1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-10 05:18:17 +03:00

man: more hyperlinks and other fixes

Closes https://github.com/systemd/systemd/issues/29814.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2023-11-06 14:59:00 +01:00
parent 55e40b0be8
commit bf63dadbc6
26 changed files with 157 additions and 117 deletions

View File

@ -865,7 +865,7 @@
<para><option>--vacuum-time=</option> removes archived journal files older than the specified
timespan. Accepts the usual <literal>s</literal> (default), <literal>m</literal>,
<literal>h</literal>, <literal>days</literal>, <literal>months</literal>, <literal>weeks</literal>
<literal>h</literal>, <literal>days</literal>, <literal>weeks</literal>, <literal>months</literal>,
and <literal>years</literal> suffixes, see
<citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
details.</para>

View File

@ -413,10 +413,12 @@
<varlistentry>
<term><command>edit</command> <replaceable>NAME|FILE</replaceable></term>
<listitem><para>Edit the settings file of the specified machines. For the format of the settings file, refer to <citerefentry
project='man-pages'><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
If an existing settings file of the given machine can't be found, <command>edit</command> automatically
create a new settings file from scratch under <filename>/etc/</filename></para>
<listitem><para>Edit the settings file of the specified machines. For the format of the settings
file, refer to
<citerefentry project='man-pages'><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
If an existing settings file of the given machine can't be found, <command>edit</command>
automatically create a new settings file from scratch under <filename>/etc/</filename>.
</para>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>

View File

@ -436,7 +436,8 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR)
the main configuration file. Unless <option>--no-reload</option> is specified,
<command>systemd-networkd</command> will be reloaded after the edit of the
<filename>.network</filename> or <filename>.netdev</filename> files finishes.
The same applies for <filename>.link</filename> files and <command>systemd-udevd</command>.
The same applies for <filename>.link</filename> files and
<citerefentry><refentrytitle>systemd-udevd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
Note that the changed link settings are not automatically applied after reloading.
To achieve that, trigger uevents for the corresponding interface. Refer to
<citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>
@ -514,8 +515,7 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR)
</varlistentry>
<varlistentry>
<term><option>--drop-in=</option></term>
<replaceable>NAME</replaceable>
<term><option>--drop-in=</option><replaceable>NAME</replaceable></term>
<listitem>
<para>When used with <command>edit</command>, edit the drop-in file <replaceable>NAME</replaceable>
@ -529,8 +529,11 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR)
<term><option>--no-reload</option></term>
<listitem>
<para>When used with <command>edit</command>, <command>systemd-networkd</command>
or <command>systemd-udevd</command> will not be reloaded after the editing finishes.</para>
<para>When used with <command>edit</command>,
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
or
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
will not be reloaded after the editing finishes.</para>
<xi:include href="version-info.xml" xpointer="v254"/>
</listitem>

View File

@ -363,17 +363,21 @@ DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953</programlisting>
</varlistentry>
<varlistentry>
<term>StaleRetentionSec=<replaceable>SECONDS</replaceable></term>
<listitem><para>Takes a duration value, which determines the length of time DNS resource records can be retained
in the cache beyond their Time To Live (TTL). This allows these records to be returned as stale records.
By default, this value is set to zero, meaning that DNS resource records are not stored in the cache after their TTL expires.</para>
<listitem><para>Takes a duration value, which determines the length of time DNS resource records can
be retained in the cache beyond their Time To Live (TTL). This allows these records to be returned as
stale records. By default, this value is set to zero, meaning that DNS resource records are not
stored in the cache after their TTL expires.</para>
<para>This is useful when a DNS server failure occurs or becomes unreachable.
In such cases, systemd-resolved continues to use the stale records to answer DNS queries, particularly when no valid response
can be obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those are still perfectly valid responses.
This feature enhances resilience against DNS infrastructure failures and outages.</para>
<para>This is useful when a DNS server failure occurs or becomes unreachable. In such cases,
<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>
continues to use the stale records to answer DNS queries, particularly when no valid response can be
obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those
are still perfectly valid responses. This feature enhances resilience against DNS infrastructure
failures and outages.</para>
<para>systemd-resolved always attempts to reach the upstream DNS servers first, before providing the client application with any stale data.
If this feature is enabled, cache will not be flushed when changing servers.</para>
<para><command>systemd-resolved</command> always attempts to reach the upstream DNS servers first,
before providing the client application with any stale data. If this feature is enabled, cache will
not be flushed when changing servers.</para>
<xi:include href="version-info.xml" xpointer="v254"/>
</listitem>

View File

@ -2740,11 +2740,11 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
</varlistentry>
<varlistentry>
<term><option>--drop-in=</option></term>
<term><option>--drop-in=</option><replaceable>NAME</replaceable></term>
<listitem>
<para>When used with <command>edit</command>, use the given drop-in file name instead of
<filename>override.conf</filename>.</para>
<para>When used with <command>edit</command>, use <replaceable>NAME</replaceable> as the drop-in
file name instead of <filename>override.conf</filename>.</para>
<xi:include href="version-info.xml" xpointer="v253"/>
</listitem>

View File

@ -863,7 +863,7 @@ stored sock 0:8 4213190 - socket:[4213190] ro
<citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
policy is normalized and simplified. For each currently defined partition identifier (as per the <ulink
url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable
Partitions Specification</ulink> the effect of the image policy string is shown in tabular form.</para>
Partitions Specification</ulink>) the effect of the image policy string is shown in tabular form.</para>
<example>
<title>Example Output</title>

View File

@ -18,7 +18,7 @@
<refnamediv>
<refname>systemd-battery-check.service</refname>
<refname>systemd-battery-check</refname>
<refpurpose>Check battery level whether there's enough charge, and power off if not.</refpurpose>
<refpurpose>Check battery level whether there's enough charge, and power off if not</refpurpose>
</refnamediv>
<refsynopsisdiv>
@ -32,14 +32,11 @@
<refsect1>
<title>Description</title>
<para>
<filename>systemd-battery-check.service</filename> is used to check the battery level during the early
boot stage to determine whether there's sufficient battery power to carry on with the booting process.
</para>
<para>
<command>systemd-battery-check</command> returns success if the device is connected to an AC power
source or if the battery charge is greater than 5%. It returns failure otherwise.
</para>
<para>This service checks the presence of an external power supply and the battery level during the early
boot stage to determine whether there is sufficient power to carry on with the booting process.</para>
<para><command>systemd-battery-check</command> returns success if the device is connected to an AC power
source or if the battery charge is greater than 5%. It returns failure otherwise.</para>
</refsect1>
<refsect1>

View File

@ -293,8 +293,8 @@
<term><option>--force</option></term>
<listitem><para>Write configuration even if the relevant files already exist. Without this option,
<filename>systemd-firstboot</filename> doesn't modify or replace existing files. Note that when
configuring the root account, even with this option, <filename>systemd-firstboot</filename> only
<command>systemd-firstboot</command> doesn't modify or replace existing files. Note that when
configuring the root account, even with this option, <command>systemd-firstboot</command> only
modifies the entry of the <literal>root</literal> user, leaving other entries in
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> intact.</para>

View File

@ -55,12 +55,12 @@
last check, number of mounts, unclean unmount, etc.</para>
<para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename>
will activate <filename>reboot.target</filename> if <filename>fsck</filename> returns the "System
should reboot" condition, or <filename>emergency.target</filename> if <filename>fsck</filename>
will activate <filename>reboot.target</filename> if <command>fsck</command> returns the "System
should reboot" condition, or <filename>emergency.target</filename> if <command>fsck</command>
returns the "Filesystem errors left uncorrected" condition.</para>
<para><filename>systemd-fsck@.service</filename> will fail if
<filename>fsck</filename> returns with either "System should reboot"
<command>fsck</command> returns with either "System should reboot"
or "Filesystem errors left uncorrected" conditions. For filesystems
listed in <filename>/etc/fstab</filename> without <literal>nofail</literal>
or <literal>noauto</literal> options, <literal>local-fs.target</literal>
@ -70,7 +70,7 @@
<refsect1>
<title>Kernel Command Line</title>
<para><filename>systemd-fsck</filename> understands these kernel
<para><command>systemd-fsck</command> understands these kernel
command line parameters:</para>
<variablelist class='kernel-commandline-options'>

View File

@ -31,7 +31,7 @@
<para><filename>systemd-hibernate-resume.service</filename> initiates the resume from hibernation.</para>
<para><filename>systemd-hibernate-resume</filename> only supports the in-kernel hibernation
<para><command>systemd-hibernate-resume</command> only supports the in-kernel hibernation
implementation, see <ulink url="https://docs.kernel.org/power/swsusp.html">Swap suspend</ulink>.
Internally, it works by writing the major:minor of specified device node to
<filename>/sys/power/resume</filename>, along with the offset in memory pages

View File

@ -211,7 +211,9 @@
invoked. This option may be used multiple times to pass multiple file descriptors in a single
notification message.</para>
<para>To use this functionality from a <command>bash</command> shell, use an expression like the following:</para>
<para>To use this functionality from a
<citerefentry project='man-pages'><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>
shell, use an expression like the following:</para>
<programlisting>systemd-notify --fd=4 --fd=5 4&lt;/some/file 5&lt;/some/other/file</programlisting>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>

View File

@ -560,7 +560,8 @@ Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo.</programlisti
<example>
<title>Allowing access to the tty</title>
<para>The following command invokes <citerefentry project='man-pages'><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<para>The following command invokes
<citerefentry project='man-pages'><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>
as a service passing its standard input, output and error to the calling TTY.</para>
<programlisting># systemd-run -t --send-sighup bash</programlisting>
@ -618,18 +619,22 @@ There is a screen on:
</programlisting>
<para>The first argument is expanded by the shell (double quotes), but the second one is not expanded
by the shell (single quotes). <command>echo</command> is called with [<literal>/usr/bin/echo</literal>,
by the shell (single quotes).
<citerefentry project='man-pages'><refentrytitle>echo</refentrytitle><manvolnum>1</manvolnum></citerefentry>
is called with [<literal>/usr/bin/echo</literal>,
<literal>[]</literal>, <literal>[${INVOCATION_ID}]</literal>] as the argument array, and then
<command>systemd</command> generates <varname>${INVOCATION_ID}</varname> and substitutes it in the
command-line. This substitution could not be done on the client side, because the target ID that will
be set for the service isn't known before the call is made.</para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
generates <varname>${INVOCATION_ID}</varname> and substitutes it in the command-line. This substitution
could not be done on the client side, because the target ID that will be set for the service isn't
known before the call is made.</para>
</example>
<example>
<title>Variable expansion and output redirection using a shell</title>
<para>Variable expansion by <command>systemd</command> can be disabled with
<varname>--expand-environment=no</varname>.</para>
<para>Variable expansion by
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
can be disabled with <varname>--expand-environment=no</varname>.</para>
<para>Disabling variable expansion can be useful if the command to execute contains dollar characters
and escaping them would be inconvenient. For example, when a shell is used:</para>
@ -639,9 +644,10 @@ There is a screen on:
/bin/bash 12345
</programlisting>
<para>The last argument is passed verbatim to the <command>bash</command> shell which is started by the
service unit. The shell expands <literal>$SHELL</literal> to the path of the shell, and
<literal>$$</literal> to its process number, and then those strings are passed to the
<para>The last argument is passed verbatim to the
<citerefentry project='man-pages'><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>
shell which is started by the service unit. The shell expands <literal>$SHELL</literal> to the path of
the shell, and <literal>$$</literal> to its process number, and then those strings are passed to the
<command>echo</command> built-in and printed to standard output (which in this case is connected to the
calling terminal).</para>
</example>

View File

@ -129,7 +129,7 @@
an extension with the same name in a system folder with lower precedence.</para>
<para>A simple mechanism for version compatibility is enforced: a system extension image must carry a
<filename>/usr/lib/extension-release.d/extension-release.<replaceable>$name</replaceable></filename>
<filename>/usr/lib/extension-release.d/extension-release.<replaceable>NAME</replaceable></filename>
file, which must match its image name, that is compared with the host <filename>os-release</filename>
file: the contained <varname>ID=</varname> fields have to match unless <literal>_any</literal> is set
for the extension. If the extension <varname>ID=</varname> is not <literal>_any</literal>, the
@ -168,11 +168,13 @@
<filename>.raw</filename> suffix are considered disk image based confext images.</para>
<para>Again, just like sysext images, the confext images will contain a
<filename>/etc/extension-release.d/extension-release.<replaceable>$name</replaceable></filename>
file, which must match the image name (with the usual escape hatch of xattr), and again with content
being one or more of <varname>ID=</varname>, <varname>VERSION_ID=</varname>, and
<varname>CONFEXT_LEVEL</varname>. Confext images will then be checked and matched against the
base OS layer.</para>
<filename>/etc/extension-release.d/extension-release.<replaceable>NAME</replaceable></filename>
file, which must match the image name (with the usual escape hatch of
the <varname>user.extension-release.strict</varname>
<citerefentry project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
and again with content being one or more of <varname>ID=</varname>, <varname>VERSION_ID=</varname>, and
<varname>CONFEXT_LEVEL</varname>. Confext images will then be checked and matched against the base OS
layer.</para>
</refsect1>
<refsect1>

View File

@ -150,7 +150,7 @@
<title>Credentials</title>
<para><command>systemd-sysusers</command> supports the service credentials logic as implemented by
<varname>ImportCredential=</varname><varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
<varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
(see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
details). The following credentials are used when passed in:</para>

View File

@ -57,7 +57,7 @@
<title>Credentials</title>
<para><command>systemd-vconsole-setup</command> supports the service credentials logic as implemented by
<varname>ImportCredential=</varname><varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
<varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
(see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
details). The following credentials are used when passed in:</para>

View File

@ -232,10 +232,11 @@
<para>To make sure making ephemeral copies can be made efficiently, the root directory or root image
should be located on the same filesystem as <filename>/var/lib/systemd/ephemeral-trees/</filename>.
When using <varname>RootEphemeral=</varname> with root directories, btrfs should be used as the
filesystem and the root directory should ideally be a subvolume which <command>systemd</command> can
snapshot to make the ephemeral copy. For root images, a filesystem with support for reflinks should
be used to ensure an efficient ephemeral copy.</para>
When using <varname>RootEphemeral=</varname> with root directories,
<citerefentry project='url'><refentrytitle url='https://btrfs.wiki.kernel.org/index.php/Manpage/btrfs(5)'>btrfs</refentrytitle><manvolnum>5</manvolnum></citerefentry>
should be used as the filesystem and the root directory should ideally be a subvolume which
<command>systemd</command> can snapshot to make the ephemeral copy. For root images, a filesystem
with support for reflinks should be used to ensure an efficient ephemeral copy.</para>
<xi:include href="system-only.xml" xpointer="singular"/>
@ -1917,7 +1918,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
<para>Note that this functionality might not be available, for example if KSM is disabled in the
kernel, or the kernel doesn't support controlling KSM at the process level through
<function>prctl()</function>.</para>
<citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>.</para>
<xi:include href="version-info.xml" xpointer="v254"/>
</listitem>
@ -3180,7 +3181,7 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
<varname>RateLimitBurst=</varname> configured in
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Note that this only applies to log messages that are processed by the logging subsystem, i.e. by
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
This means that if you connect a service's stderr directly to a file via
<varname>StandardOutput=file:…</varname> or a similar setting, the rate limiting will not be applied
to messages written that way (but it will be enforced for messages generated via
@ -4147,9 +4148,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
<varname>FileDescriptorStoreMax=</varname> is set to a non-zero value (see
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Applications may check this environment variable before sending file descriptors to
the service manager via <function>sd_pid_notify_with_fds()</function> (see
<citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
details).</para>
the service manager via
<citerefentry><refentrytitle>sd_pid_notify_with_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>

View File

@ -51,10 +51,10 @@
<listitem><para><option>verity</option> for partitions that shall exist and be used, with Verity
authentication. (Note: if a DDI image carries a data partition, along with a Verity partition and a
signature partition for it, and only the <option>verity</option> flag is set and
<option>signed</option> is not , then the image will be set up with Verity, but the signature data will
not be used. Or in other words: any DDI with a set of partitions that qualify for
<option>signature</option> also implicitly qualifies for <option>verity</option>, and in fact
signature partition for it, and only the <option>verity</option> flag is set (<option>signed</option>
is not), then the image will be set up with Verity, but the signature data will not be used. Or in
other words: any DDI with a set of partitions that qualify for <option>signature</option> also
implicitly qualifies for <option>verity</option>, and in fact also
<option>unprotected</option>).</para></listitem>
<listitem><para><option>signed</option> for partitions that shall exist and be used, with Verity
@ -130,9 +130,9 @@
<para>Most systemd components that support operating with disk images support a
<option>--image-policy=</option> command line option to specify the image policy to use, and default to
relatively open policies by default (typically the <literal>*</literal> policy, as described above),
under the assumption that trust in disk images is established before the images are passed to the program
in question.</para>
relatively open policies (typically the <literal>*</literal> policy, as described above), under the
assumption that trust in disk images is established before the images are passed to the program in
question.</para>
<para>For the host image itself
<citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>

View File

@ -1306,9 +1306,9 @@ $ sudo ip link set eth0 down
$ sudo udevadm trigger --verbose --settle --action add /sys/class/net/eth0</programlisting>
<para>You may also need to stop the service that manages the network interface, e.g.
<filename>systemd-networkd.service</filename> or <filename>NetworkManager.service</filename> before
the above operation, and then restart the service after that. For more details about
<command>udevadm</command> command, see
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
or <filename>NetworkManager.service</filename> before the above operation, and then restart the service
after that. For more details about <command>udevadm</command> command, see
<citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
</example>

View File

@ -448,7 +448,7 @@
property or none at all.</para>
<para>Some firmware and hypervisor implementations report unreasonably high numbers for the
on-board index. To prevent the generation of bogus onbard interface names, index numbers greater
on-board index. To prevent the generation of bogus on-board interface names, index numbers greater
than 16381 (2¹⁴-1) were ignored. For s390 PCI devices index values up to 65535 (2¹⁶-1) are valid.
To account for that, the limit was increased to 65535.</para>

View File

@ -2430,7 +2430,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
<term><varname>UseCaptivePortal=</varname></term>
<listitem>
<para>When true (the default), the captive portal advertised by the DHCP server will be recorded
and made available to client programs and displayed in the networkctl status output per-link.</para>
and made available to client programs and displayed in the
<citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
status output per-link.</para>
<xi:include href="version-info.xml" xpointer="v254"/>
</listitem>
@ -2881,7 +2883,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
<term><varname>UseCaptivePortal=</varname></term>
<listitem>
<para>When true (the default), the captive portal advertised by the DHCPv6 server will be recorded
and made available to client programs and displayed in the networkctl status output per-link.</para>
and made available to client programs and displayed in the
<citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
status output per-link.</para>
<xi:include href="version-info.xml" xpointer="v254"/>
</listitem>
@ -3297,7 +3301,9 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
<term><varname>UseCaptivePortal=</varname></term>
<listitem>
<para>When true (the default), the captive portal received in the Router Advertisement will be recorded
and made available to client programs and displayed in the networkctl status output per-link.</para>
and made available to client programs and displayed in the
<citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
status output per-link.</para>
<xi:include href="version-info.xml" xpointer="v254"/>
</listitem>
@ -3306,9 +3312,11 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
<varlistentry>
<term><varname>UsePREF64=</varname></term>
<listitem>
<para>When true, the IPv6 PREF64 (or NAT64) prefixes received in the Router Advertisement will be recorded
and made available to client programs and displayed in the <command>networkctl</command> status output per-link.
See <ulink url="https://tools.ietf.org/html/rfc8781">RFC 8781</ulink>. Defaults to false.</para>
<para>When true, the IPv6 PREF64 (or NAT64) prefixes received in the Router Advertisement will be
recorded and made available to client programs and displayed in the
<citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
status output per-link. See <ulink url="https://tools.ietf.org/html/rfc8781">RFC 8781</ulink>.
Defaults to false.</para>
<xi:include href="version-info.xml" xpointer="v255"/>
</listitem>

View File

@ -1143,7 +1143,7 @@ NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser
<listitem>
<para><varname>BPFProgram=</varname> allows attaching custom BPF programs to the cgroup of a
unit. (This generalizes the functionality exposed via <varname>IPEgressFilterPath=</varname> and
and <varname>IPIngressFilterPath=</varname> for other hooks.) Cgroup-bpf hooks in the form of BPF
<varname>IPIngressFilterPath=</varname> for other hooks.) Cgroup-bpf hooks in the form of BPF
programs loaded to the BPF filesystem are attached with cgroup-bpf attach flags determined by the
unit. For details about attachment types and flags see <ulink
url="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/linux/bpf.h"><filename>bpf.h</filename></ulink>. Also
@ -1154,13 +1154,27 @@ NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser
<replaceable>type</replaceable>:<replaceable>program-path</replaceable>.</para>
<para>The BPF program type is equivalent to the BPF attach type used in
<command>bpftool</command>. It may be one of <constant>egress</constant>,
<constant>ingress</constant>, <constant>sock_create</constant>, <constant>sock_ops</constant>,
<constant>device</constant>, <constant>bind4</constant>, <constant>bind6</constant>,
<constant>connect4</constant>, <constant>connect6</constant>, <constant>post_bind4</constant>,
<constant>post_bind6</constant>, <constant>sendmsg4</constant>, <constant>sendmsg6</constant>,
<constant>sysctl</constant>, <constant>recvmsg4</constant>, <constant>recvmsg6</constant>,
<constant>getsockopt</constant>, <constant>setsockopt</constant>.</para>
<citerefentry project='mankier'><refentrytitle>bpftool</refentrytitle><manvolnum>8</manvolnum></citerefentry>
It may be one of
<constant>egress</constant>,
<constant>ingress</constant>,
<constant>sock_create</constant>,
<constant>sock_ops</constant>,
<constant>device</constant>,
<constant>bind4</constant>,
<constant>bind6</constant>,
<constant>connect4</constant>,
<constant>connect6</constant>,
<constant>post_bind4</constant>,
<constant>post_bind6</constant>,
<constant>sendmsg4</constant>,
<constant>sendmsg6</constant>,
<constant>sysctl</constant>,
<constant>recvmsg4</constant>,
<constant>recvmsg6</constant>,
<constant>getsockopt</constant>,
or <constant>setsockopt</constant>.
</para>
<para>The specified program path must be an absolute path referencing a BPF program inode in the
bpffs file system (which generally means it must begin with <filename>/sys/fs/bpf/</filename>). If
@ -1545,7 +1559,7 @@ DeviceAllow=/dev/loop-control
<varname>$MEMORY_PRESSURE_WATCH</varname> environment variable to the literal string
<filename>/dev/null</filename>. If <literal>on</literal> tells the service to watch for memory
pressure events. This enables memory accounting for the service, and ensures the
<filename>memory.pressure</filename> cgroup attribute files is accessible for read and write to the
<filename>memory.pressure</filename> cgroup attribute file is accessible for reading and writing by the
service's user. It then sets the <varname>$MEMORY_PRESSURE_WATCH</varname> environment variable for
processes invoked by the unit to the file system path to this file. The threshold information
configured with <varname>MemoryPressureThresholdSec=</varname> is encoded in the

View File

@ -167,7 +167,7 @@
been forked off (i.e. immediately after <function>fork()</function>, and before various process
attributes have been configured and in particular before the new process has called
<function>execve()</function> to invoke the actual service binary). Typically,
<varname>Type=</varname><option>exec</option> (see below) is the better choice, see below.</para>
<varname>Type=</varname><option>exec</option> is the better choice, see below.</para>
<para>It is expected that the process configured with <varname>ExecStart=</varname> is the main
process of the service. In this mode, if the process offers functionality to other processes on
@ -239,7 +239,7 @@
socket provided by systemd. If <varname>NotifyAccess=</varname> is missing or set to
<option>none</option>, it will be forcibly set to <option>main</option>.</para>
<para>If the service supports reloading, and uses the a signal to start the reload, using
<para>If the service supports reloading, and uses a signal to start the reload, using
<option>notify-reload</option> instead is recommended.</para></listitem>
<listitem><para>Behavior of <option>notify-reload</option> is similar to <option>notify</option>,
@ -1239,8 +1239,9 @@
<constant>stop</constant> the event is logged but the unit is terminated cleanly by the service
manager. If set to <constant>kill</constant> and one of the unit's processes is killed by the OOM
killer the kernel is instructed to kill all remaining processes of the unit too, by setting the
<filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see <ulink
url="https://docs.kernel.org/admin-guide/cgroup-v2.html">kernel documentation</ulink>.</para>
<filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see kernel
page <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html">Control Group v2</ulink>.
</para>
<para>Defaults to the setting <varname>DefaultOOMPolicy=</varname> in
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>

View File

@ -349,9 +349,9 @@
queue that have not been accepted yet. This setting matters only for stream and sequential packet
sockets. See
<citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
details. Note that this value is silently capped by the <literal>net.core.somaxconn</literal> sysctl,
which typically defaults to 4096. By default this is set to 4294967295, so that the sysctl takes full
effect.</para></listitem>
details. Defaults to 4294967295. Note that this value is silently capped by the
<literal>net.core.somaxconn</literal> sysctl, which typically defaults to 4096, so typically
the sysctl is the setting that actually matters.</para></listitem>
</varlistentry>
<varlistentry>

View File

@ -884,12 +884,12 @@
<term><varname>JoinsNamespaceOf=</varname></term>
<listitem><para>For units that start processes (such as service units), lists one or more other units
whose network and/or temporary file namespace to join. If this is specified on a unit (say, a.service
has <varname>JoinsNamespaceOf=b.service</varname>), then this the inverse dependency
(<varname>JoinsNamespaceOf=a.service</varname> for b.service) is implied. This only applies to unit
types which support the <varname>PrivateNetwork=</varname>, <varname>NetworkNamespacePath=</varname>,
<varname>PrivateIPC=</varname>, <varname>IPCNamespacePath=</varname>, and
<varname>PrivateTmp=</varname> directives (see
whose network and/or temporary file namespace to join. If this is specified on a unit (say,
<filename>a.service</filename> has <varname>JoinsNamespaceOf=b.service</varname>), then the inverse
dependency (<varname>JoinsNamespaceOf=a.service</varname> for b.service) is implied. This only
applies to unit types which support the <varname>PrivateNetwork=</varname>,
<varname>NetworkNamespacePath=</varname>, <varname>PrivateIPC=</varname>,
<varname>IPCNamespacePath=</varname>, and <varname>PrivateTmp=</varname> directives (see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details). If a unit that has this setting set is started, its processes will see the same
<filename>/tmp/</filename>, <filename>/var/tmp/</filename>, IPC namespace and network namespace as

View File

@ -872,10 +872,10 @@ e! /var/cache/krb5rcache - - - 0
<programlisting>-smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0)
</programlisting>
<para>By passing this line to QEMU, the public key of the current user will be encoded in
base64, added to a tmpfiles.d line that tells systemd-tmpfiles to decode it into
<filename>/root/.ssh/authorized_keys</filename>, encode that line itself in base64 and
pass it as a Credential that will be picked up by systemd from SMBIOS on boot.
<para>By passing this line to QEMU, the public key of the current user will be encoded in base64, added
to a tmpfiles.d line that tells <command>systemd-tmpfiles</command> to decode it into
<filename>/root/.ssh/authorized_keys</filename>, encode that line itself in base64 and pass it as a
Credential that will be picked up by systemd from SMBIOS on boot.
</para>
</example>
</refsect1>

View File

@ -111,7 +111,7 @@
<para>If the stub and/or the kernel contain <literal>.sbat</literal> sections they will be merged in
the UKI so that revocation updates affecting either are considered when the UKI is loaded by Shim. For
more information on SBAT see
<ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink>
<ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
</para>
</refsect2>
@ -243,7 +243,7 @@
<term><option>--summary</option></term>
<listitem><para>Print a summary of loaded config and exit. This is useful to check how the options
form the configuration file and the command line are combined.</para>
from the configuration file and the command line are combined.</para>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>
@ -478,7 +478,7 @@
DBX/MOKX. If not specified manually, a default metadata entry consisting of
<literal>uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html</literal>
will be used, to ensure it is always possible to revoke UKIs and addons. For more information on
SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink>
SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
</para>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
@ -512,8 +512,8 @@
<para>On the command line, this option may be specified more than once, similarly to the
<option>--pcr-private-key=</option> option. If not present, the public keys will be extracted from
the private keys. On the command line, if present, the this option must be specified the same number
of times as the <option>--pcr-private-key=</option> option.</para>
the private keys. On the command line, if present, this option must be specified the same number of
times as the <option>--pcr-private-key=</option> option.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
@ -662,13 +662,13 @@ Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
<para>(Both operations need to be done as root to allow write access
to <filename>/etc/kernel/</filename>.)</para>
<para>Subsequent invocations of using the config file
<para>Subsequent invocations using the config file
(<command>ukify build --config=/etc/kernel/uki.conf</command>)
will use this certificate and key files. Note that the
<citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>
plugin <filename>60-ukify.install</filename> uses <filename>/etc/kernel/uki.conf</filename>
by default, so after this file has been created, installations of kernels that create a UKI on the
local machine using <command>kernel-install</command> would perform signing using this config.</para>
local machine using <command>kernel-install</command> will perform signing using this config.</para>
</example>
</refsect1>