added for it too).
2021-06-03 11:16:48 +02:00
Lennart Poettering
17e7561a97 homectl: store FIDO2 up/uv/clientPin fields in user records too
This catches up homed's FIDO2 support with cryptsetup's: we'll now store
the uv/up/clientPin configuration at enrollment in the user record JSON
data, and use it when authenticating with it.

This also adds explicit "uv" support: we'll only allow it to happen when
the client explicity said it's OK. This is then used by clients to print
a nice message suggesting "uv" has to take place before retrying
allowing it this time. This is modelled after the existing handling for
"up".
2021-06-01 13:31:53 +02:00
Lennart Poettering
7dba77a67e
Merge pull request #17096 from eworm-de/ask-password
ask-password: allow to control emoji
2021-06-01 11:44:00 +02:00
Luca Boccassi
6c498f6d89
Merge pull request #19765 from keszybz/early-boot-logging-improvements
Early boot logging improvements
2021-05-31 22:59:51 +01:00
Christian Hesse
e390c34d00 ask-password: allow to control lock and key emoji
Giving --echo to systemd-ask-password allows to echo the user input.
There's nothing secret, so do not show a lock and key emoji by default.

The behavior can be controlled with --emoji=yes|no|auto. The default is
auto, which defaults to yes, unless --echo is given.
2021-05-31 21:13:31 +02:00
Zbigniew Jędrzejewski-Szmek
af88c399c0 tty-ask-password-agent: mention optional argument in help
0cf8469387 added --console.
6af621248f added an optional argument, but didn't
update the help texts.

Note that there is no ambiguity with the optional argument because no positional
arguments are allowed.
2021-05-31 19:22:51 +02:00
Sebastian Blunt
4858bc0d84 Respect option 'silent' on cryptsetup FIDO2 pin entry
Makes the silent flags behavior consistent between regular password
entry and FIDO2 pin entry.
2021-05-31 17:57:44 +02:00
Lennart Poettering
72c1542267 man: document that FIDO2 uv/up/clientPin feature support is now handled gracefully 2021-05-28 16:45:12 +02:00
Yu Watanabe
48008c1cbf tree-wide: fix typo 2021-05-28 19:52:12 +09:00
borna-blazevic
c517a49bf7 network: dhcp-server: introduce [DHCPServerStaticLease] section 2021-05-27 15:51:26 +09:00
Yu Watanabe
e954939b9e
Merge pull request #19736 from poettering/udev-trigger-uuid
sd-device: add support for triggering devices with UUID support
2021-05-27 13:05:00 +09:00
Christian Hesse
9fff026d60 man: fix tag type
This is an option, not a command.
2021-05-27 12:50:57 +09:00
Lennart Poettering
730b9c1e14 udevadm: make use of the new uuid-enabled triggering for "udevadm trigger"
This adds two things:

- A new switch --uuid is added to "udevadm trigger". If specified a
  random UUID is associated with the synthettic uevent and it is printed
  to stdout. It may then be used manually to match up uevents as they
  propagate through the system.

- The UUID logic is now implicitly enabled if "udevadm trigger --settle"
  is used, in order to wait for precisely the uevents we actually
  trigger. Fallback support is kept for pre-4.13 kernels (where the
  requests for trigger uevents with uuids results in EINVAL).
2021-05-26 21:44:36 +02:00
Lennart Poettering
6f75309295 man: document that it is guaranteed that generated ID128 are never all-zero or all-one
This is the case because the ID128 we generate are all marked as v4 UUID
which requires that some bits are zero and others are one. Let's
document this so that people can rely on SD_ID128_NULL being a special
value for "uninitialized" that is always distinguishable from generated
UUIDs.
2021-05-26 21:44:15 +02:00
Lennart Poettering
83aab043d3
Merge pull request #19737 from poettering/default-specifiers-env
pid1: add specifier expansion for DefaultEnvironment=
2021-05-26 21:38:38 +02:00
Topi Miettinen
d8e3c31bd8 Mount all fs nosuid when NoNewPrivileges=yes
When `NoNewPrivileges=yes`, the service shouldn't have a need for any
setuid/setgid programs, so in case there will be a new mount namespace anyway,
mount the file systems with MS_NOSUID.
2021-05-26 17:42:39 +02:00
Lennart Poettering
aa6dc3ec33 man: fix list of escaped characters in unit names
The code works differently than the docs, and the code is right here.
Fix the doc hence.

See VALID_CHARS in unit-name.c for details about allowed chars in unit
names, but keep in mind that "-" and "\" are special, since generated by
the escaping logic: they are OK to show up in unit names, but need to be
escaped when converting foreign strings to unit names to make sure
things remain reversible.

Fixes: #19623
2021-05-26 17:27:24 +02:00
Lennart Poettering
46a9ee5d9b core: support specifier expansion in DefaultEnvironment= and ManagerEnvironment=
Strictly speaking adding this is a compatibility break, given that
previously % weren't special. But I'd argue that was simply a bug, as
for the much more prominent Environment= service setting we always
resolved specifiers, and DEfaultEnvironment= is explicitly listed as
being the default for that. Hence, let's fix that.

Replaces: #16787
2021-05-26 17:20:36 +02:00
Lennart Poettering
b3e22322b6 repart: resolve $TMP specifiers too
This might be useful for CopyFiles=, to reference some subdir of $TMP in
a generic way. This allows us to use the new common
system_and_tmp_specifier_table[].
2021-05-26 17:20:36 +02:00
Lennart Poettering
205013c800 man: document udevadm info output prefixes
Fixes: #19663
2021-05-26 12:46:51 +01:00
Lennart Poettering
74c88a2520 man: try to clarify that nss-mymachines does not provide name resolution outside its own scope
Fixes: #18229
2021-05-26 12:45:20 +01:00
Lennart Poettering
7dbc38db50 man: explicit say for priority/weight values whether more is more or less
Fixes: #17523
2021-05-26 12:42:13 +01:00
Yu Watanabe
b69855e645
Merge pull request #19727 from poettering/pcr-comma
Allow PCRs to be separated by "+" instead of ","
2021-05-26 10:37:24 +09:00
Luca Boccassi
93f235e8d8
Merge pull request #19722 from poettering/empty-string-loginctl-man
document that "loginctl kill-session" takes an empty string + add the same for per-user stuff
2021-05-25 23:23:42 +01:00
Lennart Poettering
a1788a69b2 tpm2: support "+" as separator for TPM PCR lists
Previously, we supported only "," as separator. This adds support for
"+" and makes it the documented choice.

This is to make specifying PCRs in crypttab easier, since commas are
already used there for separating volume options, and needless escaping
sucks.

"," continues to be supported, but in order to keep things minimal not
documented.

Fixe: #19205
2021-05-25 23:28:54 +02:00
Lennart Poettering
9f48b4e40e man: documet that loginctl {terminate|kill}-{session|user} take the empty string, optionally
Fixes: #19711
2021-05-25 17:42:34 +02:00
Lennart Poettering
0bc488c99a core: implement Uphold= dependency type
This is like a really strong version of Wants=, that keeps starting the
specified unit if it is ever found inactive.

This is an alternative to Restart= inside a unit, acknowledging the fact
that whether to keep restarting the unit is sometimes not a property of
the unit itself but the state of the system.

This implements a part of what #4263 requests. i.e. there's no
distinction between "always" and "opportunistic". We just dumbly
implement "always" and become active whenever we see no job queued for
an inactive unit that is supposed to be upheld.
2021-05-25 16:03:03 +02:00
Lennart Poettering
294446dcb9 core: add new OnSuccess= dependency type
This is similar to OnFailure= but is activated whenever a unit returns
into inactive state successfully.

I was always afraid of adding this, since it effectively allows building
loops and makes our engine Turing complete, but it pretty much already
was it was just hidden.

Given that we have per-unit ratelimits as well as an event loop global
ratelimit I feel safe to add this finally, given it actually is useful.

Fixes: #13386
2021-05-25 16:03:03 +02:00
Lennart Poettering
ffec78c05b core: add new PropagateStopTo= dependency (and inverse)
This takes inspiration from PropagatesReloadTo=, but propagates
stop jobs instead of restart jobs.

This is defined based on exactly two atoms: UNIT_ATOM_PROPAGATE_STOP +
UNIT_ATOM_RETROACTIVE_STOP_ON_STOP. The former ensures that when the
unit the dependency is originating from is stopped based on user
request, we'll propagate the stop job to the target unit, too. In
addition, when the originating unit suddenly stops from external causes
the stopping is propagated too. Note that this does *not* include the
UNIT_ATOM_CANNOT_BE_ACTIVE_WITHOUT atom (which is used by BoundBy=),
i.e. this dependency is purely about propagating "edges" and not
"levels", i.e. it's about propagating specific events, instead of
continious states.

This is supposed to be useful for dependencies between .mount units and
their backing .device units. So far we either placed a BindsTo= or
Requires= dependency between them. The former gave a very clear binding
of the to units together, however was problematic if users establish
mounnts manually with different block device sources than our
configuration defines, as we there might come to the conclusion that the
backing device was absent and thus we need to umount again what the user
mounted. By combining Requires= with the new StopPropagatedFrom= (i.e.
the inverse PropagateStopTo=) we can get behaviour that matches BindsTo=
in every single atom but one: UNIT_ATOM_CANNOT_BE_ACTIVE_WITHOUT is
absent, and hence the level-triggered logic doesn't apply.

Replaces: #11340
2021-05-25 16:03:03 +02:00
Lennart Poettering
629b2a6f7b core: add a reverse dep for OnFailure=
Let's add an implicit reverse dep OnFailureOf=. This is exposed via the
bus to make things more debuggable: you can now ask systemd for which
units a specific unit is the failure handler.

OnFailure= was the only dependency type that had no inverse, this fixes
that.

Now that deps are a bit cheaper, it should be OK to add deps that only
serve debug purposes.
2021-05-25 16:03:03 +02:00
Lennart Poettering
d219a2b07c core: convert Slice= into a proper dependency (and add a back dependency)
The slice a unit is assigned to is currently a UnitRef reference. Let's
turn it into a proper dependency, to simplify and clean up code a bit.
Now that new dep types are cheaper, deps should generally be preferable
over everything else, if the concept applies.

This brings one major benefit: we often have to iterate through all unit
a slice contains. So far we iterated through all Before= dependencies of
the slice unit to achieve that, filtering out unrelated units, and
taking benefit of the fact that slice units are implicitly ordered
Before= the units they contain. By making Slice= a proper dependency,
and having an accompanying SliceOf= dependency type, this is much
simpler and nicer as we can directly enumerate the units a slice
contains.

The forward dependency is actually called InSlice internally, since we
already used the UNIT_SLICE name as UnitType field. However, since we
don't intend to expose the dependency to users as dep anyway (we already
have the regular Slice D-Bus property for this) this shouldn't matter.
The SliceOf= implicit dependency type (the erverse of Slice=/InSlice=)
is exported over the bus, to make things a bit nicer to debug and
discoverable.
2021-05-25 16:03:01 +02:00
Yu Watanabe
f0c09831bd network: allow to set Group=0 in [Link] section
Previously, when a link has already in a numbered group, we cannot
remove the link from the group.

This also fixes the range mentioned in the man page.
2021-05-25 07:12:05 +09:00
наб
8a2f7b7c9b
man: we is OK too -> which is OK too (#19708) 2021-05-24 18:39:38 +09:00
Yu Watanabe
75d5abd298 network: IPv6LinkLocalAddressGenerationMode=none disables IPv6LL addressing 2021-05-23 17:13:06 +09:00
Luca Boccassi
d1cb55e6e4
Merge pull request #19700 from keszybz/check-os-release-fixups
Fixups for man/check-os-release.*
2021-05-22 23:56:59 +01:00
Zbigniew Jędrzejewski-Szmek
91da09bd1a man/check-os-release.*: allow ID_LIKE to have multiple values
I missed the fact that it is documented to be a space-separated list.
2021-05-22 20:44:04 +02:00
Zbigniew Jędrzejewski-Szmek
82ca34e6e6 man/check-os-release.py: ignore comment and empty lines
Plus fix off-by-one in error printing.
2021-05-22 20:44:04 +02:00
Lennart Poettering
83a04afc06
Merge pull request #19686 from keszybz/os-release-modernization-and-examples
os-release modernization and examples
2021-05-22 14:44:50 +02:00
Zbigniew Jędrzejewski-Szmek
412339835e man/check-os-release.py: strip trailing whitespace
The shell parser would do that, so so should we.
2021-05-22 12:20:51 +02:00
Zbigniew Jędrzejewski-Szmek
c0527e1f95 man: say that initrd-release is like os-release 2021-05-22 12:20:51 +02:00
Yu Watanabe
228c3e21e9 network: nexthop: add Group= setting to configure multipath route with group nexthop 2021-05-22 04:59:40 +09:00
Zbigniew Jędrzejewski-Szmek
8fd67ab5a3 man: reword description of BUILD_ID in os-release
Our description was pretty hard to parse. Let's replace it with a description
loosely based on a fairly clear description written by a distro that actually
uses BUILD_ID:
https://developer.rigado.com/docsets/Working-with-the-Rigado-Vesta-Gateway/latest/production/versioning-images.html#the-rigos-scheme.
2021-05-21 17:06:28 +02:00
Zbigniew Jędrzejewski-Szmek
3ca606d103 man: add example os-release mangling in python
This is also not entirely obvious. I think the code I came
up with is pretty elegant ;] The final part of of the code that makes
use of the parsed data is kept very similar to the shell code on purpose,
even though it could be written a bit more idiomatically.
2021-05-21 16:33:04 +02:00
Zbigniew Jędrzejewski-Szmek
e839ebe551 man: add an example how to correctly read os-release in shell
This is not entirely obvious.

The logic of how to interpret the fields applies in any language, so drop the
pointless mention of C or shell.
2021-05-21 16:32:54 +02:00
Zbigniew Jędrzejewski-Szmek
00e3abe024 man: reorder fields in os-release
Let's order the fields from the most general to least: os name, os variant, os
version, machine-parseable version details, metadata, special settings. I added
section headers to roughly group the settings. The division is not strict,
because for example CPE_NAME also includes the version, and PRETTY_NAME may
too, but it still makes it easier to find the right name.

Also split out Examples to separate paragraphs:
almost all descriptions had "Example:" at the end, where multiple
examples were listed. Splitting this out to separate paragraphs
makes the whole thing much easier to read.

Add missing markup and punctuation while at it.

About
- If not set, defaults to <literal>NAME=Linux</literal>.
+ If not set, a default of <literal>NAME=Linux</literal> may be used.
and similar changes: in many circumstances, if this is not set, no value should
be used. The fallback mostly make sense when we need to present something to the
user. So let's reword this to not imply that the default is necessary.
2021-05-21 12:24:14 +02:00
asavah
670427a4d4 man: prevent race condition when generating systemd.directives.xml 2021-05-20 20:49:50 +01:00
Lennart Poettering
f9e60ff9ad
Merge pull request #19605 from yuwata/network-fdb-outgoing-interface
network: bridge-fdb: add support to specify outgoing interface
2021-05-20 21:33:14 +02:00
Yu Watanabe
e6655fbe40 man: mention that drop-in files are merged in alphanumeric order
This addresses the request in https://github.com/systemd/systemd/issues/19467#issuecomment-829332877.
2021-05-20 21:20:51 +02:00
Susant Sahani
af99cdf4d4 network: bridge-fdb: add support to specify outgoing interface 2021-05-20 18:23:15 +09:00
Anita Zhang
1539124b39 man: document default rlimits
Fixes #19645
2021-05-20 09:58:48 +02:00
Lennart Poettering
a06c9ac277 man: document new nspawn --bind-user= feature 2021-05-19 17:46:59 +02:00
Alvin Šipraga
7e59cfe951 man: describe overall online status in networkctl(1) 2021-05-19 10:34:06 +09:00
Alvin Šipraga
553022c4af man: clarify RequiredFamilyForOnline= behaviour for online state
With new "online state" semantics in networkd, make the description of
RequiredFamilyForOnline= a little more broad. Some rewording has been
done to make the passage easier to understand.
2021-05-19 10:34:06 +09:00
Alvin Šipraga
6c95e09388 man: clarify RequiredForOnline= behaviour for online state
With new "online state" semantics in networkd, make the description of
RequiredForOnline= a little more broad.
2021-05-19 10:34:06 +09:00
Yu Watanabe
e7901aba14
Merge pull request #19611 from yuwata/network-dhcp-server-introduce-server-address
network: dhcp-server: introduce ServerAddress= setting
2021-05-19 10:29:43 +09:00
Zbigniew Jędrzejewski-Szmek
23b8071d47 man: use readable names for entities
Let's use the same names as in the jinja2 substitutions.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
fd3a3e31b3 meson: drop "_YES_NO" variables
We can generate the right string in the template directly.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
46c4f8dc8a meson: use jinja2 also for custom-entities.ent
This doesn't matter too much, but makes things a bit more consistent.
A minor advantage is that the file is not a configuration file for meson
anymore, so:
 a) It is not built unless pulled in by another target. Since
    we don't usually build man pages by default, this saves a tiny
    amount of work.
 b) When the .in file is updated, meson does not reconfigure everything,
    but just rebuilds the dependent targets.

Now that the conversion is finished, time for benchmarking:
a full build with default settings (and -Dstandalonebinaries=true), yields

before this pull request: 1687 targets, 148.13s user 35.17s system 317% cpu 57.697 total
with the full pull request: 1714 targets, 143.07s user 27.87s system 314% cpu 54.369 total

The difference doesn't seem significant. Partial rebuilds might be faster as
mentioned before.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
195a8a9327 meson: use custom configuration_data() object for man/man and man/html helpers
I want to stop using 'substs'. But in this case, configure_file() is nicer
than custom_target(), because it causes meson to immediately generate the
helpers after configuration, so it's possible to do
'meson build && build/man/man ...', without building anything first.

We only substitute one variable here, so let's use a custom configuration_data()
object.
2021-05-19 10:24:43 +09:00
Yu Watanabe
0017ba3165 network: dhcp-server: introduce ServerAddress= setting
This may be useful when the link which DHCP server running on has
multiple static addresses.
2021-05-18 20:20:24 +09:00
Anita Zhang
c54cfef396 man: only the system manager does not pass vars in ManagerEnvironment=
User managers always pass their environment on to their children.
Make that clear in the description of ManagerEnvironment= which
states that none of those args will get passed to child processes of
service managers.
2021-05-18 12:59:10 +02:00
ei-ke
410477a78f Fixed a typo 2021-05-16 18:28:58 +02:00
Sebastian Blunt
1fa94a3124 Add crypttab option silent
Adds a crypttab option 'silent' that enables the AskPasswordFlag
ASK_PASSWORD_SILENT. This allows usage of systemd-cryptsetup to default
to silent mode, rather than requiring the user to press tab every time.
2021-05-15 16:23:56 +02:00
Zbigniew Jędrzejewski-Szmek
f1e696221f
Merge pull request #19612 from keszybz/meson-0.58-quieting
Make meson output quiet again
2021-05-15 10:49:10 +02:00
Lennart Poettering
d47f96b4ef
Merge pull request #19609 from keszybz/networkd-dhcp-man
Tweak man page ordering for DHCPv[46] options
2021-05-14 16:26:18 +02:00
Zbigniew Jędrzejewski-Szmek
0f4c4f3824 meson: call find_program() once and reuse the variable everywhere
Meson 0.58 has gotten quite bad with emitting a message every time
a quoted command is used:
Program /home/zbyszek/src/systemd-work/tools/meson-make-symlink.sh found: YES (/home/zbyszek/src/systemd-work/tools/meson-make-symlink.sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program xsltproc found: YES (/usr/bin/xsltproc)
Configuring custom-entities.ent using configuration
Message: Skipping bootctl.1 because ENABLE_EFI is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Message: Skipping journal-remote.conf.5 because HAVE_MICROHTTPD is false
Message: Skipping journal-upload.conf.5 because HAVE_MICROHTTPD is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Message: Skipping loader.conf.5 because ENABLE_EFI is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
...

Let's suffer one message only for each command. Hopefully we can silence
even this when https://github.com/mesonbuild/meson/issues/8642 is
resolved.
2021-05-14 14:21:27 +02:00
Zbigniew Jędrzejewski-Szmek
6c55cefe2f man: reword descriptions of two DHCPv4 options 2021-05-14 11:48:33 +02:00
Zbigniew Jędrzejewski-Szmek
c3696a9111 man: reorder items in [DHCPv4] and [DHCPv6] sections
The settings were listen in a completely random order, also different
between the v4 and v6 sections. Order by "options sent", "options received",
"communication settings" in both sections.

Also minor formatting changes are done, e.g. "=" is added in various places.
2021-05-14 11:48:33 +02:00
Yu Watanabe
bfc2b05e59 networkctl: introduce --json option for "status" and "list" commands
When `--json` option is specified, "status" and "list" commands gives
the same information, as originally "list" just gives partial
information of "status" in different format.
2021-05-14 09:18:29 +09:00
Zbigniew Jędrzejewski-Szmek
c799d93cfa
Merge pull request #19567 from poettering/ipv4-ipv6-lowercase
various follow-ups to socket-bind logic
2021-05-12 12:21:58 +02:00
Lennart Poettering
971c07fc68 pam: fix typo try_authtok → use_authtok
This was a copy/paste mistae apparently, there's not "try_authtok" and
this was supposed to copy what Fedora uses, which uses "use_authtok"
correctly. Hence adjust this.

Fixes: #19369
2021-05-12 12:14:17 +02:00
Lennart Poettering
f80a206aa4 socket-bind: use lowercase "ipv4"/"ipv6" spelling
In most of our codebase when we referenced "ipv4" and "ipv6" on the
right-hand-side of an assignment, we lowercases it (on the
left-hand-side we used CamelCase, and thus "IPv4" and "IPv6"). In
particular all across the networkd codebase the various "per-protocol
booleans" use the lower-case spelling. Hence, let's use lower-case for
SocketBindAllow=/SocketBindDeny= too, just make sure things feel like
they belong together better.

(This work is not included in any released version, hence let's fix this
now, before any fixes in this area would be API breakage)

Follow-up for #17655
2021-05-11 15:37:31 +02:00
Lennart Poettering
7eea910d24 bootctl: extend --make-machine-id-directory= documentation a bit
The directory might not be created in the ESP but in the extended boot
loader partition, hence don#t claim otherwise.

Also, give a brief reason why the concept exists at all.

Link up machine-id man page.

Follow-up for: 6a3fff75ba
2021-05-11 14:32:42 +09:00
Lennart Poettering
9854ac4af4 man: remove some trailing whitespace 2021-05-10 23:10:44 +02:00
Lennart Poettering
c96a301213 man: document new userdbctl features 2021-05-10 18:02:50 +02:00
Lennart Poettering
62a90b48d0 man: document new userdbd features 2021-05-10 14:59:05 +02:00
Lennart Poettering
71b5738030 man: update nss-systemd documentation with new features 2021-05-10 14:58:44 +02:00
Zbigniew Jędrzejewski-Szmek
8808d3289e
Merge pull request #19556 from lucasrangit/network-wifi-interface-type-typos
network: update documentation and examples to use correct interface type and lookup command
2021-05-10 13:55:07 +02:00
Lucas Magasweran
2480ca95ba man: network: use networkctl list instead of status to list network interface type
To determine the network interface type for use in the `Type=` directive, it is more concise to use the `list` command. Whereas, the `status` command requires an interface parameter.

For example, on a RaspberryPi 4 the following shows that the `wlan0` interface type `wlan` is more coveniently listed by the `list` command.

```
root@raspberrypi4-64:~# networkctl list
IDX LINK  TYPE     OPERATIONAL SETUP
  1 lo    loopback carrier     unmanaged
  2 eth0  ether    routable    configured
  3 wlan0 wlan     off         unmanaged

3 links listed.
```

Whereas the `networkctl status` command doesn't include this information.

```
root@raspberrypi4-64:~# networkctl status
●   State: routable
  Address: 192.168.1.141 on eth0
           fd8b:8779:b7a4::f43 on eth0
           fd8b:8779:b7a4:0:dea6:32ff:febe:d1ce on eth0
           fe80::dea6:32ff:febe:d1ce on eth0
  Gateway: 192.168.1.1 (CZ.NIC, z.s.p.o.) on eth0
      DNS: 192.168.1.1

May 07 14:17:18 raspberrypi4-64 systemd-networkd[212]: eth0: Gained carrier
May 07 14:17:19 raspberrypi4-64 systemd-networkd[212]: eth0: Gained IPv6LL
May 07 14:17:19 raspberrypi4-64 systemd-networkd[212]: eth0: DHCPv6 address fd8b:8779:b7a4::f43/128 timeout preferred -1 valid -1
May 07 14:17:21 raspberrypi4-64 systemd-networkd[212]: eth0: DHCPv4 address 192.168.1.141/24 via 192.168.1.1
```

To get the interface type using the `status` command you need to specify an additional argument.

```
root@raspberrypi4-64:~# networkctl status wlan0
● 3: wlan0
                     Link File: /lib/systemd/network/99-default.link
                  Network File: n/a
                          Type: wlan
                         State: off (unmanaged)
                          Path: platform-fe300000.mmcnr
                        Driver: brcmfmac
                    HW Address: dc:a6:32:be:d1:cf (Raspberry Pi Trading Ltd)
                           MTU: 1500 (min: 68, max: 1500)
                         QDisc: noop
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 1/1
```
2021-05-10 13:40:33 +02:00
Samuel BF
c362a432af Wider range of options for selecting entries for systemd-journal-gatewayd
Introducing --user, --system, --merge and --file flags, like for journalctl
and systemd-journal-upload.
2021-05-10 12:20:27 +02:00
Lennart Poettering
2baec39665
Merge pull request #19545 from poettering/nss-systemd-shadow
nss-systemd: also expose shadow/gshadow entries from userdb records
2021-05-10 09:46:49 +02:00
Luca Boccassi
63225fe159
Merge pull request #19298 from bluca/cryptsetup_nopass
cryptsetup: add 'headless' parameter to skip password/pin query, allow pin-less enroll on FIDO2, support user presence/verification flags
2021-05-09 13:49:55 +01:00
Lennart Poettering
f43a19ecd6 nss-systemd: synthesize NSS shadow/gshadow records from userdb, as well
This ensures we not only synthesize regular paswd/group records of
userdb records, but shadow records as well. This should make sure that
userdb can be used as comprehensive superset of the classic
passwd/group/shadow/gshadow functionality.
2021-05-08 14:35:28 +02:00
Yegor Alexeyev
11c38d3e51 rfc3046 implementation 2021-05-08 15:59:29 +09:00
Lennart Poettering
22326f15a6 man: document new nspawn ID mapping mounts features 2021-05-07 22:44:17 +02:00
Luca Boccassi
896cc0da98 FIDO2: ask and record whether user verification was used to lock the volume
Some tokens support authorization via fingerprint or other biometric
ID. Add support for "user verification" to cryptenroll and cryptsetup.
Disable by default, as it is still quite uncommon.
2021-05-07 21:36:27 +01:00
Luca Boccassi
06f087192d FIDO2: ask and record whether user presence was used to lock the volume
In some cases user presence might not be required to get _a_
secret out of a FIDO2 device, but it might be required to
the get actual secret that was used to lock the volume.
Record whether we used it in the LUKS header JSON metadata.
Let the cryptenroll user ask for the feature, but bail out if it is
required by the token and the user disabled it.
Enabled by default.
2021-05-07 21:36:27 +01:00
Luca Boccassi
cde2f8605e FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246

Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
2021-05-07 21:36:27 +01:00
Luca Boccassi
cd5f57bda7 cryptsetup: add 'headless' parameter to skip password/pin query
On headless setups, in case other methods fail, asking for a password/pin
is not useful as there are no users on the terminal, and generates
unwanted noise. Add a parameter to /etc/crypttab to skip it.
2021-05-07 21:36:27 +01:00
Lennart Poettering
37ef2fc9f7
Merge pull request #18863 from keszybz/cmdline-escaping
Escape command lines properly
2021-05-07 17:29:39 +02:00
Zbigniew Jędrzejewski-Szmek
d0f14a6cf4
Merge pull request #19134 from poettering/outbound-special-hostname
introduce a new synthetic hostname "_outbound" that maps to "the" local IP address
2021-05-07 17:15:22 +02:00
Zbigniew Jędrzejewski-Szmek
ac2c088939
Merge pull request #19391 from poettering/dissect-grow
optionally, grow file systems to partition size when mounting them via GPT auto-discovery
2021-05-07 15:04:55 +02:00
наб
6a3fff75ba
bootctl: take --make-machine-id-directory=yes|no|auto and make/remove \$MACHINE_ID accordingly
auto resolves to yes if /etc/machine-id resides on non-tmpfs

This effectively reverts commit 31e57550b5
2021-05-05 14:35:00 +02:00
Zbigniew Jędrzejewski-Szmek
5dd55303f4 coredump: use "POSIX quotes" for cmdline
$ coredumpctl info |grep Command
  Command Line: bash -c kill -SEGV $$      (before)
  Command Line: bash -c "kill -SEGV \$\$"  (road not taken, C quotes)
  Command Line: bash -c $'kill -SEGV $$'   (now, POSIX quotes)

Before we wouldn't use any quoting, making it impossible to figure how the
command line was split into arguments. We could use "normal" quotes, but this
has the disadvantage that the commandline *looks* like it could be pasted into
the terminal and executed, but this is not true: various non-printable
characters cannot be expressed in this quoting style. (This is not visible in
this example). Thus, "POSIX quotes" are used, which should allow any command
line to be expressed acurrately and pasted directly into a shell prompt to
reexecute.

I wonder if we should another field in the coredump entry that simply shows the
original cmdline with embedded NULs, in the original /proc/*/cmdline
format. This would allow clients to format the data as they see fit. But I
think we'd want to keep the serialized form anyway, for backwards compatibility.
2021-05-05 13:59:23 +02:00
Zbigniew Jędrzejewski-Szmek
4e3fbc133e man: add an example of coredumpctl output
People like examples. Also shows off the new quoted command line.
2021-05-05 13:59:23 +02:00
Jakub Warczarek
572c55ee3c hostnamectl: deprecate set-* methods and expose getters by only using nouns in commands 2021-05-03 20:19:19 +02:00
Ryan Hendrickson
c2503e359a core: apply LogLevelMax to messages about units
This commit applies the filtering imposed by LogLevelMax on a unit's
processes to messages logged by PID1 about the unit as well.

The target use case for this feature is a service that runs on a timer
many times an hour, where the system administrator decides that writing
a generic success message to the journal every few minutes or seconds
adds no diagnostic value and isn't worth the clutter or disk I/O.
2021-05-03 17:48:41 +02:00
Lennart Poettering
16ecdf3c80
Merge pull request #19403 from nmeyerhans/dmi-entries
virt: differentiate Amazon EC2 bare-metal from VM instances using SMBIOS data
2021-05-03 17:48:13 +02:00
Luca Adrian L
19d25fdec1
Document the need to do journalctl --flush for persistent logging (#19481)
Document the need to do journalctl --flush for persistent logging. (fixes #19480)

Co-authored-by: Luca Lindhorst <l.lindhorst@wut.de>
2021-05-03 17:08:25 +02:00
Bertrand Jacquin
b6eca3731d virt: detect Amazon EC2 Nitro instance
Amazon EC2 Nitro hypervisor is technically based on KVM[1], which
systemd-detect-virt identify propely from CPUID. However the lack of
CPUID on aarch64 (A1, T4 instance type) prevents a correct
identification, impacting hostnamectl and systemd-random-seed. Instead
it's possible to identify virtualization from DMI vendor ID.

Prior to this commit:
  # hostnamectl
     Static hostname: n/a
  Transient hostname: ip-10-97-8-12
           Icon name: computer
          Machine ID: 8e3772fbcfa3dd6f330a12ff5df5a63b
             Boot ID: b7b7e2fe0079448db664839df59f9817
    Operating System: Gentoo/Linux
              Kernel: Linux 5.4.69-longterm
        Architecture: arm64

After this commit:
  # hostnamectl
     Static hostname: n/a
  Transient hostname: ip-10-97-8-12
           Icon name: computer-vm
             Chassis: vm
          Machine ID: 8e3772fbcfa3dd6f330a12ff5df5a63b
             Boot ID: bd04da57084e41078f20541101867113
      Virtualization: amazon
    Operating System: Gentoo/Linux
              Kernel: Linux 5.4.69-longterm
        Architecture: arm64

[1] https://aws.amazon.com/ec2/faqs/
2021-04-30 09:31:34 -07:00
Yu Watanabe
c068a17f6a sd-bus: fix vtable named argument logic
Fixes #19468.
2021-04-30 17:06:29 +01:00
Steve Bonds
88c2c8a0ba Clarify that these values are in bytes
Similar to `ProcessSizeMax`. The defaults in percentages can be misunderstood to mean the values for these parameters will be in percentages.
2021-04-30 11:18:39 +02:00
syyhao1994
96ae72ce1a
man: importd also provides the option of import-fs for machinectl (#19477) 2021-04-30 16:55:50 +09:00
Viktor Mihajlovski
5a7eb46c02 udev: allow onboard index up to 65535
The maximum allowed value of the sysfs device index entry was limited to
16383 (2^14-1) to avoid the generation of unreasonable onboard interface
names.
For s390 the index can assume a value of up to 65535 (2^16-1) which is
now allowed depending on the new naming flag NAMING_16BIT_INDEX.
Larger index values are considered unreasonable and remain to be
ignored.
2021-04-29 21:38:21 +02:00
Lennart Poettering
97a7243650 man: document new dbus method 2021-04-29 16:39:09 +02:00
Lennart Poettering
ac8a4f6b78 hostnamectl: add --json= switch for JSON output
This wraps the new Describe() bus call of hostnamed.
2021-04-29 16:39:09 +02:00
Lennart Poettering
fd98562099
Merge pull request #19374 from yuwata/network-dhcp-routes-to-ntp
network: dhcp4: introduce RoutesToNTP= boolean setting
2021-04-28 22:47:21 +02:00
Zbigniew Jędrzejewski-Szmek
fe12f036fe mkosi,man: bump fedora version
F34 was just released and should be fine for systemd builds.

Cloud-1.2 is the latest version.
2021-04-28 11:32:48 +02:00
Uwe Kleine-König
cbcdcaaa0e Add support for conditions on the machines firmware
This allows to limit units to machines that run on a certain firmware
type. For device tree defined machines checking against the machine's
compatible is also possible.
2021-04-28 10:55:55 +02:00
Julia Kartseva
6359811021 man: add SocketBind{Allow|Deny}= documentation 2021-04-26 16:26:28 -07:00
Julia Kartseva
dcf4781caf dbus: add dbus-cgroup for SocketBind{Allow|Deny}= 2021-04-26 16:26:28 -07:00
Yu Watanabe
d7b0450639 network: dhcp4: introduce RoutesToNTP= boolean setting 2021-04-27 00:01:18 +09:00
Yu Watanabe
7057030610 network: dhcp4: enable RoutesToDNS= by default 2021-04-27 00:01:18 +09:00
Lennart Poettering
1c41c1dc34 repart: add GrowFileSystem= setting to set new GPT partition flag for newly created partitions
And set it to on by default, except if partition is marked read-only.
2021-04-23 17:56:55 +02:00
Lennart Poettering
74a54baeec dissect: enable growfs by default, but make it configurable
This adds a new --growfs=yes|no switch to systemd-dissect, defaulting to
on.
2021-04-23 17:56:34 +02:00
Lennart Poettering
2f166bb79b man: document _outbound 2021-04-23 12:02:24 +02:00
Flos Lonicerae
c44a285c41
Add D-Bus property exposing Ctrl-Alt-Delete action (#19217) 2021-04-23 09:57:14 +02:00
Lennart Poettering
60c6c2101c man: --add was renamed --copy-to when it was merged, fix man page reference to it 2021-04-21 22:24:38 +02:00
Lennart Poettering
6f4a5f25fc
Merge pull request #19271 from yuwata/dhcp-duid-uuid
network: fix issues arround DHCP DUID-UUID
2021-04-21 21:59:35 +02:00
Lennart Poettering
e19479aa7d
Merge pull request #19365 from keszybz/sd_id128_equals
Add sd_id128_in_set()
2021-04-21 21:45:14 +02:00
Zbigniew Jędrzejewski-Szmek
64b21afc72 sd-id128: add convenience functions to compare multiple sd_id128_t
Similar to sd_bus_error_has_names() that was added in
2b07ec316a.

It is made inline in the hope that the compiler will be able to optimize
all the va_args boilerplate away, and do an efficient comparison when
the arguments are all constants.
2021-04-21 17:51:24 +02:00
Yu Watanabe
4e26a5baa0 network: make IAID and DUID for DHCPv6 configurable explicitly
Closes #18996.
2021-04-21 21:00:11 +09:00
Yu Watanabe
b67bbfef14
Merge pull request #19344 from yuwata/network-route-metric-19028
network: add RouteMetric= setting in [Address] and more
2021-04-21 20:51:31 +09:00
Yu Watanabe
ea846e45c1 doc: fix typo 2021-04-21 09:57:30 +02:00
Zbigniew Jędrzejewski-Szmek
78aa5b6f59 man: mention sd_id128_is_allf(), SD_ID128_ALLF
It was added in 670814387b, but not
mentioned in the man pages.
2021-04-21 08:45:05 +02:00
Zbigniew Jędrzejewski-Szmek
e0a41aa4c6 man: dedent examples in sd-id128 to 2 columns
In man pages, horizontal space it at premium, and everything should
generally be indented with 2 spaces to make it more likely that the
examples fit on a user's screen.

C.f. 798d3a524e.
2021-04-21 08:45:05 +02:00
Yu Watanabe
4c0aae015f man: update explanation about route metric 2021-04-21 13:55:02 +09:00
Yu Watanabe
0e1fb1d09a network: radv: add RouteMetric= setting in [IPv6Prefix] 2021-04-21 13:55:02 +09:00
Yu Watanabe
9fe0b7b493 network: dhcp6-pd: add RouteMetric= setting in [DHCPv6PrefixDelegation] 2021-04-21 13:55:02 +09:00
Yu Watanabe
8ebafba9f9 network: move RouteMetric= from [DHCPv6] to [IPv6AcceptRA]
As the value is used in the routes in RA.
2021-04-21 13:55:02 +09:00
Yu Watanabe
c4ff0629dd network: add RouteMetric= setting in [Address] section 2021-04-21 13:54:59 +09:00
Lennart Poettering
3464514457 man: document new initrd-usr-fs.target 2021-04-20 19:11:07 +02:00
Yegor Alexeyev
c95df5879e relay role implementation 2021-04-20 15:11:53 +02:00
Yu Watanabe
d5bfddf037 man: fix typo
Follow-up for e73309c532.
2021-04-20 11:41:05 +01:00
Lennart Poettering
fd2f6f7248
Merge pull request #19096 from poettering/repart-features
repart: four new features: CopyBlocks=auto + --image= + ReadOnly=/Flags= + MakeDirectories=
2021-04-20 10:20:22 +02:00
Lennart Poettering
e73309c532 repart: add new ReadOnly= and Flags= settings for repart dropins
Let's make the GPT partition flags configurable when creating new
partitions. This is primarily useful for the read-only flag (which we
want to set for verity enabled partitions).

This adds two settings for this: Flags= and ReadOnly=, which strictly
speaking are redundant. The main reason to have both is that usually the
ReadOnly= setting is the one wants to control, and it' more generic.
Moreover we might later on introduce inherting of flags from CopyBlocks=
partitions, where one might want to control most flags as is except for
the RO flag and similar, hence let's keep them separate.
2021-04-19 23:16:02 +02:00
Lennart Poettering
5c08da586f repart: add CopyBlocks=auto support
When using systemd-repart as an installer that replicates the install
medium on another medium it is useful to reference the root
partition/usr partition or verity data that is currently booted, in
particular in A/B scenarios where we have two copies and want to
reference the one we currently use. Let's add a CopyBlocks=auto for this
case: for a partition that uses that we'll copy a suitable partition
from the host.

CopyBlocks=auto finds the partition to copy like this: based on the
configured partition type uuid we determine the usual mount point (i.e.
for the /usr partition type we determine /usr/, and so on). We then
figure out the block device behind that path, through dm-verity and
dm-crypt if necessary. Finally, we compare the partition type uuid of
the partition found that way with the one we are supposed to fill and
only use it if it matches (the latter is primarily important on
dm-verity setups where a volume is likely backed by two partitions and
we need to find the right one).

This is particularly fun to use in conjunction with --image= (where
we'll restrict the device search onto the specify device, for security
reasons), as this allows "duplicating" an image like this:

    # systemd-repart --image=source.raw --empty=create --size=auto target.raw

If the right repart data is embedded into "source.raw" this will be able
to create and initialize a partition table on target.raw that carrries
all needed partitions, and will stream the source's file systems onto it
as configured.
2021-04-19 23:16:02 +02:00
Lennart Poettering
d83d804863 repart: add high-level setting for creating dirs in formatted file systems
So far we already had the CopyFiles= option in systemd-repart drop-in
files, as a mechanism for populating freshly formatted file systems with
files and directories. This adds MakeDirectories= in similar style, and
creates simple directories as listed. The option is of course entirely
redundant, since the same can be done with CopyFiles= simply by copying
in a directory. It's kinda nice to encode the dirs to create directly in
the drop-in files however, instead of providing a directory subtree to
copy in somehere, to make the files more self-contained — since often
just creating dirs is entirely sufficient.

The main usecase for this are GPT OS images that carry only a /usr/
tree, and for which a root file system is only formatted on first boot
via repart.  Without any additional CopyFiles=/MakeDirectories=
configuration these root file systems are entirely empty of course
initially. To mount in the /usr/ tree, a directory inode for /usr/ to
mount over needs to be created.  systemd-nspawn will do so automatically
when booting up the image, as will the initrd during boot. However, this
requires the image to be writable – which is OK for npawn and
initrd-based boots, but there are plenty tools where read-only operation
is desirable after repart ran, before the image was booted for the first
time. Specifically, "systemd-dissect" opens the image in read-only to
inspect its contents, and this will only work of /usr/ can be properly
mounted. Moreover systemd-dissect --mount --read-only won't succeed
either if the fs is read-only.

Via MakeDirectories= we now provide a way that ensures that the image
can be mounted/inspected in a fully read-only way immediately after
systemd-repart completed. Specifically, let's consider a GPT disk image
shipping with a file usr/lib/repart.d/50-root.conf:

       [Partition]
       Type=root
       Format=btrfs
       MakeDirectories=/usr
       MakeDirectories=/efi

With this in place systemd-repart will create a root partition when run,
and add /usr and /efi into it as directory inods. This ensures that the
whole image can then be mounted truly read-only anf /usr and /efi can be
overmounted by the /usr partition and the ESP.
2021-04-19 23:16:02 +02:00
Lennart Poettering
252d626711 repart: add --image= switch
This is similar to the --image= switch in the other tools, like
systemd-sysusers or systemd-tmpfiles, i.e. it apply the configuration
from the image to the image.

This is particularly useful for downloading minimized GPT image, and
then extending it to the desired size via:

   # systemd-repart --image=foo.image --size=5G
2021-04-19 23:16:02 +02:00
Jason Francis
941c5275ea
sd-login: fix wrong constructor used in sd_login_monitor manpage example 2021-04-19 12:20:29 -04:00
Yu Watanabe
4e6c50a5d4 core: add RestrictAddressFamilies=none to deny all address families
Closes #15753.
2021-04-19 11:47:08 +01:00
Zbigniew Jędrzejewski-Szmek
b7c3447a2f
Merge pull request #19310 from yuwata/network-dhcp-anonymize
network: dhcp4: several fixes and cleanups for Anonymize=
2021-04-16 11:12:22 +02:00
Anita Zhang
169be51f94 man: correct requirements for systemd-oomd.service
Fixes: #19331
2021-04-16 09:50:44 +01:00
Yu Watanabe
a2b1572ce4
Merge pull request #19287 from yuwata/network-manage-foreign-routing-policy-rule-19106
network: add ManageForeignRoutingPolicyRules= boolean setting
2021-04-14 19:01:41 +09:00
Yu Watanabe
86d58c8625 man: update explanation for Anonymize= 2021-04-14 14:15:15 +09:00
LetzteInstanz
6dc4531d16 wait-online: wait for address family
This introduce -4 and -6 commandline options.
2021-04-14 09:00:08 +09:00
LetzteInstanz
8430841b5e network: save IPv4/IPv6 address states into state file
This also introduces RequiredFamilyForOnline= setting to .network file,
and IPv4AddressState/IPv6AddressState DBus properties.
2021-04-14 08:51:02 +09:00
Yegor Alexeyev
21b6b87eb3 dhcp: Implemented BindToInterface= configuration option 2021-04-14 07:30:40 +09:00
Yu Watanabe
f1a5c566c1 man: fix typo 2021-04-13 12:52:56 +09:00
Yu Watanabe
3fe23a96d6 man: update description for ManageForeignRoutes= 2021-04-13 12:23:59 +09:00
Yu Watanabe
d94dfe7053 network: introduce ManageForeignRoutingPolicyRules= boolean setting in networkd.conf
The commit 0b81225e57 makes that networkd
remove all foreign rules except those with "proto kernel".

But, in some situation, people may want to manage routing policy rules
with other tools, e.g. 'ip' command. To support such the situation,
this introduce ManageForeignRoutingPolicyRules= boolean setting.

Closes #19106.
2021-04-13 12:22:42 +09:00
Zbigniew Jędrzejewski-Szmek
7c5fd25119 meson: do not fail if rsync is not installed with meson 0.57.2
https://github.com/mesonbuild/meson/issues/8641

Our CI started to fail. Even if the change is reverted in meson,
we need a quick workaround here.
2021-04-12 21:28:23 +01:00
Zbigniew Jędrzejewski-Szmek
839eb4a458
Merge pull request #13496 from wat-ze-hex/custom-bpf-progs-parameterized-3
bpf: extend bpf cgroup program support
2021-04-12 14:31:42 +02:00
gaoyi
45f5efdea7 man: fix discriptions for --exec-delay
There are two ambiguity in the original description:
1. It will delay all RUN instructions, include builtin.
2. It will delay before running RUN, not each of RUN{program} instructions.
2021-04-12 13:03:26 +02:00
Yu Watanabe
37b7a716d3
Merge pull request #19164 from mmatsuya/main
tmpfiles: use a entry in hashmap as ItemArray in read_config_file()
2021-04-11 16:46:25 +09:00
Julia Kartseva
9e009a145d dbus-cgroup: add BPFProgram= dbus support
- Handle BPFProgram= property in string format
"<bpf_attach_type>:<bpffs_path>", e.g. egress:/sys/fs/bpf/egress-hook.
- Add dbus getter to list foreign bpf programs attached to a cgroup.
2021-04-09 20:28:47 -07:00
Julia Kartseva
ee08909059 man: add BPFProgram= documentation 2021-04-09 20:28:47 -07:00
Zbigniew Jędrzejewski-Szmek
5c91fdf3f8 man: document system-systemd\x2dcryptsetup.slice
As discussed in
1dc85eff1d (r606821495),
follow-up for commit 1dc85eff1d.
2021-04-09 10:38:09 +02:00
Zbigniew Jędrzejewski-Szmek
708b299203
Merge pull request #19254 from poettering/native-journal-proto-doc
document native journal protocol
2021-04-09 08:13:21 +02:00
Zbigniew Jędrzejewski-Szmek
8649ec4725
Merge pull request #19248 from keszybz/make-tests-test
Make tests test
2021-04-09 07:56:04 +02:00
Lennart Poettering
8ee62e53e8 man: link up new journal protocol docs 2021-04-08 22:16:58 +02:00
Zbigniew Jędrzejewski-Szmek
b9bfa250f2 homectl,TEST-46: fix test and fix homectl return value, update docs
The usual: the test wasn't testing, so we didn't notice that the
command wasn't returning as expected.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
b88ba6c761 tmpfiles: make handling of existing-but-different targets more consistent
create_fifo() was added in a2fc2f8dd3, and
would always ignore failure. The test was trying to fail in this case, but
we actually don't fail, which seems to be correct. We didn't notice before
because the test was ineffective.

To make things consistent, generally log at warning level, but don't propagate
the error. For symlinks, log at debug level, as before.

For 'e', failure is not propagated now. The test is adjusted to match.

I think warning is appropriate in most cases: we do not expect a device node to
be replaced by a different device node or even a non-device file. This would
most likely be an error somewhere. An exception is made for symlinks, which are
mismatched on purpose, for example /etc/resolv.conf. With this patch, we don't
get any warnings with the any of the 74 tmpfiles.d files, which suggests that
increasing the warning levels will not cause too many unexpected warnings. If
it turns out that there are valid cases where people have expected mismatches
for non-symlink types, we can always decrease the log levels again.
2021-04-08 20:16:37 +02:00
Zbigniew Jędrzejewski-Szmek
3bbb76f621 sd-bus: make sd_bus_is_{ready,open} accept NULL
We didn't document this behaviour one way or another, so I think it's
OK to change. All callers do the NULL check before callling this to avoid
the assert warning, so it seems reasonable to do it internally.

sd_bus_can_send() is similar, but there we expressly say that an
error is returned on NULL, so I didn't change it.
2021-04-08 14:59:10 +02:00
Zbigniew Jędrzejewski-Szmek
3dd61ee5be man: fix quickhelp listing in tmpfiles.d(5)
Unlike many other small/big letter combos, this one has the recursive
version attached to the lowercase letter.
2021-04-08 11:01:29 +02:00
Luca Boccassi
671769c932 coredump: rename COREDUMP_PKGMETA_ fields to COREDUMP_PACKAGE_
Follow-up for c546154a44
2021-04-07 14:02:38 +01:00
Morten Linderud
29d898cc7b man/systemd-cryptenroll: Fix sd-boot manvolnum from 8 to 7
Off-by-one error in the documentation index. The volume number for
systemd-boot/sd-boot is 7.

Signed-off-by: Morten Linderud <morten@linderud.pw>
2021-04-07 13:57:33 +02:00
Luca Boccassi
c546154a44 coredump: parse and append package metadata to journal message
Append 'package' and 'packageVersion' to the journal as discrete fields
COREDUMP_PKGMETA_PACKAGE and COREDUMP_PKGMETA_PACKAGEVERSION respectively,
and the full json blurb as COREDUMP_PKGMETA_JSON.
2021-04-06 23:12:51 +01:00
Zbigniew Jędrzejewski-Szmek
9d5ae3a121
Merge pull request #19126 from anitazha/oomdimprovements
systemd-oomd post-test week improvements
2021-04-06 07:59:59 +02:00
Anita Zhang
685b0985f0 oomd: threshold swap kill candidates to usages of more than 5%
In some instances, particularly with swap on zram, swap used will be high
while there is still a lot of memory available. FB OOMD handles this by
thresholding kills to X% of total swap usage. Let's do the same thing here.

Anecdotally with these thresholds and my laptop which is exclusively swap
on zram I can sit at 0K / 4G swap free with most of memory free and
systemd-oomd doesn't kill anything.

Partially addresses aggressive kill behavior from
https://bugzilla.redhat.com/show_bug.cgi?id=1941170
2021-04-05 02:04:49 -07:00
Viktor Mihajlovski
a496a238e8 udev: fix slot based network names on s390
The s390 PCI driver assigns the hotplug slot name from the
function_id attribute of the PCI device using a 8 char hexadecimal
format to match the underlying firmware/hypervisor notation.

Further, there's always a one-to-one mapping between a PCI
function and a hotplug slot, as individual functions can
hot plugged even for multi-function devices.

As the generic matching code will always try to parse the slot
name in /sys/bus/pci/slots as a positive decimal number, either
a wrong value might be produced for ID_NET_NAME_SLOT if
the slot name consists of decimal numbers only, or none at all
if a character in the range from 'a' to 'f' is encountered.

Additionally, the generic code assumes that two interfaces
share a hotplug slot, if they differ only in the function part
of the PCI address. E.g., for an interface with the PCI address
dddd:bb:aa.f, it will match the device to the first slot with
an address dddd:bb:aa. As more than one slot may have this address
for the s390 PCI driver, the wrong slot may be selected.

To resolve this we're adding a new naming schema version with the
flag NAMING_SLOT_FUNCTION_ID, which enables the correct matching
of hotplug slots if the device has an attribute named function_id.
The ID_NET_NAME_SLOT property will only be produced if there's
a file /sys/bus/pci/slots/<slotname> where <slotname> matches
the value of /sys/bus/pci/devices/.../function_id in 8 char
hex notation.

Fixes #19016
See also #19078
2021-04-02 18:08:23 +02:00
Carlo Teubner
6d3831cee5 docs: use current spelling "macOS" not "OS X" etc. 2021-04-02 10:53:26 +01:00
Anita Zhang
a858355e4a oomd: force DefaultMemoryPressureDurationSec= to be greater than or equal 1 sec 2021-04-01 19:53:42 -07:00
Zbigniew Jędrzejewski-Szmek
af46237ea1 man: split the description of sd_bus_error_set()
It was one giant all of text in pseudo-random order. Let's split it into
paragraphs talk about one subject each.

And unfortunately, the description of what happens when the error is not
set was not correct. In general, various functions treat 0/NULL as
not-an-error, and return 0.
2021-03-31 18:24:53 +02:00
Luca Boccassi
907952bbc9 portabled: add --extension parameter for layered images support
Add an --extension parameter to portablectl, and new DBUS methods
to attach/detach/reattach/inspect.
Allows to append separate images on top of the root directory (os-release
will be searched in there) and mount the images using an overlay-like
setup (unit files will be searched in there) using the new ExtensionImages
service option.
2021-03-31 09:56:44 +01:00
Deepak Rawat
0d96caa5c0 logind: Add new flag for kexec reboot
Add new flag to allow kexec reboot if kernel is already loaded.
2021-03-31 10:48:48 +02:00
Lennart Poettering
9a515f0a55 shared: add new IMAGE_VERSION=/IMAGE_ID= field to /etc/os-release
This specifes two new optional fields for /etc/os-release:
IMAGE_VERSION= and IMAGE_ID= that are supposed to identify the image of
the current booted system by name and version.

This is inspired by the versioning stuff in
https://github.com/systemd/mkosi/pull/683.

In environments where pre-built images are installed and updated as a
whole the existing os-release version/distro identifier are not
sufficient to describe the system's version, as they describe only the
distro an image is built from, but not the image itself, even if that
image is deployed many times on many systems, and even if that image
contains more resources than just the RPMs/DEBs.

In particular, "mkosi" is a tool for building disk images based on
distro RPMs with additional resources dropped in. The combination of all
of these together with their versions should also carry an identifier
and version, and that's what IMAGE_VERSION= and IMAGE_ID= is supposed to
be.
2021-03-31 10:46:22 +02:00
Zbigniew Jędrzejewski-Szmek
a2dc3adef2
Merge pull request #18990 from yuwata/network-dhcpv6-use-domains
network: also introduce UseDomains= for [DHCPv6] section
2021-03-31 10:38:37 +02:00
Lennart Poettering
e0b4bc239f machine-id-setup: support --image= mode 2021-03-31 10:35:31 +02:00
Lennart Poettering
f9d8325e69
Merge pull request #18971 from poettering/sysusers-creds
let's read LoadCredentials=/SetCredentials= style cred in sysusers/firstboot and when asking for passwords
2021-03-31 10:35:17 +02:00
Henri Chain
cb0e818f7c Introduce ExitType 2021-03-31 10:26:07 +02:00
Lennart Poettering
8806bb4bc7 ask-password: when querying for a password, try to read from credential store first
This adds generic support for the SetCredential=/LoadCredential= logic
to our password querying infrastructure: if a password is requested by a
program that has a credential store configured via
$CREDENTIALS_DIRECTORY we'll look in it for a password.

The "systemd-ask-password" tool is updated with an option to specify the
credential to look for.
2021-03-26 12:21:56 +01:00
Lennart Poettering
f6ab6199a2 man: document in nspawn docs how to make use of the new firstboot/sysusers features 2021-03-26 12:21:37 +01:00
Lennart Poettering
416f7b3a11 firstboot: allow provisioning of firstboot params via creds too 2021-03-26 12:21:18 +01:00
Lennart Poettering
99e9f896fb sysusers: read passwords from the credentials logic
Let's make use of our own credentials infrastructure in our tools: let's
hook up systemd-sysusers with the credentials logic, so that the root
password can be provisioned this way. This is really useful when working
with stateless systems, in particular nspawn's "--volatile=yes" switch,
as this works now:

 # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password:foo

For the first time we have a nice, non-interactive way to provision the
root password for a fully stateless system from the container manager.
Yay!
2021-03-26 12:20:52 +01:00
Lennart Poettering
8a29862e32 core: allow omitting second part of LoadCredentials= argument
This allows "LoadCredentials=foo" to be used as shortcut for
"LoadCredentials=foo:foo", i.e. it's a very short way to inherit a
credential under its original name from the service manager into a
service.
2021-03-26 12:20:29 +01:00
David Tardon
f055cf7786 man: document differences in clean exit status for Type=oneshot
See commit 1f0958f640 .
2021-03-23 09:33:23 +01:00
Christian Hesse
3babb81625 man: rate limited services can be restartet from timer or socket
If rate limiting kicks in for Restart= logic it is still possible for a
timer or socket to restart the service.
2021-03-23 09:16:30 +01:00
Zbigniew Jędrzejewski-Szmek
ccd593a61c man: say that .device units need udev
This was implied by the need to tag them with "systemd", but let's make this
obvious, since it's rather easy to trip over this as a user.

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1941458.
2021-03-22 21:48:45 +01:00
igo95862
ca1eacd8e0 man: Specify that only d-bus methods can be answered async
Not properties.
2021-03-17 16:15:56 +01:00
Luca Boccassi
301e7cd047 man: specify that ProtectProc= does not work with root/cap_sys_ptrace
When using hidepid=invisible on procfs, the kernel will check if the
gid of the process trying to access /proc is the same as the gid of
the process that mounted the /proc instance, or if it has the ptrace
capability:

https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155

Given we set up the /proc instance as root for system services,
The same restriction applies to CAP_SYS_PTRACE, if a process runs with
it then hidepid=invisible has no effect.

ProtectProc effectively can only be used with User= or DynamicUser=yes,
without CAP_SYS_PTRACE.
Update the documentation to explicitly state these limitations.

Fixes #18997
2021-03-15 16:53:16 +00:00
Yu Watanabe
b63dae3168 man: DNS/NTP servers received from DHCP server are concatenated with the statically configured ones
Prompted by #9473.
2021-03-15 14:48:47 +00:00
Yu Watanabe
f225a338c3 network: also introduce UseDomains= for [DHCPv6] section
When we split [DHCP] section into [DHCPv4] and [DHCPv6], UseDomains=
setting was forgot to be introduced in [DHCPv6] section.
2021-03-14 00:28:19 +09:00
Luca Boccassi
495787b56c
Merge pull request #18978 from keszybz/man-rc.local
Suggest network-online.target for rc.local
2021-03-12 14:54:12 +00:00
Zbigniew Jędrzejewski-Szmek
eb0845dfb8 man: mention network-online.target in discussion of rc.local
Replacement for #18853.
2021-03-12 11:22:58 +01:00
Zbigniew Jędrzejewski-Szmek
ba3dc45126 man: fix html links to two external man pages 2021-03-12 10:58:16 +01:00
Zbigniew Jędrzejewski-Szmek
21bee820ab man: sd_bus_message_reply()→sd_bus_message_send()
Fixup for 6c41cf4459.
2021-03-12 10:58:16 +01:00
Zbigniew Jędrzejewski-Szmek
45b218b058 man: also refname rc-local.service to the generator man page
This makes it easier to find for users.
2021-03-12 09:04:59 +01:00
ulf-f
2d8ce4c701 Update resolvectl.xml
fixed typo of filename
2021-03-11 19:24:53 +01:00
Lennart Poettering
170c659338 man: shorten list of partition types a bit
Tables with only one column aren't really tables, they are lists. And if
each cell only consists of a single word, they are probably better
written in a single line. Hence, shorten the man page a bit, and list
boot loader spec partition types in a simple sentence.

Also, drop "root-secondary" from the list. When dissecting images we'll
upgrade "root-secondary" to "root" if we mount it, and do so only if
"root" doesn't exist. Hence never mention "root-secondary" as we never
will mount a partition under that id.
2021-03-11 12:04:13 +01:00
Yu Watanabe
266d0bb9e0 man: update document about NoNewPrivileges=
Fixes #18914.
2021-03-08 21:42:06 +09:00
Carlo Wood
57f69536a8
Manual page fixes (#18906) 2021-03-07 02:54:33 +09:00