1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

8980 Commits

Author SHA1 Message Date
Adrian Vovk
57ada07e7a
sysupdate: Track incompletely-installed versions
When enumerating what versions exist for a given target, sysupdate would
completely throw out any version that's incomplete (where some of the
transfers in the target have that version installed or available, and
other transfers do not).

If we're trying to find what versions we can offer for download, this is
great behavior. If the server side is advertising a partial update to
download, we shouldn't present it to the user.

On the other hand, if we're enumerating what versions we have currently
installed, this is a bad behavior. It makes sysupdate fragile. For
example, if a sysext introduces a new .conf file into
/usr/lib/sysupdate.d, suddenly the currently-installed OS stops being a
version that we've enumerated. Since it's not enumerated, it's not
protected, and so sysupdate will wipe the booted OS.

So if we're looking for installed versions, we now loosen the
restrictions and enumerate incomplete installations.

Partial fix for https://github.com/systemd/systemd/issues/33339
2024-08-22 16:00:45 -04:00
Adrian Vovk
0402bf682f
sysupdate: Check that --instances-max is in bounds
Otherwise user can pass in --instances-max=0 and crash sysupdate with an
assertion failure.
2024-08-22 16:00:44 -04:00
Mike Yuan
1aeea8a60a
logind: DesignatedMaintenanceTime is added in v257 and constant
Follow-up for 0e10c3d872

Addresses https://github.com/systemd/systemd/pull/25049#discussion_r1647513862
2024-08-22 20:06:31 +02:00
Lennart Poettering
d1b04f47e3 man: document .membership files that nss-systemd processes
This has been a glaring omission the docs: when people create
.user/.group/.user-privileged/.group-privileged drop-in files, they
should also create matching .membership files.
2024-08-22 15:16:00 +02:00
Yu Watanabe
80c9c81779
Merge pull request #34051 from rpigott/resolved-demote-fallback
resolved: demote only the fallback servers in the global scope
2024-08-22 20:21:33 +09:00
Adrian Vovk
d470a6c227
sysupdate: man: Cleanup sections about flags 2024-08-21 22:40:18 -04:00
Adrian Vovk
e0081f18a0
sysupdated: Fixup redundant constant name
SD_ stands for systemd, so SD_SYSTEMD_* is SYSTEMD_SYSTEMD_*
2024-08-21 22:33:16 -04:00
Adrian Vovk
38d7b8d3ff
Merge pull request #32363 from CodethinkLabs/sysupdate-dbus
sysupdate: Implement dbus service
2024-08-21 15:35:34 -04:00
Yu Watanabe
2ddf5bdece
Merge pull request #34053 from YHNdnzj/follow-ups
Two follow-ups for recent PRs
2024-08-22 04:34:11 +09:00
A. Wilcox
b9d326c568 man: Ensure notify example includes <string.h>
This ensures that memcpy and strerror are defined.  This is especially
important with GCC 14 as implicit function declarations are now an error.
2024-08-22 04:26:32 +09:00
Ronan Pigott
d229e282d6 resolved: demote the fallback dns servers
This softens the behavior originally introduced in eded61e410 to apply
only to the fallback dns servers.

The intent is that the global FallbackDNS (instead of DNS) can now be
used in conjunction with the per-link dns, providing a fallback behavior
without introducing a scope overlap.

References: eded61e410 (resolved: demote the global unicast scope, 2024-08-19)
2024-08-21 10:27:07 -07:00
Daan De Meyer
148b16cb2a
Merge pull request #33498 from DaanDeMeyer/btrfs
repart: Allow Subvolumes= when running offline
2024-08-21 17:19:09 +02:00
Ronan Pigott
bebec88653 Revert "resolved: demote the global unicast scope"
This commit may have been a breaking change for sd-resolved foreign
resolv.conf mode, where a legacy network management daemon directly
modifies resolv.conf and sd-resolved consumes that.

This reverts commit eded61e410.
2024-08-21 06:59:22 -07:00
Mike Yuan
988ca0953e
man: use standard-options for --no-ask-password everywhere 2024-08-21 15:17:02 +02:00
Luca Boccassi
bdf75118ba
Merge pull request #34049 from yuwata/network-routing-policy-rule
network: further rework for routing policy rule
2024-08-21 12:46:37 +02:00
Daan De Meyer
eca3d07dd1 repart: Allow Subvolumes= and DefaultSubvolume= when running offline
mkfs.btrfs has recently learned new options --subvol and --default-subvol
so let's stop failing when Subvolumes= and DefaultSubvolume= are used offline
and use the new --subvol and --default-subvol options instead to create subvolumes
in the generated root filesystem without root privileges or loop devices.
2024-08-21 11:29:47 +02:00
Adrian Vovk
ec15bb71c2
sysupdate: Implement updatectl
This is the command-line tool to manage systemd-sysudpated

Co-authored-by: Tom Coldrick <thomas.coldrick@codethink.co.uk>
Co-authored-by: Abderrahim Kitouni <abderrahim.kitouni@codethink.co.uk>
2024-08-21 09:31:41 +01:00
Adrian Vovk
bf2c741fd7
sysupdate: Implement systemd-sysupdated dbus service
Co-authored-by: Tom Coldrick <thomas.coldrick@codethink.co.uk>
Co-authored-by: Abderrahim Kitouni <abderrahim.kitouni@codethink.co.uk>
2024-08-21 09:31:41 +01:00
Yu Watanabe
ac1d8aa5bc network/routing-policy-rule: support all known type of rule
This also adds GoTo= to specify the target priority of goto rule.

Note, table was the default but could not be specified in Type=.
2024-08-20 21:02:31 +09:00
Yu Watanabe
489671d225 network/address-label: allow to configure IPv6 address label in networkd.conf
Closes #23159.
2024-08-20 20:50:56 +09:00
Lennart Poettering
8915e4aef5 man: fix ID_NET_LABEL_ONBOARD= documentation
We do not prefix the field with anything, since
8c053c83ae.
2024-08-20 20:30:39 +09:00
Luca Boccassi
a8d1f9da55
Merge pull request #34009 from yuwata/network-resolve-polkit
network,resolve: support interactive authentication
2024-08-20 12:14:03 +02:00
Luca Boccassi
a16079fccc
Merge pull request #34014 from yuwata/network-ip-masquerade
network: make IPMasquerade= imply global IP forwarding settings again
2024-08-20 11:59:30 +02:00
Ronan Pigott
eded61e410 resolved: demote the global unicast scope
This will greatly reduce the number of cases where the global unicast
scope overlaps with link scopes configured as default-route, making it
feasible to use the global DNS setting in conjunction with per-link dns
servers configured by the network.

This change is preferred over demoting links to default-route=no where
the user prefers to use the network provided DNS servers, and I expect
it is non-disruptive in that it should not degrade the efficacy of any
existing configuration.
2024-08-20 11:45:22 +02:00
Yu Watanabe
5703301ada resolvectl: introduce --no-ask-password option 2024-08-19 11:36:22 +09:00
Yu Watanabe
21f31f23cc networkctl: introduce --no-ask-password option 2024-08-19 11:28:22 +09:00
Yu Watanabe
6e4918a944 analyze: introduce --instance= option to control instance name for template units
Note, `systemd-analyze foo@.service --instance=hoge` is equivalent to
`systemd-analyze foo@hoge.service`. But, the option may be useful when
e.g. passing multiple template units that have restriction on their
instance name:
```
$ ls
template_aaa@.service   template_bbb@.service   template_ccc@.service
$ systemd-analyze ./template_* --instance=hoge
```
Without the option, we need to embed an instance name into each unit
name, so cannot use globs.

Prompted by #33681.
2024-08-19 04:29:23 +09:00
Yu Watanabe
4bf1a2c383 network/wireguard: introduce [WireGuardPeer] PublicKeyFile=
Similar to PresharedKeyFile=, but for public key.

Closes #34012.
2024-08-17 01:58:02 +09:00
Yu Watanabe
0b695febb2 network: make IPMasquerade= imply global IP forwarding settings again
After 3976c43092 (#31423), IPMasquerade=
implies only per-interface IP forwarding. That means, nspawn users need
to manually enable IPv4/IPv6Forwarding= in networkd.conf when
--network-veth or friend is used. Even the change was announced in NEWS,
the change itself breaks backward compatibility and extremely reduces
usability.

Let's make the setting imply the global setting again.

Fixes #34010.
2024-08-17 00:13:06 +09:00
Matthias Schiffer
24c2e04e9a udev-builtin-net_id: add NAMING_DEVICETREE_PORT_ALIASES to check of_node of netdevs before their parents
The net_id builtin only checked the of_node of a netdev's parent device,
not that of the netdev itself. While it is common that netdevs don't have
an OF node assigned themselves, as they are derived from some parent
device, this is not always the case. In particular when a single
controller provides multiple ports that can be referenced indiviually in
the Device Tree (both for aliases/MAC address assignment and phandle
references), the correct of_node will be that of the netdev itself, not
that of the parent, so it needs to be checked, too.

A new naming scheme flag NAMING_DEVICETREE_PORT_ALIASES is added to
allow selecting the new behavior.
2024-08-15 18:20:49 +02:00
Thorsten Scherer
932cc94436 repart: Fix misleading typo in GPT partition flag
Bit 60 is the one corresponding to ReadOnly, not 50.  Fix this.
2024-08-15 05:59:58 +09:00
Susant Sahani
7918894302 network: netdev - BareUDP Add support for srcportmin
Allows to configure the lowest value of the UDP tunnel source port range.
2024-08-14 23:18:20 +05:30
James Muir
c5903cde63 man/systemd-sysusers, man/systemd-tmpfiles: fix sentence fragments
add "are executed" so that those two sentences have a verb.
2024-08-13 19:27:21 +02:00
Luca Boccassi
5936b4054a
Merge pull request #33979 from YHNdnzj/edit-util-no-duplicate-strip
edit-util: a few cleanups; support networkctl edit --stdin
2024-08-13 01:48:06 +02:00
Lukas Nykryn
fe5a6c47af systemd-run: add unit and invocation_id JSON output 2024-08-12 20:19:01 +02:00
Mike Yuan
119cba7835
networkctl: support edit --stdin 2024-08-12 16:23:23 +02:00
Luca Boccassi
0dd6fe931d
Merge pull request #33961 from bluca/busctl_exit
busctl: add support for --timeout and --num-matches for monitor verb
2024-08-09 14:48:40 +02:00
Luca Boccassi
702d74b62a busctl: add --num-matches= for monitor verb
Useful in scripts when one wants to wait for a specific
signal before continuing
2024-08-09 12:12:28 +01:00
Luca Boccassi
989e843e75 busctl: add support for --timeout to monitor verb
Useful in scripts when you want to exit successfully after a certain time
2024-08-08 09:18:41 +01:00
Daan De Meyer
570a11eb9d crash-handler: Drop 10s sleep before we spawn the crash shell
It pointlessly delays getting to the crash shell so let's drop the
10s sleep.
2024-08-07 21:26:53 +02:00
Daan De Meyer
4fde35f27e
Merge pull request #33951 from DaanDeMeyer/nspawn
nspawn: Allow specifying custom init program
2024-08-07 07:32:50 +02:00
Daan De Meyer
ce2291730d nspawn: Allow specifying custom init program
This allows for example forcing to use /sbin/init instead of always
using /usr/lib/systemd/systemd if it exists. Or it allows using a
different path altogether.
2024-08-06 23:00:17 +02:00
Michal Sekletar
68511cebe5 coredump: generate properly symbolized stacktrace for containerized processes 2024-08-06 18:32:42 +02:00
Yu Watanabe
c243302ee0
Merge pull request #33941 from yuwata/network-dhcp-pd-route-type
network/dhcp-pd: introduce UnassignedSubnetPolicy= to customize type of 'catch-all' route
2024-08-06 09:11:54 +09:00
Yu Watanabe
a61869d4a5 network/dhcp-pd: allow to customize route type for delegated prefix
Closes #33929.
2024-08-06 05:24:16 +09:00
Luca Boccassi
1e0ef01439 logind: add PreparingForShutdownWithMetadata property
The PrepareForShutdownWithMetadata signal was added via
e4aab5cf1a but a corresponding property
was not. A property has to be a single type, so the bool needs to be
one of the key/value pairs as 'ba{sv}' is not a valid property.
2024-08-05 19:30:15 +02:00
rajmohan r
1592d2f900 systemd-analyze: Add svg scaling options
+ Scale the x-axis of the resulting plot by a factor (default 1.0)
+ Add activation timestamps to each bar

Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
2024-08-05 15:23:44 +02:00
Marc Reisner
2d00f4c306
sleep: add HibernateOnACPower= option (#33846)
* Add HibernateOnACPower= systemd-sleep configuration option
2024-08-05 00:01:34 +01:00
Yu Watanabe
1c0130e8dc man/net-naming-scheme: mention that NAMING_BRIDGE_MULTIFUNCTION_SLOT is reverted
Follow-up for af7417ac7b.
Closes #33596.
2024-08-03 05:58:15 +09:00
Yu Watanabe
347c8822d1 man: extend explanation for ConfigureWithoutCarrier= in systemd.network(5)
Prompted by #33702.
2024-08-03 05:57:55 +09:00
Yu Watanabe
b8db3cc373 man: fix typo
Follow-up for 7102dc52e6 and 3d689b675b.
2024-08-03 05:46:51 +09:00
Yu Watanabe
2bb72aadb8 man/net-naming-scheme: add missing period
Follow-up for 0a4ecc54cb.
2024-08-03 05:36:12 +09:00
Yu Watanabe
c7d9925396
Merge pull request #33913 from berrange/cvm-s390x
Add detection of confidential virtualization on s390x architcture
2024-08-03 05:32:39 +09:00
Daniel P. Berrangé
a8fb5d21fd man/systemd-detect-virt: list known CVM technologies
Add a section which lists the known confidential virtual machine
technologies.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2024-08-02 16:55:03 +01:00
Daniel P. Berrangé
9ffdfc67c6 man/systemd-detect-virt: fix row spanning for VM header
This fixes

  commit 9b0688f491
  Author: Yu Watanabe <watanabe.yu+github@gmail.com>
  Date:   Tue Jan 9 10:52:49 2024 +0900

    virt: add Google Compute Engine support

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2024-08-02 16:55:03 +01:00
jauge-technica
82f2a2f032
Added support for L2 BridgeMDB entries (#32894)
* Added support for L2 BridgeMDB entries
2024-08-02 16:31:20 +01:00
Yu Watanabe
40d90c9c01 localectl: introduce -l/--full option
Closes #33906.
2024-08-02 09:33:46 +02:00
Luca Boccassi
3d689b675b os-release: break RELEASE_TYPE into paragraphs and clarify about rolling stable releases
Arch and Tumbleweed do not do EOLs but are still stable, so clarify the paragraph.
Also break the entry in paragraphs, to make it more readable when rendered.
2024-08-01 20:59:20 +01:00
Luca Boccassi
67f90b0d85 os-release: change RELEASE_TYPE value from 'pre-release' to 'development'
The point was made on https://lists.debian.org/debian-ctte/2024/08/msg00005.html
that 'pre-release sounds' like an RC candidate, ie, something that will change
very slightly in the released version. But this is not necessarily the case
for example at the beginnig of a Fedora Rawhide or Debian Testing release cycle,
so change it to a more generic 'development'

Follow-up for 7102dc52e6
2024-08-01 20:36:02 +01:00
Adrian Vovk
d25a9bfa8f os-release: Introduce experiment RELEASE_TYPE
This is for experimental builds of the OS made to test some specific WIP
feature.

For example, let's say the distro in question is Asahi Linux and Apple
just released the M3 SoC. The Asahi developers will start porting to the
M3, and will quickly generate builds of Asahi Linux that can technically
boot but aren't ready for any kind of daily use. These images are marked
as experimental, and can be shared among the developers. If a user
somehow stumbles upon one of these images and tries to install it,
they'll be warned that they're about to install an experimental Apple M3
port of Asahi Linux. Eventually, once the Asahi developers think that
their M3 port is ready for a wider audience, they can merge it into the
mainline Asahi repos, where it will be distributed through the usual
nightly CI builds (where RELEASE_TYPE=pre-release; M3 support is no
longer experimental).
2024-08-01 17:22:23 +01:00
Adrian Vovk
7102dc52e6 os-release: Add RELEASE_TYPE=
This will allow GUIs to customize their behavior a little based on the
type of release.

For example, an OS installer may display a warning/disclaimer if
RELEASE_TYPE=prerelease. The software updates app might be a bit more
insistent about upgrading to the next major release if
RELEASE_TYPE=stable than if RELEASE_TYPE=lts
2024-08-01 17:22:13 +01:00
Yu Watanabe
7d3ae6b213 journalctl: add --list-invocations command and -I/--invocation options
The --list-invocations command is similar to --list-boots, but shows
invocation IDs of specified unit. This should be useful when showing
a specific invocation of a unit.

The --invocation option is similar to --boot, but takes a invocation ID
or an offset. The -I option is equivalent to --invocation=0.
2024-08-01 07:31:44 +09:00
Daan De Meyer
831f208783 core: Add support for renaming credentials with ImportCredential=
This allows for "per-instance" credentials for units. The use case
is best explained with an example. Currently all our getty units
have the following stanzas in their unit file:

"""
ImportCredential=agetty.*
ImportCredential=login.*
"""

This means that setting agetty.autologin=root as a system credential
will make every instance of our all our getty units autologin as the
root user. This prevents us from doing autologin on /dev/hvc0 while
still requiring manual login on all other ttys.

To solve the issue, we introduce support for renaming credentials with
ImportCredential=. This will allow us to add the following to e.g.
serial-getty@.service:

"""
ImportCredential=tty.serial.%I.agetty.*:agetty.
ImportCredential=tty.serial.%I.login.*:login.
"""

which for serial-getty@hvc0.service will make the service manager read
all credentials of the form "tty.serial.hvc0.agetty.xxx" and pass them
to the service in the form "agetty.xxx" (same goes for login). We can
apply the same to each of the getty units to allow setting agetty and
login credentials for individual ttys instead of globally.
2024-07-31 15:52:27 +02:00
Yu Watanabe
175cdefd33 man: suggest to enable global IPv6Forwarding= setting to make IPv6 packets forwarded
Closes #33414.
2024-07-31 09:53:18 +02:00
Yu Watanabe
dd87ad8e19 network: mention that IPv4 ACD is enabled by default for 169.254.0.0/16
Prompted by #33824.
2024-07-31 10:06:25 +09:00
Arian van Putten
a55d1b29a4
document how TimeoutStartSec= affects notify-reload (#33653)
* document how TimeoutStartSec=  affects notify-reload
2024-07-30 12:35:52 +01:00
Nick Cao
034b7dfc08
man: network: move note about L3MasterDevice to the correct section 2024-07-28 13:51:36 -04:00
Vladimir Panteleev
3f24fa57df man: clarify systemd-path variable source 2024-07-28 10:33:49 +01:00
Vladimir Panteleev
6c1e0823b0 man: improve ManagerEnvironment documentation
- Improve wording for explanation when these variables are inherited

- Clarify that these variables are not placed in the process environment block,
  so /proc/PID/environ cannot be used as a debugging tool
2024-07-28 10:33:17 +01:00
Luca Boccassi
804874d26a logind: always check for inhibitor locks
Currently inhibitors are bypassed unless an explicit request is made to
check for them, or even in that case when the requestor is root or the
same uid as the holder of the lock.

But in many cases this makes it impractical to rely on inhibitor locks.
For example, in Debian there are several convoluted and archaic
workarounds that divert systemctl/reboot to some hacky custom scripts
to try and enforce blocking accidental reboots, when it's not expected
that the requestor will remember to specify the command line option
to enable checking for active inhibitor locks.

Also in many cases one wants to ensure that locks taken by a user are
respected by actions initiated by that same user.

Change logind so that inhibitors checks are not skipped in these
cases, and systemctl so that locks are checked in order to show a
friendly error message rather than "permission denied".

Add new block-weak and delay-weak modes that keep the previous
behaviour unchanged.
2024-07-25 12:22:36 +01:00
Luca Boccassi
3bf483fc4f
Merge pull request #33727 from intelfx/work/analyze-capability-masks
analyze: capability: add support for decoding capability masks
2024-07-25 11:08:21 +01:00
Ivan Shapovalov
3e7a029c28 analyze: capability: add support for decoding capability masks
This adds support in `systemd-analyze capability` for decoding
capability masks (sets), e.g.:

```console
$ systemd-analyze capability --mask 0000000000003c00
NAME                 NUMBER
cap_net_bind_service     10
cap_net_broadcast        11
cap_net_admin            12
cap_net_raw              13
```

This is intended as a convenience tool for pretty-printing capability
values as found in e.g. `/proc/$PID/status`.
2024-07-24 17:25:47 +02:00
Zbigniew Jędrzejewski-Szmek
d202ea5754 man/systemd-repart: extend description and reword some sentences
The page was written when systemd-repart was primarily intended to be used on a
running system. But nowadays it's more often used to create images, so extend
that part of the description.

While at it, fix some whitespace issues and trim some overly complicated sentences.
2024-07-22 12:14:23 +01:00
Steve Traylen
8af38e5b04 Document that MemorySwapMax supports % configuration
Certainly on systemd 252 at least a configuration of
```
MemorySwapMax=40%
```
is supported but this was missing from the man page.
Only MemoryMax was documented as supporting a %.
2024-07-22 11:39:33 +01:00
Gregor Herburger
f379f36b11 network: bridge: add support for IFLA_BR_FDB_MAX_LEARNED
Since Linux commit ddd1ad68826d ("net: bridge: Add netlink knobs for number
/ max learned FDB entries") [1] it is possible to limit to number of
dynamically learned fdb entries per bridge.

Add support to the systemd netdev bridge for the new netlink attribute
IFLA_BR_FDB_MAX_LEARNED.

[1] https://lore.kernel.org/all/20231016-fdb_limit-v5-0-32cddff87758@avm.de/

Signed-off-by: Gregor Herburger <gregor.herburger@ew.tq-group.com>
2024-07-22 10:27:56 +02:00
Mike Yuan
757e469d26 core/service: imply Type=exec if credentials are used
When credentials are used with Type=simple + ExecStartPost=,
i.e. when multiple sd-executor instances are running in parallel
for a single service, the state of final credential dir
might be unexpected wrt path_is_mount_point() and other
steps. So, let's imply Type=exec if not explicitly specified,
and emit a warning otherwise.
2024-07-21 19:10:58 +01:00
Etienne Champetier
0a4ecc54cb udev-builtin-net_id: use firmware_node/sun for ID_NET_NAME_SLOT
pci_get_hotplug_slot() has the following limitations:
- if slots are not hotpluggable, they are not in /sys/bus/pci/slots.
- the address at /sys/bus/pci/slots/X/addr doesn't contains the function part,
  so on some system, 2 different slots with different _SUN end up with the same
  hotplug_slot, leading to naming conflicts.
- it tries all parent devices until it finds a slot number, which is incorrect,
  and what led to NAMING_BRIDGE_MULTIFUNCTION_SLOT being disabled.

The use of PCI hotplug to find the slot (ACPI _SUN) was introduced in
0035597a30
"udev: net_id - export PCI hotplug slot names" on 2012/11/26.
At the same time on the kernel side we got
bb74ac23b1
"ACPI: create _SUN sysfs file" on 2012/11/16.

Using PCI hotplug was the only way at the time, but now 12 years later we can use
firmware_node/sun sysfs file.
Looking at a small selection of server HW, for HPE (Gen10 DL325), the _SUN is attached
to the NIC device, whereas for Dell (R640/R6515/R6615) and Cisco (UCSC-C220-M5SX),
the _SUN is on the first parent pcieport.

We still fallback to pci_get_hotplug_slot() to handle the s390 case and
maybe some other coner cases (_SUN on grand parent device that is not a
bridge ?).
2024-07-21 18:36:37 +01:00
Lennart Poettering
c06b84d816 man: clarify what TTYReset= and TTYVTDisallocate= do and do not do regarding screen clearing 2024-07-19 11:44:04 +02:00
Lucas Werkmeister
8c4aa0f1c6 man: Mention Type=oneshot timeout directive
Make the warning for oneshot services (where RuntimeMaxSec= has no
effect) more actionable by pointing to the directive people can use
instead to effectively limit their runtime.
2024-07-19 09:39:51 +02:00
Luca Boccassi
09edabe96a id128: add 'var-partition-uuid' verb
As per DPS the UUID for /var/ should be keyed by the local machine-id,
which is non-trivial to do in a script. Enhance 'systemd-id128' to
take 'var-partition-uuid' as a verb, and if so perform the
calculation.
2024-07-17 18:05:40 +02:00
chayleaf
21aa180b4a fstab-generator: add x-systemd.wants
This is an analog of x-systemd.requires that adds a Wants dependency
instead. This is useful for filesystems that support mounting in
degraded states (such as multi-device filesystems).
2024-07-15 10:18:18 +02:00
Merlin Jehli
274a38c79a
machine-id: Add cmdline argument to use VM behaviour on bare metal (#32086)
Closes #30707
2024-07-13 18:00:16 +02:00
Adrian Vovk
db8849f2d4
sysupdate: Support changelogs & appstream metadata
Makes it possible to specify URLs to a changelog and an appstream
catalog XML in the sysupdate.d/*.conf files. This will be passed along
to the clients of systemd-sysupdated, which can then present this data.
2024-07-12 14:38:09 +01:00
Adrian Vovk
c0d6186227
sysupdate: Add --offline mode
This prevents sysupdate from going out to the network to enumerate
available instances. When combined with the list command, this lets us
query installed instances
2024-07-12 14:38:09 +01:00
Mike Yuan
8288417b74
Merge pull request #33559 from YHNdnzj/reenable-now
systemctl: support reenable --now plus some other cleanups
2024-07-10 19:14:25 +02:00
Lennart Poettering
035b98b607
Merge pull request #33660 from poettering/mount-tool-tweaks
minor tweaks to "systemd-mount"
2024-07-10 12:00:13 +02:00
Lennart Poettering
40d9c16d1e man: some fixes
Addons are called addons, say so. And some other fixes.
2024-07-10 10:08:59 +02:00
Lennart Poettering
66f4f49c8f mount-tool: add support for a --json= output mode
Let's add a JSON output mode, like we have it for so many of our tools.
2024-07-10 09:35:31 +02:00
Kuntal Majumder
f9572d2b89 man: fix typo in unit options section
Fixes #32918
2024-07-09 22:47:25 +02:00
Mike Yuan
98aedce914
systemctl-enable: support reenable --now
Also, instead of silently continuing when template units
are specified with enable --now, print a warning and skip them.

Closes #31541
2024-07-09 16:46:13 +02:00
ZHANG Yuntian
3f0e7fd4fd man: fix typo in the alias symlink name
Symlink created by Alias will use the value as the file name.
2024-07-09 10:44:40 +02:00
Mike Yuan
fbd2748f87
Merge pull request #33627 from YHNdnzj/systemctl-triggering-warning
systemctl: some fixes for active triggering unit warning
2024-07-08 14:01:17 +02:00
Tobias Fleig
fc31d929c7 stub: Add support for .ucode EFI addons
This extends #31872 to also load microcode from addon files.
2024-07-08 11:43:40 +02:00
Mike Yuan
399646faac
man/systemctl: --no-reload is honored by mask/unmask/preset too 2024-07-04 20:36:02 +02:00
Lennart Poettering
72a6296b16 man: fully adopt ~/.local/state/
The XDG base dir spec adopted ~/.local/state/ as a thing a while back,
and we updated our docs in b4d6bc63e6, but
forgot to to update the table at the bottom to fully reflect the update.
Fix that.
2024-07-04 15:26:17 +02:00
Lennart Poettering
39aafbd42a man: mention that distinction between /usr/lib/ and /usr/share/ is really about shared *ownership* 2024-07-04 15:26:17 +02:00
Lennart Poettering
26db8fe247 man: drop version info from file hiearchy man page
This file doesn't document features of systemd, but is more a of a
general description that generalizes/modernizes FHS. As such, the items
listed in it weren't "added" in systemd versions, they simply reflect
general concepts independent of any specific systemd version. hence
let's drop this misleading and confusing version info.

Or in other words, the man page currently claims under "/usr/": "Added
in version 215." – Which of course is rubbish, the directory existed
since time began.

This also rebreaks all paragaphs this touches.

No content changes.
2024-07-04 15:26:17 +02:00
Lennart Poettering
89ed34459e ukify: bring order of EFI sections in man + --help into same order as spec
Previously, the order was quite chaotic, even sometimes interleaved with
entirely unrelated switches. Let's clean this up and use the same order
as in the spec.

This doesn't change anything real, but I think it's a worthy clean-up in
particular as this order is documented as the PCR measurement order of
these sections, hence there's actually a bit of relevance to always
communicate the same order everywhere.
2024-07-03 16:21:34 +02:00
Lennart Poettering
c8bcf7ecf7 measure: drop incomplete support for PCRs != 11
At this point we have a clearer model:

* systemd-measure should be used for measuring UKIs on vendor build
  systems, i.e. only cover stuff predictable by the OS vendor, and
  identical on all systems. And that is pretty much only PCR 11.

* systemd-pcrlock should cover the other PCRs, which carry inherently
  local information, and can only be predicted locally and not already
  on vendor build systems.

Because of that, let's not bother with any PCRs except for 11 in
systemd-measure. This was added at a time where systemd-pcrlock didn't
exist yet, and hence it wasn't clear how this will play out in the end.
2024-07-03 16:15:04 +02:00
Lennart Poettering
a90682f981 storagetm: add --list-devices command 2024-07-01 16:39:40 +02:00
Lennart Poettering
3a37a13a02 repart: add --list-devices switch for listing candidate block devices 2024-07-01 16:39:40 +02:00
Lennart Poettering
e742c99999 cryptenroll: add --list-devices switch that shows candidate block devices 2024-07-01 16:39:40 +02:00
Antonio Alvarez Feijoo
b268a71069 man/varlinkctl: add list-methods command to synopsis and fix typo
Follow-up for 16cfe84c24
2024-06-28 15:14:59 +02:00
Giovanni Baratta
d108198f39 man/tmpfiles: remove outdated behavior regarding symlink ownership
Update the man page of tmpfiles.d to remove outdated comments regarding the behavior of ownership with symlinks.
The behavior has been changed in this commit 51207ca134
2024-06-27 18:24:07 +02:00
Kamil Szczęk
fd8ed7f26b cryptsetup: allow customizing cache behavior
The new "password-cache" option allows customizing behavior of the
ask-password module in regards to caching credentials in the kernel
keyring. There are 3 possible values for this option:
  * read-only - look for credentials in kernel keyring before asking
  * on - same as read-only, but also save credentials input by user
  * off - disable keyring credential cache

Currently the cache is forced upon the user and this can cause issues.
For example, if user wants to attach two volumes with two different
FIDO2 tokens in a quick succession, the attachment operation for the
second volume will use the PIN cached from the first FIDO2 token, which
of course will fail and since tokens are only attempted once, this will
cause fallback to a password prompt.
2024-06-27 13:00:49 +02:00
Kamil Szczęk
53b6c99018 cryptsetup: make key discovery more robust
Currently, if user doesn't specify a key file, /etc/cryptsetup-keys.d/
and /run/cryptsetup-keys.d/ will be searched for a key file with name
matching the volume name. But current implementation has an important
flaw. When the auto-discovered key is a socket file - it will read the
key only once, while the socket might provide different keys for
different types of tokens. The issue is fixed by trying to discover the
key on each unlock attempt, this way we can populate the socket bind
name with something the key provider might use to differentiate between
different keys it has to provide.
2024-06-27 12:58:45 +02:00
Lennart Poettering
e44e109baa varlink: add ability to invoke and talk to remote service binary via SSH 2024-06-27 10:56:51 +02:00
Luca Boccassi
8e6d95846b
Merge pull request #33491 from keszybz/allow-interactive-auth-in-inhibit
Allow interactive auth in inhibit
2024-06-26 23:01:22 +02:00
Luca Boccassi
d031b5876b
Merge pull request #33338 from ml-/specifiers
tmpfiles: add %q, %A, %M specifiers
2024-06-26 21:40:15 +02:00
Mike Yuan
6343d2ea50
man/capsule@.service: the capsule user is prefixed with "c-" rather than "p_" 2024-06-26 16:47:48 +02:00
Carlo Teubner
6733d691bb man/capsule@.service.xml: fix typo 2024-06-26 16:45:42 +02:00
Zbigniew Jędrzejewski-Szmek
a87b7aa1a1 inhibit: add --no-ask-password option and allow interactive polkit auth
It seems entirely reasonable to make a policy which e.g. allows block operations
for interactive users after authentication. The tool should support this, so that
more complicated local policies can be used.

Related to https://github.com/systemd/systemd/pull/30307.
2024-06-26 15:04:06 +02:00
Matthias Lisin
999a661d1e
man: Add %q specifier to repart.d, sysusers.d 2024-06-26 04:18:14 +02:00
Matthias Lisin
282bda46f1
tmpfiles: use common macro for a set of specifiers
This adds %q, %A and %M specifiers to tmpfiles:
- %A and %M were previously added to tmpfiles.d man page, but not to specifier_table
- %q is added via COMMON_SYSTEM_SPECIFIERS
2024-06-26 04:18:14 +02:00
Lennart Poettering
7f1c31829b
Merge pull request #33003 from poettering/repart-progress
repart: draw progress bar during CopyBlocks= operation and other tweaks
2024-06-25 14:08:04 +02:00
Lennart Poettering
468d09c319 repart: allow reading from char device for CopyBlocks=
Sometimes it is useful to allow initializing a partition with randomized
data, hence allow reading from a char device as source for CopyBlocks=
2024-06-25 10:05:07 +02:00
Lennart Poettering
5f87b035fa import: add generator that synthesizes download jobs from kernel cmdline 2024-06-25 09:57:42 +02:00
nerdopolis
952b26c75d login: Add a new SecureAttentionKey dbus signal when Ctrl+Alt+Shift+Esc is pressed 2024-06-24 22:29:38 +02:00
Mike Yuan
c53580bf2e
Merge pull request #33401 from yuwata/journal-revert-source-boottime-timestamp
journal: partially revert recent changes
2024-06-24 15:34:16 +02:00
Diego Viola
a78394a49a man: fix double is typo in systemd-tmpfiles
Signed-off-by: Diego Viola <diego.viola@gmail.com>
2024-06-22 17:06:26 +09:00
Mike Yuan
9d50d053f3
core: expose PrivateTmp=disconnected
As discussed in https://github.com/systemd/systemd/pull/32724#discussion_r1638963071

I don't find the opposite reasoning particularly convincing.
We have ProtectHome=tmpfs and friends, and those can be
pretty much trivially implemented through TemporaryFileSystem=
too. The new logic brings many benefits, and is completely generic,
hence I see no reason not to expose it. We can even get more tests
for the code path if we make it public.
2024-06-21 17:31:44 +02:00
Mike Yuan
c3662116b9
man/org.freedesktop.systemd1: Status{Bus,Varlink}Error belongs to Service, not Scope
Follow-up for 9c025022d9

Ugh, shouldn't have done this bit when I was sleepy...
2024-06-21 16:47:28 +02:00
Lennart Poettering
d42edbf1b8
Merge pull request #33430 from YHNdnzj/buserror-notify
core/service: store BUSERROR= & VARLINKERROR= received and show them through systemctl status
2024-06-20 23:05:32 +02:00
Mike Yuan
9c025022d9
core/service: store BUSERROR= & VARLINKERROR= received through notification
Closes #6073
2024-06-20 19:03:44 +02:00
Lennart Poettering
da213bb5c0 varlinkctl: add --graceful= option for optionally marking some errors as successes
This is generally useful, but in some cases particularly: when
implementing enumeration calls that use the "more" flag to return
multiple replies then for the first reply we need to return an error in
case the list of objects to enumerate is empty, usually so form of
"NoSuchXYZ" error. In many cases this shouldn't really be treated as
error, as an empty list probably more than not is as valid as a list
with one, two or more entries.
2024-06-20 18:20:09 +02:00
Ludwig Nussel
0e10c3d872 logind: implement maintenance time
Update frameworks that work automatically in the background
occasionally need to schedule reboots. Systemd-logind already
provides a nice mechanism to schedule shutdowns, send notfications
and block logins short before the time. Systemd has a framework for
calendar events, so we may conveniently use logind to define a
maintenance time for reboots.

The existing ScheduleShutdown DBus method in logind expects a usec_t
with an absolute time. Passing USEC_INFINITY as magic value now tells
logind to take the time from the configured maintenance time if set.

"shutdown -r" leverages that and uses the maintenance time
automatically if configured. The one minute default is still used if
nothing was specified.

Similarly the new 'auto' setting for the --when parameter of systemctl
uses the maintenance time if configured or a one minute timer like the
shutdown command.
2024-06-20 14:37:42 +02:00
Kamil Szczęk
e262205eb7 cryptenroll: support for enrolling FIDO2 tokens in manual mode
systemd-cryptsetup supports a FIDO2 mode with manual parameters, where
the user provides all the information necessary for recreating the
secret, such as: credential ID, relaying party ID and the salt. This
feature works great for implementing 2FA schemes, where the salt file
is for example a secret unsealed from the TPM or some other source.
While the unlocking part is quite straightforward to set up, enrolling
such a keyslot - not so easy. There is no clearly documented
way on how to set this up and online resources are scarce on this topic
too. By implementing a straightforward way to enroll such a keyslot
directly from systemd-cryptenroll we streamline the enrollment process
and reduce chances for user error when doing such things manually.
2024-06-20 14:26:24 +02:00
Ludwig Nussel
8ce171bf51 bootctl: add --random-seed=yes/no 2024-06-20 14:26:13 +09:00
Diego Viola
11b46dc117 man: fix typo in systemd-tmpfiles
Signed-off-by: Diego Viola <diego.viola@gmail.com>
2024-06-20 13:02:06 +09:00
Antonio Alvarez Feijoo
111f988992 kernel-install: correct the place where it works in man and help text 2024-06-20 03:01:22 +09:00
Maximilian Wilhelm
163bb43cea man/systemd.exec: list inaccessible files for ProtectKernelTunables 2024-06-20 03:00:59 +09:00
Yu Watanabe
3176c78e68
Merge pull request #32868 from keszybz/more-whomification
Fix confusion between killer and prey
2024-06-20 02:59:14 +09:00
Yu Watanabe
9545f643bb man: drop reference to _SOURCE_MONOTONIC_TIMESTAMP=
The timestamp is broken at least now. We should not advertise it.
2024-06-20 00:10:12 +09:00
Zbigniew Jędrzejewski-Szmek
cd2fb04960 Fix confusion between killer and prey
"who" is the entity doing the killing, "whom" is the target.
Follow-up for 4ccde410a3.
2024-06-19 16:22:23 +02:00
pyfisch
051d462b42 Use consistent spelling of systemd.condition_first_boot argument 2024-06-19 09:01:35 +02:00
Mike Yuan
fd41dfc135 man/systemd.journal-fields: document _SOURCE_{MONOTONIC,BOOTTIME}_TIMESTAMP
Follow-up for a9357c2ce2
2024-06-19 14:50:02 +09:00
Lennart Poettering
c142a8fbcb man: suffix tmpfiles.d with /, as per coding style 2024-06-18 14:46:00 +01:00
Lennart Poettering
41064a3c97 tmpfiles: insist on at least one configuration file being specified on --purge
Also, extend the man page explanation substantially, matching more
closely what --create says.

Fixes: #33349
2024-06-18 14:45:59 +01:00
Luca Boccassi
fcbe3e3b2e
Merge pull request #32724 from bluca/dynamic_user_no_private_tmp
core: do not imply PrivateTmp with DynamicUser, create a private tmpfs instead
2024-06-18 00:11:11 +01:00
Luca Boccassi
0e551b04ef core: do not imply PrivateTmp with DynamicUser, create a private tmpfs instead
DynamicUser= enables PrivateTmp= implicitly to avoid files owned by reusable uids
leaking into the host. Change it to instead create a fully private tmpfs instance
instead, which also ensures the same result, since it has less impactful semantics
with respect to PrivateTmp=yes, which links the mount namespace to the host's /tmp
instead. If a user specifies PrivateTmp manually, let the existing behaviour
unchanged to ensure backward compatibility is not broken.
2024-06-17 17:05:55 +01:00
Mike Yuan
d4d90ef900
Merge pull request #33214 from keszybz/system-clock-epoch
Rework the setting and description of system clock to the epoch
2024-06-16 17:42:47 +02:00
Mike Yuan
b5c8cc0a3b man,units: drop "temporary" from description of systemd-tmpfiles
Historically, systemd-tmpfiles was designed to manager temporary
files, but nowadays it has become a generic tool for managing
all kinds of files. To avoid user confusion, let's remove "temporary"
from the tool's description.

As discussed in #33349
2024-06-15 19:08:35 +02:00
Zbigniew Jędrzejewski-Szmek
863098fdc9 man: describe setting of the clock by systemd and systemd-timesyncd
The setting of systemd clock is important and deserves an accurate description,
see for example:
https://discussion.fedoraproject.org/t/f38-to-f39-40-dnf-system-upgrade-can-fail-on-raspberry-pi/92403
https://bugzilla.redhat.com/show_bug.cgi?id=2242759

The meat of the description was in systemd-timesyncd.service(8), but
actually it's systemd that sets the clock. In particular, systemd-timesyncd
doesn't know anything about /usr/lib/clock-epoch, and since systemd sets
the clock to the epoch when initializing, systemd-timesyncd would only
get to advance the clock to the epoch under special circumstances.
Also, systemd-timesyncd is an optional component, so we can't even rely
on its man page being installed in all circumstances. The description needs
to be moved to systemd(1).

The description is updated to describe the changes that were made in
previous commits.
2024-06-15 16:58:11 +02:00
Nick Rosbrook
9ebcac3b51 man: add a bit of a warning to systemd-tmpfiles --purge
Mention that by default, /home is managed by tmpfiles.d/home.conf, and
recommend that users run systemd-tmpfiles --dry-run --purge first to
see exactly what will be removed.
2024-06-15 00:00:53 +01:00
Luca Boccassi
a2979bb842
Merge pull request #33046 from poettering/varlinkctl-quiet
varlinkctl: add --quiet/-q switch for suppressing method call reply output
2024-06-13 16:17:17 +01:00
Kamil Szczęk
d5fa6e6ca7 cryptsetup: manual FIDO2 PIN, UP and UV configuration
When in FIDO2 mode with manual parameters, i.e. when not reading the
parameters off the LUKS2 header, the current behavior in regards to PIN,
UP and UV features is to default to v248 logic, where we use PIN + UP
when needed, and do not configure UV at all. Let's allow users to
configure those features in manual mode too.
2024-06-13 13:50:39 +02:00
Lennart Poettering
cd4e9166bb varlinkctl: add "-q" switch for suppressing varlinkctl output 2024-06-13 11:30:52 +02:00
Lennart Poettering
16cfe84c24 varlinkctl: add new list-methods verb
For putting together "varlinkctl call" command lines it's useful to
quickly enumerate all methods implemented by a service. Hence, let's add
a new "list-methods" which uses the introspection data of a service to
quickly list methods.

This is implemented as a special flavour of the "introspect" logic,
and just suppresses all output except for the method names.
2024-06-13 09:37:15 +02:00
Lennart Poettering
2475b0e81a varlinkctl: make interface argument to "introspect" optional, and allow more than one
let's make it easier to use the introspection functionality of
"varlinkctl": if no interface name is shown, display the introspection
data of all available interfaces. Moreover, allow that multiple
interfaces can be listed, in which case we enumerate them all.

This relieves the user from having to list interfaces first in order to
find the ones which to introspect.
2024-06-13 09:35:23 +02:00
Lennart Poettering
86d754050b man: add brief intro page to new sd-json APIs 2024-06-12 18:42:22 +02:00