1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

43 Commits

Author SHA1 Message Date
Mike Yuan
a375e14519 units/{user,capsule}@.service: issue daemon-reexec when notify-reloading
Closes #28367 (but not really in the exact form, see below)

We have the problem of restarting all user manager instances
after upgrade. Current approaches involve systemctl kill
with SIGRTMIN+25, which is async and feels rather ugly [1][2];
or systemctl --machine=user@ --user, which requires entering
each user session. Neither is particularly elegant.
Instead, let's just signal daemon-reexec when user@.service
is reloaded from system manager. Our long goal of dropping
daemon-reload in favor of reexec (see TODO) is unlikely to happen
due to user dbus restrictions, but here the synchronization
is done via READY=1.

[1] https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/-/blob/main/systemd.install?ref_type=heads#L37
[2] https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/systemd.postinst#L24

#28367 would not really work for us now I come to think about it,
because all processes will be reparented to pid1 as soon as
original user manager process exits. This alternative approach
seems good enough for our use case.
2024-10-11 10:36:08 +02:00
Lennart Poettering
29294d21cf units: add dep on systemd-logind.service by user@.service
Let's make sure logind is accessible by the time user@.service runs, and
that logind stays around as long as it does so.

Addresses an issue reported here:

https://lists.freedesktop.org/archives/systemd-devel/2024-June/050468.html

This addresses an issued introduced by
278e815bfa, which dropped the a dependency
from user@.service systemd-user-sessions.service without replacement.
While dropping that dependency does make sense, it should have been
replaced with the weaker dependency on systemd-logind.service, hence fix
that now.

user@.service is after all a logind concept, hence logind really should
be around for its lifetime.

systemd-user-sessions.service is a later milestone that only really
should apply to regular users (not root), hence it's too strong a
requirement.
2024-07-01 18:52:35 +02:00
Mike Yuan
e2a42c0c43
logind-user: track user started/stopping state through user-runtime-dir@.service
Before #30884, the user state is tied to user@.service (user service
manager). However, #30884 introduced sessions that need no manager,
and we can no longer rely on that.

Consider the following situation:

1. A 'background-light' session '1' is created (i.e. no user service manager
   is needed)
2. Session '1' scope unit pulls in user-runtime-dir@.service
3. Session '1' exits. A stop job is enqueued for user-runtime-dir@.service
   due to StopWhenUnneeded=yes
4. At the same time, another session '2' which requires user manager is started.
   However, session scope units have JobMode=fail, therefore the start job
   for user-runtime-dir@.service that was pulled in by session '2' scope job
   is deleted as it conflicts with the stop job.

We want session scope units to continue using JobMode=fail, but we still need
the dependencies to be started correctly, i.e. explicitly requested by logind
beforehand. Therefore, let's stop using StopWhenUnneeded=yes for
user-runtime-dir@.service, and track users' `started` and `stopping` state
based on that when user@.service is not needed. Then, for every invocation
of user_start(), we'll recheck if we need the service manager and start it
if so.

Also, the dependency type on user-runtime-dir@.service from user@.service
is upgraded to `BindsTo=`, in order to ensure that when logind stops the
former, the latter is stopped as well.
2024-02-15 19:23:44 +08:00
Luca Boccassi
b0d3095fd6 Drop split-usr and unmerged-usr support
As previously announced, execute order 66:

https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

The meson options split-usr, rootlibdir and rootprefix become no-ops
that print a warning if they are set to anything other than the
default values. We can remove them in a future release.
2023-07-28 19:34:03 +01:00
Lennart Poettering
3975e3f8ae units: make system service manager create init.scope subcgroup for user service manager
This one is basically for free, since the service manager is already
prepared for being invoked in init.scope. Hence let's start it in the
right cgroup right-away.
2023-04-27 12:18:32 +02:00
Daan De Meyer
cafd2c0be4 units: Order user@.service after systemd-oomd.service
The user manager connects to oomd over varlink. Currently, during
shutdown, if oomd is stopped before any user manager, the user
manager will try to reconnect to the socket, leading to a warning
from pid 1 about a conflicting transaction.

Let's fix this by ordering user@.service after systemd-oomd.service,
so that user sessions are stopped before systemd-oomd is stopped,
which makes sure that the user sessions won't try to start oomd via
its socket after systemd-oomd is stopped.
2023-03-18 15:05:43 +09:00
Lennart Poettering
9d03637404 units: let systemd --user manage its own memory pressure handling
Let's make things systematic: the per-user and the per-system manager
should manage their own memory pressure, as they are, well, managers of
things.

This is particularly relevant and the per-user service manager should
watch its own "init.scope" subcgroup, instead of the main service unit
cgroup, and hence $MEMORY_PRESSURE_WATCH as set by the per-system
service manager would simply be wrong.
2023-03-01 09:43:24 +01:00
Zbigniew Jędrzejewski-Szmek
e4c7b5f517 core: split system/user job timeouts and make them configurable
Config options are -Ddefault-timeout-sec= and -Ddefault-user-timeout-sec=.
Existing -Dupdate-helper-user-timeout= is renamed to -Dupdate-helper-user-timeout-sec=
for consistency. All three options take an integer value in seconds. The
renaming and type-change of the option is a small compat break, but it's just
at compile time and result in a clear error message. I also doubt that anyone was
actually using the option.

This commit separates the user manager timeouts, but keeps them unchanged at 90 s.
The timeout for the user manager is set to 4/3*user-timeout, which means that it
is still 120 s.

Fedora wants to experiment with lower timeouts, but doing this via a patch would
be annoying and more work than necessary. Let's make this easy to configure.
2023-02-01 11:52:29 +00:00
Lennart Poettering
dd0ab174c3 pid1: make sure we send our calling service manager RELOADING=1 when reloading
And send READY=1 again when we are done with it.

We do this not only for "daemon-reload" but also for "daemon-reexec" and
"switch-root", since from the perspective of an encapsulating service
manager these three operations are not that different.
2023-01-10 18:28:38 +01:00
Franck Bui
278e815bfa logind: don't delay login for root even if systemd-user-sessions.service is not activated yet
If for any reason something goes wrong during the boot process (most likely due
to a network issue), system admins should be allowed to log in to the system to
debug the problem. However due to the login session barrier enforced by
systemd-user-sessions.service for all users, logins for root will be delayed
until a (dbus) timeout expires. Beside being confusing, it's not a nice user
experience to wait for an indefinite period of time (no message is shown) this
and also suggests that something went wrong in the background.

The reason of this delay is due to the fact that all units involved in the
creation of a user session are ordered after systemd-user-sessions.service,
which is subject to network issues. If root needs to log in at that time,
logind is requested to create a new session (via pam_systemd), which ultimately
ends up waiting for systemd-user-session.service to be activated. This has the
bad side effect to block login for root until the dbus call done by pam_systemd
times out and the PAM stack proceeds anyways.

To solve this problem, this patch orders the session scope units and the user
instances only after systemd-user-sessions.service for unprivileged users only.
2022-07-12 22:54:39 +01:00
Zbigniew Jędrzejewski-Szmek
b8df7f8629 user: delegate cpu controller, assign weights to user slices
So far we didn't enable the cpu controller because of overhead of the
accounting. If I'm reading things correctly, delegation was enabled for a while
for the units with user and pam context set, i.e. for user@.service too.
a931ad47a8 added the explicit Delegate=yes|no
switch, but it was initially set to 'yes'.
acc8059129 disabled delegation for user@.service
with the justication that CPU accounting is expensive, but half a year later
a88c5b8ac4 changed DefaultCPUAccounting=yes for
kernels >=4.15 with the justification that CPU accounting is inexpensive there.

In my (very noncomprehensive) testing, I don't see a measurable overhead if the
cpu controller is enabled for user slices. I tried some repeated compilations,
and there is was no statistical difference, but the noise level was fairly
high. Maybe better benchmarking would reveal a difference.

The goal of this change is very simple: currently all of the user session,
including services like the display server and pipewire are under user@.service.
This means that when e.g. a compilation job is started in the session's
app.slice, the processes in session.slice compete for CPU and can be starved.
In particular, audio starts to stutter, etc. With CPU controller enabled,
I can start start 'ninja -C build -j40' in a tab and this doesn't have any
noticable effect on audio.

I don't think the particular values matter too much: the CPU controller is
work-convserving, and presumably the session slice would never need more than
e.g. one 1 full CPU, i.e. half or a quarter of available CPU resources on even
the smallest of today's machines. app.slice and session.slice are assigned
equal weights, background.slice is assigned a smaller fraction. CPUWeight=100
is the default, but I wrote it explicitly to make it easier for users to see
how the split is done. So effectively this should result in session.slice
getting as much power as it needs.

If if turns out that this does have a noticable overhead, we could make it
opt-in. But I think that the benefit to usability is important enough to enable
it by default. W/o something like this the session is not really usable with
background tasks.
2022-07-05 14:40:01 +02:00
Lennart Poettering
ce7de0ba8e units: run user service managers at OOM score adjustment 100
Let's make it slightly more likely that a per-user service manager is
killed than any system service. We use a conservative 100 (from a range
that goes all the way to 1000).

Replaces: #17426

Together with the previous commit this means: system manager and system
services are placed at OOM score adjustment 0 (specifically: they
inherit kernel default of 0). User service manager (both for root and
non-root) are placed at 100. User services for non-root are placed at
200, those for root inherit 100.

Note that processes forked off the user *sessions* (i.e. not forked off
the per-user service manager) remain at 0 (e.g. the shell process
created by a tty or ssh login). This probably should be
addressed too one day (maybe in pam_systemd?), but is not covered here.
2021-10-04 16:27:10 +02:00
Zbigniew Jędrzejewski-Szmek
059cc610b7 meson: use jinja2 for unit templates
We don't need two (and half) templating systems anymore, yay!

I'm keeping the changes minimal, to make the diff manageable. Some enhancements
due to a better templating system might be possible in the future.

For handling of '## ' — see the next commit.
2021-05-19 10:24:43 +09:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
Zbigniew Jędrzejewski-Szmek
a3558e7952 units: do not ignore return value from systemd --user
This minus has been there since the unit was added in
d42d27ead9. I think the idea was not cause things
to fail if the user instance doesn't work. But ignoring the return value
doesn't seem to be the right way to approach the problem. In particular, if
the program fails to run, we'll get a bogus fail state, see
https://bugzilla.redhat.com/show_bug.cgi?id=1727895#c1:

with the minus:
$ systemctl start user@1002
Job for user@1002.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status user@1002.service" and "journalctl -xe" for details.

without the minus:
$ systemctl start user@1002
Job for user@1002.service failed because the control process exited with error code.
See "systemctl status user@1002.service" and "journalctl -xe" for details.
2020-03-05 04:49:37 +09:00
Lennart Poettering
928df2c251 units: turn off keyring handling for user@.service
This service uses PAM anyway, hence let pam_keyring set things up for
us. Moreover, this way we ensure that the invocation ID is not set for
this service as key, and thus can't confuse the user service's
invocation ID.

Fixes: #11649
2019-03-19 10:58:20 +01:00
Thomas Blume
8c1f04352b user@.service: don't kill user manager at runlevel switch
Loggin in as root user and then switching the runlevel results in a
stop of the user manager, even though the user ist still logged in.
That leaves a broken user session.

Adding "IgnoreOnIsolate=true" to user@.service fixes this.
2018-09-13 12:18:27 +02:00
Lennart Poettering
e5b3ace969 units: make sure user@.service runs with dbus still up
Fixes: #9565
2018-07-25 14:12:09 +02:00
Zbigniew Jędrzejewski-Szmek
a99655b052 man: add a description of user@.service, user-runtime-dir@.service, user-*.slice
Fixes #9590.
2018-07-20 16:57:50 +02:00
Zbigniew Jędrzejewski-Szmek
a9f0f5e501 logind: split %t directory creation to a helper unit
Unfortunately this needs a new binary to do the mount because there's just
too many special steps to outsource this to systemd-mount:
- EPERM needs to be treated specially
- UserRuntimeDir= setting must be obeyed
- SELinux label must be adjusted

This allows user@.service to be started independently of logind.
So 'systemctl start user@nnn' will start the user manager for user nnn.
Logind will start it too when the user logs in, and will stop it (unless
lingering is enabled) when the user logs out.

Fixes #7339.
2018-04-25 16:20:28 +02:00
Franck Bui
acc8059129 units: delegate "memory" instead of "cpu" by default for user instances (#8320)
CPU accounting has a too bad impact on performance to be enabled by
default. Therefore we should not delegate "cpu" for now.

OTOH since commit e0c46a7364, memory accounting
has been turned on for all units by default so it makes sense to delegate this
controller by default.
2018-03-01 10:58:03 +01:00
Lennart Poettering
5dfcaaaf11 units: delegate only "cpu" and "pids" controllers by default (#7564)
Now that we can configure which controllers to delegate precisely, let's
limit wht we delegate to the user session: only "cpu" and "pids" as a
minimal baseline.

Fixes: #1715
2017-12-07 08:48:08 +01:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Yu Watanabe
4429c69f8d units: do not perform m4 if not necessary (#6575) 2017-08-09 09:13:41 -04:00
Przemyslaw Kedzierski
dd5ae4c36c bus-proxy: cloning smack label
When dbus client connects to systemd-bus-proxyd through
Unix domain socket proxy takes client's smack label and sets for itself.

It is done before and independent of dropping privileges.

The reason of such soluton is fact that tests of access rights
performed by lsm may take place inside kernel, not only
in userspace of recipient of message.

The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label.

In case of systemd running in system mode, CAP_MAC_ADMIN
should be added to CapabilityBoundingSet in service file of bus-proxyd.

In case of systemd running in user mode ('systemd --user')
it can be achieved by addition
Capabilities=cap_mac_admin=i and SecureBits=keep-caps
to user@.service file
and setting cap_mac_admin+ei on bus-proxyd binary.
2014-12-09 18:23:24 +01:00
Lennart Poettering
a931ad47a8 core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies
For priviliged units this resource control property ensures that the
processes have all controllers systemd manages enabled.

For unpriviliged services (those with User= set) this ensures that
access rights to the service cgroup is granted to the user in question,
to create further subgroups. Note that this only applies to the
name=systemd hierarchy though, as access to other controllers is not
safe for unpriviliged processes.

Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.

Delegate=yes should also be set for user@.service, so that systemd
--user can run, controlling its own cgroup tree.

This commit changes machined, systemd-nspawn@.service and user@.service
to set this boolean, in order to ensure that container management will
just work, and the user systemd instance can run fine.
2014-11-05 18:49:14 +01:00
Lennart Poettering
58ea275a68 core: introduce new KillMode=mixed which sends SIGTERM only to the main process, but SIGKILL to all daemon processes
This should fix some race with terminating systemd --user, where the
system systemd instance might race against the user systemd instance
when sending SIGTERM.
2014-01-29 13:42:06 +01:00
Zbigniew Jędrzejewski-Szmek
d8160f21fd Improve messages about user mode a bit 2014-01-08 22:15:27 -05:00
Kay Sievers
8b255ecd99 pam_systemd: export DBUS_SESSION_BUS_ADDRESS 2014-01-08 18:11:37 +08:00
Zbigniew Jędrzejewski-Szmek
4acbce7979 build-sys: fix generation of user@.service 2013-12-27 12:12:41 -05:00
Mantas Mikulėnas
3dc9f55d6e units: user@.service: fix user bus path 2013-12-27 12:12:41 -05:00
Zbigniew Jędrzejewski-Szmek
59fccd8211 execute.c: always set $SHELL
In e6dca81 $SHELL was added to user@.service. Let's
instead provide it to all units which have a user.
2013-10-02 22:23:56 +02:00
Evan Callicoat
e6dca81441 units: Add SHELL environment variable
With the advent of systemd --user sessions, it's become very interesting to spawn X as a user unit, as well as accompanying processes that may have previously been in a .xinitrc/.xsession, or even just to replace a collection of XDG/GDM/KDM/etc session files with independent systemd --user units. The simplest case here would be to login on a tty, with the traditional /usr/sbin/login "login manager".

However, systemd --user (spawned by user@.service) is at the top level of the slice for the user, and does not inherit any environment variables from the login process. Given the number of common applications which rely on SHELL being set in the environment, it seems like the cleanest way to provide this variable is to set it to %s in the user@.service.

Ideally in the long-term, applications which rely on SHELL being set should be fixed to just grab it from getpwnam() or similar, but until that becomes more common, I propose this simple change to make user sessions a little bit nicer out of the box.
2013-10-01 04:17:31 +02:00
Zbigniew Jędrzejewski-Szmek
5c390a4ae0 Add pam configuration to allow user sessions to work out of the box
systemd-logind will start user@.service. user@.service unit uses
PAM with service name 'systemd-user' to perform account and session
managment tasks. Previously, the name was 'systemd-shared', it is
now changed to 'systemd-user'.

Most PAM installations use one common setup for different callers.
Based on a quick poll, distributions fall into two camps: those that
have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia,
Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE).
Distributions that have system-auth have just one configuration file
that contains auth, password, account, and session blocks, and
distributions that have common-auth also have common-session,
common-password, and common-account. It is thus impossible to use one
configuration file which would work for everybody. systemd-user now
refers to system-auth, because it seems that the approach with one
file is more popular and also easier, so let's follow that.
2013-09-11 15:35:06 -04:00
Lennart Poettering
4c5420a0c1 units: since we auto-spawn user@.service instances now we don need an [Install] section in it 2013-07-11 01:57:09 +02:00
Lennart Poettering
fb6becb443 logind: port over to use scopes+slices for all cgroup stuff
In order to prepare things for the single-writer cgroup scheme, let's
make logind use systemd's own primitives for cgroup management.

Every login user now gets his own private slice unit, in which his sessions
live in a scope unit each. Also, add user@$UID.service to the same
slice, and implicitly start it on first login.
2013-07-02 01:48:55 +02:00
Auke Kok
9541fe6adf systemctl does not expand %u, so revert back to %I
The description field is only displayed by systemctl, and
it can't expand %u properly (it will always display "root").
2013-05-09 09:39:15 -07:00
Lennart Poettering
a34cb32e54 units: update user@.service to reflect new user cgroup paths 2013-04-23 16:00:32 -03:00
Auke Kok
3abcb6aced Update user session unit template.
While most folks will be using the derivative from user-session-units,
I'm updating this one to reflect some of the fixes and things to note
about user sessions:

- cgroup should be set with "%u" - username instead of %I
- set dbus path with %U explicitly too
- hint to folks that wish to use MEM_CG features in user sessions
- allow unit to be enabled for instances with systemctl enable
2013-03-22 21:43:31 -07:00
Lennart Poettering
5430f7f2bc relicense to LGPLv2.1 (with exceptions)
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.

Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.

The bits that used to be MIT continue to be MIT.

The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends.
2012-04-12 00:24:39 +02:00
Kay Sievers
e0d25329b2 move /usr/bin/systemd to /usr/lib/systemd/systemd 2012-02-08 00:08:10 +01:00
Lennart Poettering
bde7f90721 logind: temporarily hack right user bus address into unit file 2011-07-01 22:36:15 +02:00
Lennart Poettering
d42d27ead9 logind: add service for per-user shared systemd daemon 2011-06-30 02:18:01 +02:00