IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We have to check for OOM here, let's add that. There's really no point in
checking for path_is_absolute() on the result however, as there's no particular
reason why that should be refused. Also, we don't have similar checks for the
other mount devices the generator deals with, hence don't bother with it here
either. Let's remove that check.
(And it shouldn't return made-up errors like "-1" in this case anyway.)
If run_qemu() exits with non-zero, this either meant that QEMU was not
available (which should be a SKIP) or that QEMU timed out if $QEMU_TIMEOUT was
set (which then should be a FAIL).
Limit the exit code of run_qemu() to QEMU availability only, and track timeouts
separately through the new $TIMED_OUT variable, which is then checked in
check_result_qemu().
Do the same for $NSPAWN_TIMEOUT and run_nspawn() so that nspawn and QEMU work
similarly.
This is a follow-up to 5d2036b5f3, and also makes
the "machinectl clean" verb asynchronous, after all it's little more than a
series of image removals.
The changes required to make this happen are a bit more comprehensive as we
need to pass information about deleted images back to the client, as well as
information about the image we failed on if we failed on one. Hence, create a
temporary file in /tmp, serialize that data into, and read it from the parent
after the operation is complete.
There's no point in explicitly closing the errno pipe, if we exit right after
anyway. It doesn't hurt doing this either, but let's do this the same way for
all cases where we use the "Operation" object right now, and in all other cases
we do not close the pipe explicitly, hence don't do so here either.
The result of check_nspawn does not mean much, and this forgot to ask
check_nspawn() whether nspawn can be used at all. This brings
TEST-12-ISSUE-3171 in line with other nspawn tests.
In some cases, caching DNS results locally is not desirable, a it makes DNS
cache poisoning attacks a tad easier and also allows users on the system to
determine whether or not a particular domain got visited by another user. Thus
provide a new "Cache" resolved.conf option to disable it.
Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which
some forwarding DNS servers pass on to us as SERVFAIL (other though as
NOERROR...). This is should not be considered a problem, as long as the domain
in question didn't have DNSSEC enabled. Hence: when making use of auxiliary
transactions accept those that return SERVFAIL.
There might be two reasons why we get a SERVFAIL response from our selected DNS
server: because this DNS server itself is bad, or because the DNS server
actually serving the zone upstream is bad. So far we immediately downgraded our
server feature level when getting SERVFAIL, under the assumption that the first
case is the only possible case. However, this meant we'd downgrade immediately
even if we encountered the second case described above.
With this commit handling of SERVFAIL is reworked. As soon as we get a SERVFAIL
on a transaction we retry the transaction with a lower feature level, without
changing the feature level tracked for the DNS server itself. If that fails
too, we downgrade further, and so on. If during this downgrading the SERVFAIL
goes away we assume that the DNS server we are talking to is bad, but the zone
is fine and propagate the detected feature level to the information we track
about the DNS server. Should the SERVFAIL not go away this way we let the
transaction fail and accept the SERVFAIL.
udevd already limits its number of workers/children: the max number is actually
twice the number of CPUs the system is using.
(The limit can also be raised with udev.children-max= kernel command line
option BTW).
On some servers, this limit can easily exceed the maximum number of tasks that
systemd put on all services, which is 512 by default.
Since udevd has already its limitation logic, simply disable the static
limitation done by TasksMax.
root=/dev/nfs is a legacy option for the kernel to handle root on NFS.
Documentation for this kernel command line option
can be found in the kernel source tree:
Documentation/filesystems/nfs/nfsroot.txt
It makes use of the sd_listen_fds() call, and as such should live in
src/shared, as the distinction between src/basic and src/shared is that the
latter may use libsystemd APIs, the former does not.
Note that btrfs-util.[ch] and log.[ch] also include header files from
libsystemd, but they only need definitions, they do not invoke any function
from it. Hence they may stay in src/basic.
This change documents the existance of the systemd-nspawn@.service template
unit file, which was previously not mentioned at all. Since the unit file uses
slightly different default than nspawn invoked from the command line, these
defaults are now explicitly documented too.
A couple of further additions and changes are made, too.
Replaces: #3497
Otherwise starting a machine named `foo-bar-baz` will end up in
machinectl attempting to start the service unit
`systemd-nspawn@foo\x2dbar\x2dbaz` instead of
`systemd-nspawn@foo-bar-baz`.
Add sd_notify() parameter to change watchdog_usec during runtime.
Application can change watchdog_usec value by
sd_notify like this. Example. sd_notify(0, "WATCHDOG_USEC=20000000").
To reset watchdog_usec as configured value in service file,
restart service.
Notice.
sd_event is not currently supported. If application uses
sd_event_set_watchdog, or sd_watchdog_enabled, do not use
"WATCHDOG_USEC" option through sd_notify.
When systemd is started by the kernel, the kernel set the TERM
environment variable unconditionnally to "linux" no matter the console
device used. This might be an issue for dumb devices with no colors
support.
This patch uses default_term_for_tty() for getting a more accurate
value. But it makes sure to keep the user preferences (if any) which
might be passed via the kernel command line. For that purpose /proc
should be mounted.
Specifically "machinectl shell" (or its OpenShell() bus call) is implemented by
entering the file system namespace of the container and opening a TTY there.
In order to enter the file system namespace, chroot() is required, which is
filtered by SystemCallFilter='s @mount group. Hence, let's make this work again
and drop @mount from the filter list.
Previously, we'd stop processing of the argument list immediately when hitting
the "shell" verb. However, we really should continue processing options then,
until we hit the machine name.
Fixes: #3472
Quoting @cgwalters:
Just uploading this as an RFC. Now I know reading the code that systemd says
`Welcome to $OS` as a generic thing, but my initial impression on seeing this
was that it was almost sarcastic =)
Let's say "You are in emergency mode" as a more neutral/less excited phrase.
This patch is based on #3556, but makes the same change for rescue mode.