From 8c4db5629c877425b2f46e414a94a8f24280a9d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 17 Feb 2022 20:34:14 +0100 Subject: [PATCH 1/4] man: adjust command for Fedora installations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit glibc now has Suggests:glibc-minimal-langpack, so we don't need to mention it ourselves. --repo=… is a nicer alternative to --disablerepo=* --enablerepo=…. It also avoids the issue with quoting. Let's exclude weak deps, but install systemd-networkd, so the container can configure networking if necessary. --- man/systemd-nspawn.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 9c1cb33c014..8a527269d3f 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1646,8 +1646,8 @@ After=sys-subsystem-net-devices-ens1.device Build and boot a minimal Fedora distribution in a container # dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \ - --disablerepo='*' --enablerepo=fedora --enablerepo=updates install \ - systemd passwd dnf fedora-release vim-minimal glibc-minimal-langpack + --repo=fedora --repo=updates --setopt=install_weak_deps=False install \ + passwd dnf fedora-release vim-minimal systemd systemd-networkd # systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version; This installs a minimal Fedora distribution into the From e6ce19516315138d983ed4b7776d9ebd2fb296d8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 22 Feb 2022 22:55:42 +0100 Subject: [PATCH 2/4] man/systemd-analyze: split out example to a separate section It turns out we can't have an Example nested in a list, and every combination of nesting I tried looked bad either in troff or in html. The whole example is moved to a separate section. --- man/systemd-analyze.xml | 126 +++++++++++++++++++++------------------- 1 file changed, 65 insertions(+), 61 deletions(-) diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 8bc67a1ea89..7baa1794d7c 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml 
@@ -1129,69 +1129,9 @@ $ systemd-analyze verify /tmp/source:alias.service - - JSON Policy - The JSON file passed as a path parameter to - has a top-level JSON object, with keys being the assessment test identifiers mentioned - above. The values in the file should be JSON objects with one or more of the - following fields: description_na (string), description_good (string), description_bad - (string), weight (unsigned integer), and range (unsigned integer). If any of these fields - corresponding to a specific id of the unit file is missing from the JSON object, the - default built-in field value corresponding to that same id is used for security analysis - as default. The weight and range fields are used in determining the overall exposure level - of the unit files: the value of each setting is assigned a badness score, which is multiplied - by the policy weight and divided by the policy range to determine the overall exposure that - the setting implies. The computed badness is summed across all settings in the unit file, - normalized to the 1…100 range, and used to determine the overall exposure level of the unit. - By allowing users to manipulate these fields, the 'security' verb gives them the option to - decide for themself which ids are more important and hence should have a greater effect on - the exposure level. A weight of 0 means the setting will not be - checked. 
- - - { - "PrivateDevices": - { - "description_good": "Service has no access to hardware devices", - "description_bad": "Service potentially has access to hardware devices", - "weight": 1000, - "range": 1 - }, - "PrivateMounts": - { - "description_good": "Service cannot install system mounts", - "description_bad": "Service may install system mounts", - "weight": 1000, - "range": 1 - }, - "PrivateNetwork": - { - "description_good": "Service has no access to the host's network", - "description_bad": "Service has access to the host's network", - "weight": 2500, - "range": 1 - }, - "PrivateTmp": - { - "description_good": "Service has no access to other software's temporary files", - "description_bad": "Service has access to other software's temporary files", - "weight": 1000, - "range": 1 - }, - "PrivateUsers": - { - "description_good": "Service does not have access to other users", - "description_bad": "Service has access to other users", - "weight": 1000, - "range": 1 - } - } - - - + See example "JSON Policy" below. - 
@@ -1261,6 +1201,70 @@ $ systemd-analyze verify /tmp/source:alias.service + + Examples + + + JSON Policy + + The JSON file passed as a path parameter to has a top-level + JSON object, with keys being the assessment test identifiers mentioned above. The values in the file + should be JSON objects with one or more of the following fields: + (string), (string), (string), + (unsigned integer), and (unsigned integer). If any of + these fields corresponding to a specific id of the unit file is missing from the JSON object, the + default built-in field value corresponding to that same id is used for security analysis as default. + The weight and range fields are used in determining the overall exposure level of the unit files: the + value of each setting is assigned a badness score, which is multiplied by the policy weight and divided + by the policy range to determine the overall exposure that the setting implies. The computed badness is + summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the + overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb + gives them the option to decide for themself which ids are more important and hence should have a + greater effect on the exposure level. A weight of 0 means the setting will not be + checked. 
+ + +{ + "PrivateDevices": + { + "description_good": "Service has no access to hardware devices", + "description_bad": "Service potentially has access to hardware devices", + "weight": 1000, + "range": 1 + }, + "PrivateMounts": + { + "description_good": "Service cannot install system mounts", + "description_bad": "Service may install system mounts", + "weight": 1000, + "range": 1 + }, + "PrivateNetwork": + { + "description_good": "Service has no access to the host's network", + "description_bad": "Service has access to the host's network", + "weight": 2500, + "range": 1 + }, + "PrivateTmp": + { + "description_good": "Service has no access to other software's temporary files", + "description_bad": "Service has access to other software's temporary files", + "weight": 1000, + "range": 1 + }, + "PrivateUsers": + { + "description_good": "Service does not have access to other users", + "description_bad": "Service has access to other users", + "weight": 1000, + "range": 1 + } +} + + + + See Also From d68c797c6da322e25483cf66fc8f43f3ec327c40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 22 Feb 2022 22:56:10 +0100 Subject: [PATCH 3/4] man/systemd-network: reword descriptions of DHCPPrefixDelegation= and dst-host --- man/systemd.network.xml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 3e8d9affd96..1199c3bda28 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
@@ -824,12 +824,11 @@ Table=1234 DHCPPrefixDelegation= - Takes a boolean value. When enabled, requests subnet prefixes acquired by a DHCPv6 - client, or by a DHCPv4 client through the 6RD option configured on another link. By default, - an address within each delegated prefix will be assigned, and the prefixes will be announced - through IPv6 Router Advertisement when IPv6SendRA= is enabled. Such - default settings can be configured in the [DHCPPrefixDelegation] section. Defaults to - disabled. + Takes a boolean value. When enabled, requests subnet prefixes on another link via the DHCPv6 + protocol or via the 6RD option in the DHCPv4 protocol. An address within each delegated prefix will + be assigned, and the prefixes will be announced through IPv6 Router Advertisement if + IPv6SendRA= is enabled. This behaviour can be configured in the + [DHCPPrefixDelegation] section. Defaults to disabled. @@ -3686,7 +3685,7 @@ Token=prefixstable:2002:da8:1:: Flows are defined only by destination address. Equivalent to the - srchost option for tc qdisc command. See also + dsthost option for tc qdisc command. See also tc-cake8. From fe003f02dd19b9ae88af0384e5cf4f5934d1e9db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 22 Feb 2022 22:54:23 +0100 Subject: [PATCH 4/4] man: various issues reported in #22432 Fixes #22432. --- man/homectl.xml | 12 ++++++------ man/integritytab.xml | 2 +- man/nss-resolve.xml | 8 ++++---- man/os-release.xml | 8 ++++---- man/systemd-integritysetup@.service.xml | 4 +++- man/systemd-stub.xml | 7 +++++-- man/systemd.exec.xml | 4 +--- man/systemd.link.xml | 2 +- man/systemd.network.xml | 2 +- man/systemd.nspawn.xml | 2 +- man/systemd.path.xml | 20 ++++++++++---------- man/userdbctl.xml | 8 ++++---- 12 files changed, 41 insertions(+), 38 deletions(-) diff --git a/man/homectl.xml b/man/homectl.xml index 5a06346d7b6..eaed7897b1c 100644 --- a/man/homectl.xml +++ b/man/homectl.xml 
@@ -698,12 +698,12 @@ done. If set to grow the home area is grown to the size configured via should it currently be smaller. If it already matches the configured size or is larger no operation is executed. If set to shrink-and-grow the home - area is also resized to the minimal size used disk space and file system constraints permit, during - logout. This mode thus ensures that while a home area is activated it is sized to the configured - size, but while deactivated it is compacted taking up only the minimal space possible. Note that if - the system is powered off abnormally or if the user otherwise not logged out cleanly the shrinking - operation will not take place, and the user has to re-login/logout again before it is executed - again. + area is also resized during logout to the minimal size the used disk space and file system + constraints permit. This mode thus ensures that while a home area is activated it is sized to the + configured size, but while deactivated it is compacted taking up only the minimal space possible. + Note that if the system is powered off abnormally or if the user otherwise not logged out cleanly the + shrinking operation will not take place, and the user has to re-login/logout again before it is + executed again. diff --git a/man/integritytab.xml b/man/integritytab.xml index c2ad2573a0c..44f0a559290 100644 --- a/man/integritytab.xml +++ b/man/integritytab.xml @@ -50,7 +50,7 @@ UUID= followed by the UUID, PARTUUID= followed by the partition UUID, LABEL= followed by the label, - PARTLABEL= followed by the partition label, + PARTLABEL= followed by the partition label. The third field if present contains an absolute filename path to a key file or a - diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml index 061d0d74bbe..b72b1ba64d0 100644 --- a/man/nss-resolve.xml +++ b/man/nss-resolve.xml 
@@ -94,7 +94,7 @@ $SYSTEMD_NSS_RESOLVE_CACHE Takes a boolean argument. When false, the cache of previously queried records will - not be used by systemd-resolved. + not be used by systemd-resolved. @@ -121,7 +121,7 @@ $SYSTEMD_NSS_RESOLVE_NETWORK Takes a boolean argument. When false, answers will be returned without using the - network, i.e. either from local sources or the cache in systemd-resolved. + network, i.e. either from local sources or the cache in systemd-resolved. @@ -130,8 +130,8 @@ Example - Here is an example /etc/nsswitch.conf file that enables nss-resolve - correctly: + Here is an example /etc/nsswitch.conf file that enables + nss-resolve correctly: passwd: compat systemd diff --git a/man/os-release.xml b/man/os-release.xml index f5d6756f899..dd3c39f8762 100644 --- a/man/os-release.xml +++ b/man/os-release.xml @@ -424,10 +424,10 @@ PORTABLE_PREFIXES= Takes a space-separated list of one or more valid prefix match strings for the Portable Services logic. This field - serves two purposes: it's informational, identifying portable service images as such (and thus - allowing them to be distinguished from other OS images, such as bootable system images); whenever a - portable service image is attached the specified or implied portable service prefix is checked - against this list, to enforce restrictions how images may be attached to a + serves two purposes: it is informational, identifying portable service images as such (and thus + allowing them to be distinguished from other OS images, such as bootable system images). In is also + used when a portable service image is attached: the specified or implied portable service prefix is + checked against the list specified here, to enforce restrictions how images may be attached to a system. diff --git a/man/systemd-integritysetup@.service.xml b/man/systemd-integritysetup@.service.xml index 24336c262d2..ade5663c283 100644 --- a/man/systemd-integritysetup@.service.xml 
+++ b/man/systemd-integritysetup@.service.xml @@ -56,7 +56,9 @@ Create a block device volume using - device. See integritytab man page and + device. See + systemd-integritytab5 + and Kernel dm-integrity documentation for details. diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index 6439878951b..28c6ba938cb 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml @@ -94,9 +94,12 @@ then access them in this directory. This is supposed to be used to store auxiliary, encrypted, authenticated credentials for use with LoadCredentialEncrypted= in the UEFI System Partition. See - systemd.exec5 for + systemd.exec5 + and + systemd-creds1 + for details on encrypted credentials. The generated cpio archive is measured into TPM - PCR 4 (if a TPM is present) + PCR 4 (if a TPM is present). Similarly, files foo.efi.extra.d/*.raw are packed up in a cpio archive and placed in the /.extra/sysext/ diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 2c00c08affb..38220958b42 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1964,9 +1964,7 @@ RestrictFileSystems=ext4 @known - All known filesystems defined by the kernel. This list is defined statically in systemd based on a kernel - version that was available when this systemd version was released. It will become progressively more - out-of-date as the kernel is updated. + All known filesystems defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systemd version was released. It will become progressively more out-of-date as the kernel is updated. diff --git a/man/systemd.link.xml b/man/systemd.link.xml index 1eaf8e14cbc..5629057bf26 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml 
@@ -812,7 +812,7 @@ TransmitVLANSTAGHardwareAcceleration= - Takes a boolean. If set to true, transmit VLAN STAG HW acceleration is enabled. + Takes a boolean. If set to true, transmit VLAN STAG hardware acceleration is enabled. When unset, the kernel's default will be used. diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 1199c3bda28..5939e38a00a 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2304,7 +2304,7 @@ Table=1234 sd-id1283, sd_id128_from_string3, and - sd_id128_get_machine3, + sd_id128_get_machine3. Note that the prefixstable algorithm uses both the interface diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml index 15cfd4bc764..c1eef7853b6 100644 --- a/man/systemd.nspawn.xml +++ b/man/systemd.nspawn.xml @@ -202,7 +202,7 @@ capabilities (see capabilities7 for details). The AmbientCapability= setting - specifies capability which will be passed to the started program + specifies capabilities which will be passed to the started program in the inheritable and ambient capability sets. This will grant these capabilities to this process. This setting correspond to the command line switch. diff --git a/man/systemd.path.xml b/man/systemd.path.xml index fd3d4efc2a5..0392f0dae05 100644 --- a/man/systemd.path.xml +++ b/man/systemd.path.xml 
@@ -190,16 +190,16 @@ TriggerLimitIntervalSec= TriggerLimitBurst= - Configures a limit on how often this path unit may be activated within a specific time - interval. The TriggerLimitIntervalSec= may be used to configure the length of the time - interval in the usual time units us, ms, s, - min, h, … and defaults to 2s (See - systemd.time7 for details on - the various time units understood). The TriggerLimitBurst= setting takes a positive integer - value and specifies the number of permitted activations per time interval, and defaults to 200. Set either to - 0 to disable any form of trigger rate limiting. If the limit is hit, the unit is placed into a failure mode, - and will not watch the path(s) anymore until restarted. Note that this limit is enforced before the service - activation is enqueued. + Configures a limit on how often this path unit may be activated within a specific + time interval. The TriggerLimitIntervalSec= may be used to configure the length of + the time interval in the usual time units us, ms, + s, min, h, … and defaults to 2s. See + systemd.time7 for + details on the various time units understood. The TriggerLimitBurst= setting takes + a positive integer value and specifies the number of permitted activations per time interval, and + defaults to 200. Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, + the unit is placed into a failure mode, and will not watch the path(s) anymore until restarted. Note + that this limit is enforced before the service activation is enqueued. diff --git a/man/userdbctl.xml b/man/userdbctl.xml index 6a01e9d1791..fbab8102c9f 100644 --- a/man/userdbctl.xml +++ b/man/userdbctl.xml 
@@ -74,10 +74,10 @@ FORMAT - Selects JSON out mode (like ) and selects the precise - display mode. Takes one of pretty or short. If - pretty human-friendly whitespace and newlines are inserted in the output to make - the JSON data more readable. If short all superfluous whitespace is + Selects JSON output mode (like ) and selects the + precise display mode. Takes one of pretty or short. If + pretty, human-friendly whitespace and newlines are inserted in the output to make + the JSON data more readable. If short, all superfluous whitespace is suppressed.
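Review bot: In the systemd-nspawn.xml hunk of patch 1, the commit message's reason for dropping glibc-minimal-langpack ("glibc now has Suggests:glibc-minimal-langpack") sits uneasily next to the newly added `--setopt=install_weak_deps=False`: a reader will take Suggests to be exactly the kind of weak dependency that setting turns off and conclude the langpack is no longer installed. Please spell out in the commit message (or a comment beside the example) why the minimal langpack still ends up in the container with weak deps disabled, so the example does not look self-contradictory. The switch itself is welcome: excluding weak dependencies keeps the container image to the listed packages and their hard requirements, which is the smaller footprint one wants for a container that will be booted with `systemd-nspawn -b`.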
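Review bot: In the first systemd-analyze.xml hunk of patch 2 (`@@ -1129,69 +1129,9 @@`), the replacement line `See example "JSON Policy" below.` is a plain-text pointer that HTML readers cannot follow and that silently goes stale if the Examples section is ever moved again; a linked cross-reference to the new section's id would be more robust. The removed nested example is otherwise reproduced verbatim in the later hunk, so nothing is lost in the move.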
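Review bot: In the second systemd-analyze.xml hunk of patch 2 (`@@ -1261,6 +1201,70 @@`), the moved paragraph carries two wording problems over unchanged: "decide for themself" should be "decide for themselves", and "the default built-in field value corresponding to that same id is used for security analysis as default" says "default" twice; "the built-in default for that id is used" is enough. Since this now lives in an Examples section, one sentence tying the sample JSON to the prose would help readers: with every `"range": 1` and weights of 1000 and 2500, the normalization to the 1…100 range means only the relative weights matter, so PrivateNetwork counts two and a half times as much as the other four settings, and a setting one does not want scored at all gets `"weight": 0`, as the text already states.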
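Review bot: In the DHCPPrefixDelegation= hunk of patch 3 (`@@ -824,12 +824,11 @@`), the new wording "requests subnet prefixes on another link via the DHCPv6 protocol or via the 6RD option in the DHCPv4 protocol" is more ambiguous than the text it replaces: it can be read as the request being sent out on the other link, whereas the old text made clear that the prefixes are acquired by a DHCPv6 (or 6RD-capable DHCPv4) client running on another link and then used on this one. Suggest something like "When enabled, subnet prefixes acquired by a DHCPv6 client, or by a DHCPv4 client via the 6RD option, on another link are requested and assigned on this link." The rest of the rewording (address assignment, announcement via Router Advertisement if IPv6SendRA= is enabled, the [DHCPPrefixDelegation] section) reads well.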
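Review bot: In the homectl.xml hunk of patch 4 (`@@ -698,12 +698,12 @@`), two defects survive the reflow: "if the user otherwise not logged out cleanly" is missing its verb (read "if the user otherwise did not log out cleanly"), and "has to re-login/logout again before it is executed again" doubles "again"; "has to log in and out again before it is executed" is sufficient. Since the hunk already rewrites these exact lines, it is the right place to fix them.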
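Review bot: In the os-release.xml hunk of patch 4 (`@@ -424,10 +424,10 @@`), the added line "In is also used when a portable service image is attached" contains a typo: "In" should be "It". The same sentence ends with "to enforce restrictions how images may be attached to a system", which wants "restrictions on how". Otherwise splitting the two purposes into two sentences is a clear improvement over the original run-on.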
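Review bot: In the systemd-integritysetup@.service.xml hunk of patch 4 (`@@ -56,7 +56,9 @@`), the new citerefentry points at `systemd-integritytab` in section 5, but the page being referenced is the one this same series edits as man/integritytab.xml, i.e. integritytab(5). Please double-check the refentrytitle so the generated link actually resolves; a cross-reference to a page that does not exist is worse than the plain "integritytab man page" wording it replaces.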
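Review bot: In the systemd.exec.xml hunk of patch 4 (`@@ -1964,9 +1964,7 @@`), the @known description is collapsed from three wrapped lines into one very long line, which goes against the wrapping every other hunk in this series carefully preserves. If the motivation was the odd indentation of the old lines, rewrapping at the usual width would fix that without introducing an over-long line; if there is a rendering reason for the single line, the commit message should say so.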
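Review bot: In the systemd.nspawn.xml hunk of patch 4 (`@@ -202,7 +202,7 @@`), the fix from "capability" to "capabilities" is correct, but the trailing context line "This setting correspond to the command line switch" has the same kind of agreement error ("corresponds"); since the hunk is already touching this paragraph, fold that in too.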
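Review bot: In the userdbctl.xml hunk of patch 4 (`@@ -74,10 +74,10 @@`), "Selects JSON output mode (like ...) and selects the precise display mode" repeats "selects"; "Selects JSON output mode (like ...) and the precise display mode" reads better. The "out" to "output" fix and the commas after "pretty" and "short" are good.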