1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-31 07:51:21 +03:00
Commit Graph

54058 Commits

Author SHA1 Message Date
Yu Watanabe
01b4e90f32 sd-dhcp6-client: request IA_PD by default
For consistency with 0f5ef9b62a.
2021-11-01 10:02:50 +09:00
Yu Watanabe
5e82251913 sd-dhcp6-client: always set suitable ARP type
Also, drops unnecessary comparisons.
2021-11-01 09:51:52 +09:00
Topi Miettinen
2ad2925de5 execute: respect selinux_context_ignore
When `SELinuxContext=` parameter is prefixed with `-`, the documentation states
that any errors determining or changing context should be ignored, but this
doesn't actually happen and the service may fail with `229/SELINUX_CONTEXT`.

Fix by adding checks to `context->selinux_context_ignore`.

Closes: #21057
2021-11-01 08:28:41 +09:00
Daan De Meyer
6b64d74091 mkosi: Install less in the mkosi Fedora image
We're actually falling back to `more` in the mkosi image which doesn't
behave quite the same as less which is somewhat annoying. Let's make
sure `less` is installed so systemd can use it as the pager.
2021-10-30 11:53:49 +01:00
Yu Watanabe
6db9b30066
Merge pull request #21175 from tohojo/dhcp-server-expire
sd-dhcp-server: clear out expired leases when finding new address
2021-10-30 04:13:40 +09:00
Yu Watanabe
43b7a806df
Merge pull request #21180 from yuwata/libsystemd-network-cleanups
libsystemd-network: drop unused functions, and _public_ attribute
2021-10-30 01:18:28 +09:00
Toke Høiland-Jørgensen
cb3c06a02e sd-dhcp-server: fix address availability checks
The checks for finding a new available address in the pool were broken in two
ways: not using UINT32_TO_PTR() on hashmap lookups resulted in false negatives,
and the check wasn't skipping the server address if that was part of the pool.

Move the check for available addresses to a small helper function and fix both
issues, and also add a check to the REQUEST code for the server address.
2021-10-29 15:29:05 +02:00
Toke Høiland-Jørgensen
d635a7f9e4 sd-dhcp-server: clear out expired leases when processing requests
The DHCP server configuration supports setting a maximum lease time, but old
leases are never actually cleared out if the client doesn't send a RELEASE.
This causes the pool to run out of addresses on networks where clients just
disappear, which is a fairly common occurrence on wireless networks.

Fix this by cleaning up expired leases before processing client requests, so
addresses can be reused for new clients.
2021-10-29 15:29:05 +02:00
Yu Watanabe
17347053cf libsystemd-network: drop _public_ attribute
No function in libsystemd-network is exposed yet.
2021-10-29 22:13:23 +09:00
Yu Watanabe
41521417ab sd-radv: fix implicit conversion to boolean 2021-10-29 22:10:43 +09:00
Yu Watanabe
9661d2e80c sd-ndisc: drop unused functions
All received information is stored in sd_ndisc_router, and we have
sd_ndisc_router_get_mtu() and sd_ndisc_router_get_hop_limit().
2021-10-29 22:05:27 +09:00
Yu Watanabe
cb4aae6341 home: fix use of uninitialized value
Fixes CID#1465077.
2021-10-29 21:51:44 +09:00
Lennart Poettering
a27c229c15
Merge pull request #21172 from poettering/fix-systemctl-cgroup-tree
fix "sytemctl status" cgroup tree output
2021-10-29 09:17:43 +02:00
Lennart Poettering
30f194001f homework,repart: turn on cryptsetup logging before we have a context
Otherwise we'll miss the log message from allocation of the context. We
already made this change in most of our tools that interface with
libcryptsetup, but we forgot two.

As suggested:

https://github.com/systemd/systemd/pull/21135#discussion_r738287504
2021-10-29 09:16:59 +02:00
Lennart Poettering
07bca16fc8 nspawn: make sure to chown() implicit source dirs for --bind= to container root UID
This makes sure that a switch like --bind=:/foo does the right thing if
user namespacing is one: the backing dir should be owned by the
container's root UID not the host's. Thus, whenever the source path is
left empty and we automatically generate a source dir as temporary
directory, ensure it's owned by the right UID.

Fixes: #20869
2021-10-29 09:16:34 +02:00
Yu Watanabe
d36a343c52
Merge pull request #21163 from poettering/scope-no-pid
pid1: fail scope unit activation if all PIDs to add already died
2021-10-29 16:14:51 +09:00
Lennart Poettering
ff8b7bd6a0
Merge pull request #20321 from bluca/state_dir_symlink
core: add [State|Runtime|Cache|Logs]DirectorySymlink
2021-10-28 20:52:56 +02:00
Lennart Poettering
16d41892c3
Merge pull request #20609 from DaanDeMeyer/recursive-template
core: Try to prevent infinite recursive template instantiation
2021-10-28 19:23:17 +02:00
Andreas Valder
c0c8f71800 nspawn: add filesystem id mapping support to --bind and --bind-ro 2021-10-28 19:19:22 +02:00
Lennart Poettering
5433d425b4
Merge pull request #21135 from poettering/homed-uidmap
homed: make use of uidmap'ped mounts for avoiding recursive chown()
2021-10-28 19:18:18 +02:00
Lennart Poettering
22d0f9a7d8 systemctl: make dbus PID cgroup tree output look more like systemd-cgls
Let's add the same dash of color (well, grey, …) to the dbus-based
pid/cgroup tree output as systemd-cgls has.
2021-10-28 18:54:52 +02:00
Lennart Poettering
038cae098b systemctl: make sure "systemctl -M status" shows cgroup tree of container not host
This shows the cgroup tree of the root slice of the container now, by
querying the cgroup pid tree via the bus instead of going directly to
the cgroupfs.

A fallback is kept for really old systemd versions where querying the
PID tree was not available.

Fixes: #20958
2021-10-28 18:53:46 +02:00
Lennart Poettering
35ac0260db systemctl: only fall back to local cgroup display if we talk to local systemd
Otherwise we likely show rubbish because even in local containers we
nowadays have cgroup namespacing, hence we likely can't access the
cgroup tree from the host at the same place as inside the container.
2021-10-28 18:35:18 +02:00
Lennart Poettering
a0dde733ac systemctl: use LESS_BY where appropriate 2021-10-28 16:43:27 +02:00
Lennart Poettering
27ba2ad2f6 systemctl: use empty_to_root() where appropriate 2021-10-28 16:42:22 +02:00
Lennart Poettering
5e1b4929f5 systemctl: suppress second argument of ternary op where we can 2021-10-28 16:41:16 +02:00
Lennart Poettering
a21e88d476 docs: document what integer range we expect from JSON parsers 2021-10-28 14:15:46 +01:00
Christian Göttsche
e3a0a862f6 core: correct SELinux label of service credential directory
Label the service root credential directory so write_credential() will
create entries with the label of their parent directory.

Resolves: #21134
2021-10-28 20:55:37 +09:00
Tony Asleson
f4ae986649 integritysetup: Check args to prevent assert
The utility function parse_integrity_options is used to both validate
integritytab options or validate and return values.  In the case where
we are validating only and we have specific value options we will
assert.
2021-10-28 20:54:41 +09:00
Benjamin Herrenschmidt
d6eda677b3 udev: net_id: introduce predictable names for xen-netfront
Those devices show up as /sys/devices/vif-N, let's use that number
to name them enXN.

Without this, all schemes fail and they keep the kernel names, which can
be racy.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2021-10-28 13:09:00 +02:00
Daan De Meyer
88022148c4 core: Try to prevent infinite recursive template instantiation
To prevent situations like in #17602 from happening, let's drop
direct recursive template dependencies. These will almost certainly
lead to infinite recursion so let's drop them immediately to avoid
instantiating potentially thousands of irrelevant units.

Example of a template that would lead to infinite recursion which
is caught by this check:

notify@.service:

```
[Unit]
Wants=notify@%n.service
```
2021-10-28 11:42:21 +01:00
Luca Boccassi
ac33cf9282
Merge pull request #21167 from poettering/various-doc-tweaks
Four documentation tweaks
2021-10-28 11:12:09 +01:00
Luca Boccassi
211a3d87fb core: add [State|Runtime|Cache|Logs]Directory symlink as second parameter
When combined with a tmpfs on /run or /var/lib, allows to create
arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory.
This is especially useful when sharing these directories between
different services, to make the same state/runtime directory 'backend'
appear as different names to each service, so that they can be added/removed
to a sharing agreement transparently, without code changes.

An example (simplified, but real) use case:

foo.service:
StateDirectory=foo

bar.service:
StateDirectory=bar

foo.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:foo

bar.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:bar

foo and bar use respectively /var/lib/foo and /var/lib/bar. Then
the orchestration layer decides to stop this sharing, the drop-in
can be removed. The services won't need any update and will keep
working and being able to store state, transparently.

To keep backward compatibility, new DBUS messages are added.
2021-10-28 10:47:46 +01:00
Lennart Poettering
c896eb7ad6 man: document that daemons can close fds they receive via sd_listen_fds() if they like
Fixes: #18872
2021-10-28 11:05:22 +02:00
Lennart Poettering
1d69754988 man: document how nss-resolve and systemd-resolved communicate
Fixes: #20925
2021-10-28 10:53:55 +02:00
Lennart Poettering
c04358ce84 docs: document $PASSWORD in ENVIRONMENT.md
Fixes: #20955
2021-10-28 10:51:12 +02:00
Lennart Poettering
7ea5e82f6a man: clarify the situation of unit templates regarding "systemctl list-units" + "systemctl list-unit-files"
Fixes: #21075
2021-10-28 10:45:02 +02:00
Lennart Poettering
cc4cbe49ce update TODO 2021-10-28 08:17:46 +02:00
Lennart Poettering
1147c538bb homework: teach luks backend uid mapping
This teachs the LUKS backend UID mapping, similar to the existing
logic for the "directory", "subvolume" and "fscrypt" backends: the files
will be owned by "nobody" on the fs itself, but will be mapped to
logging in user via uidmapped mounts.

This way LUKS home dirs become truly portable: no local UID info will
leak onto the images anymore, and the need to recursively chown them on
activation goes away. This means activation is always as performant as
it should be.
2021-10-28 08:17:46 +02:00
Lennart Poettering
a2bc39786a homework: also move to using .image_fd field of HomeSetup in home_create_luks()
One last resource we can manage with HomeSetup, instead of doing that
manually.
2021-10-28 08:17:46 +02:00
Lennart Poettering
ebcdfc79ab homework: get rid of manual error path in home_create_luks()
Now that all objects we need to destroy are managed by the HomeSetup
object we can drop our manual destruction path and just use the normal
clean-up logic implemented for HomeSetup anyway. More unification, yay!
2021-10-28 08:17:46 +02:00
Lennart Poettering
32dda527d8 homework: move destruction of temporary image file into HomeSetup
Let's simplify things further a bit and move the destruction of the
temporary image file we operate on when creating a LUKS home into
HomeSetup, like all our other resources.
2021-10-28 08:17:46 +02:00
Lennart Poettering
d33f024100 homework: get rid of manual clean up path in home_setup_luks()
Now that we stored all our different objects inside the HomeSetup
structure, we can get rid of our manual clean-up path, since
home_setup_done() will clean up everything stored therein anyway, in the
right order.

This is the main reason we moved everything into HomeSetup in the
previous commits: so that we can share clean-up paths for these objects
with everything else.
2021-10-28 08:17:46 +02:00
Lennart Poettering
80ffbbfbfb homework: move image_fd field in home_setup_luks() also into HomeSetup
Let's unify even more codepaths, and let's reuse the .image_fd field we
already maintain.
2021-10-28 08:17:46 +02:00
Lennart Poettering
ae4d05f649 homework: rework home_setup_luks() to store its root_fd also in HomeSetup 2021-10-28 08:17:46 +02:00
Lennart Poettering
c00b2ddc6e homework: always pass HomeSetup param first, PasswordCache second
Some of our operations did it one way, most the other. Let's unify on
the order that is more popular.
2021-10-28 08:17:46 +02:00
Lennart Poettering
a70e0ad764 homework: replace homegrown syncfs_path() reimplementation by syncfs_path() 2021-10-28 08:17:46 +02:00
Lennart Poettering
a23cf7f4c7 homework: unify similar code for opening existing LUKS DM devices
Let's introduce a new helper acquire_open_luks_device() that combines a
few steps we keep doing at three places into one.
2021-10-28 08:17:46 +02:00
Lennart Poettering
e4d1e79bc5 homework: move all LoopDevice handling into HomeSetup too
Similar story as with the DM objects: let's maintain it all as part of
HomeSetup. We do that for  part of the operations already, let's unify
that.
2021-10-28 08:17:46 +02:00
Lennart Poettering
f7800049eb homework: move all DM detachment/freeing into HomeSetup
We actually already detach/free the LUKS DM devices for most operations
via HomeSetup, let's move the creation logic to also do this, in order
to unify behaviour between operations.
2021-10-28 08:17:46 +02:00