1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

70836 Commits

Author SHA1 Message Date
Lennart Poettering
3557f1a62a resolvectl: add JSON output support for "resolvectl query"
It's easy to add. Let's do so.

This only covers record lookups, i.e. with the --type= switch.

The higher level lookups are not covered, I opted instead to print a
message there to use --type= instead.

I am a bit reluctant to defining a new JSON format for the high-level
lookups, hence I figured for now a helpful error is good enough, that
points people to the right use.

Fixes: #29755
2024-01-31 16:13:16 +01:00
Lennart Poettering
bcb004d5ae
Merge pull request #31144 from poettering/less-loopback
don't try to setup a loopback network device unless CLONE_NEWNET is selected (i.e. not in CLONE_NEWIPC case)
2024-01-31 16:05:37 +01:00
Frantisek Sumsal
1d556e9e2a test: use a dropin for the journald snippet
The original way of appending to /etc/systemd/journald.conf doesn't work
anymore, since we no longer ship the default configs in /etc/.
2024-01-31 13:00:01 +00:00
Lennart Poettering
4f6d671dd1 test-namespace: SOCK_CLOEXEC'ify all the things 2024-01-31 13:22:33 +01:00
Lennart Poettering
a5387637c2 namespace: don't invoke loopback_setup() unless we allocate a CLONE_NEWNET namespace
It doesn't really make sense to initialize the loopback device if we are
not called for a network namespace.

Follow-up for 54c2459d56
2024-01-31 13:22:07 +01:00
Franck Bui
887b2529eb man: always install bootctl
Since dedb925eaf /usr/bin/bootctl is always built
so does its man page.
2024-01-31 10:32:46 +00:00
Lennart Poettering
4fec9fed61
Merge pull request #30847 from keszybz/some-docs-updates
Some docs updates
2024-01-31 11:09:56 +01:00
Lennart Poettering
f277d99c30 update TODO 2024-01-31 10:11:00 +01:00
Daan De Meyer
dce5d31c75 mkosi: Stop using file provides with CentOS/Fedora
dnf5 does not download filelists metadata by default anymore as this
consists of a pretty big chunk of the repository metadata. Let's make
sure the filelists metadata doesn't have to be downloaded by dnf5 by
removing any usage of file provides from our package lists.
2024-01-31 09:50:54 +01:00
Adrian Vovk
691b99160d homed: Add InhibitSuspend() method
This returns an FD that can be used to temporarily inhibit the automatic
locking on system suspend behavior of homed. As long as the FD is open,
LockAllHomes() won't lock that home directory on suspend. This allows
desktop environments to implement custom more complicated behavior
2024-01-31 09:48:23 +01:00
Lennart Poettering
116ce3f391
Merge pull request #31039 from AdrianVovk/slice-freeze-thaw
Rework slice recursive freeze/thaw
2024-01-31 09:48:05 +01:00
Lennart Poettering
b45f47aaad
Merge pull request #30968 from poettering/per-user-creds
per-user encrypted credentials
2024-01-31 09:47:12 +01:00
Franck Bui
d537bf72ae meson: fix installation of html doc aliases
Apparently since 9289e093ae, "ln_s" takes
*absolute* paths only.
2024-01-30 17:56:48 +00:00
Frantisek Sumsal
62670a7752 meson: don't install broken tmpfiles config with sshd?confdir == 'no'
20-systemd-ssh-generator.conf expands SSHCONFDIR, which is bogus when we
build with -Dsshconfdir=no. Similarly, avoid expanding SSHDCONFDIR in
20-systemd-userdb.conf when building with -Dsshconfdir=no.

Follow-up 6c7fc5d5f2.
2024-01-30 17:56:21 +00:00
Frantisek Sumsal
cb3244c0dc test: explicitly set nsec3-iterations to 0
knot v3.2 and later does this by default. knot v3.1 still has the default set to
10, but it also introduced a warning that the default will be changed to 0 in
later versions, so it effectively complains about its own default, which then
fails the config check. Let's just set the value explicitly to zero to avoid
that.

~# knotc --version
knotc (Knot DNS), version 3.1.6
~# grep nsec3-iterations test/knot-data/knot.conf || echo nope
nope
~# knotc -c /build/test/knot-data/knot.conf conf-check
warning: config, policy[auto_rollover_nsec3].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Configuration is valid

Follow-up to 0652cf8e7b.
2024-01-30 17:53:10 +00:00
Adrian Vovk
4cb2e6af8d
core: Fail to start/stop/reload unit if frozen
Previously, unit_{start,stop,reload} would call the low-level cgroup
unfreeze function whenever a unit was started, stopped, or reloaded. It
did so with no error checking. This call would ultimately recurse up the
cgroup tree, and unfreeze all the parent cgroups of the unit, unless an
error occurred (in which case I have no idea what would happen...)

After the freeze/thaw rework in a previous commit, this can no longer
work. If we recursively thaw the parent cgroups of the unit, there may
be sibling units marked as PARENT_FROZEN which will no longer actually
have frozen parents. Fixing this is a lot more complicated than simply
disallowing start/stop/reload on a frozen unit

Fixes https://github.com/systemd/systemd/issues/15849
2024-01-30 11:18:16 -05:00
Adrian Vovk
16b6af6ade
core: Rework recursive freeze/thaw
This commit overhauls the way freeze/thaw works recursively:

First, it introduces new FreezerActions that are like the existing
FREEZE and THAW but indicate that the action was initiated by a parent
unit. We also refactored the code to pass these FreezerActions through
the whole call stack so that we can make use of them. FreezerState was
extended similarly, to be able to differentiate between a unit that's
frozen manually and a unit that's frozen because a parent is frozen.

Next, slices were changed to check recursively that all their child
units can be frozen before it attempts to freeze them. This is different
from the previous behavior, that would just check if the unit's type
supported freezing at all. This cleans up the code, and also ensures
that the behavior of slices corresponds to the unit's actual ability
to be frozen

Next, we make it so that if you FREEZE a slice, it'll PARENT_FREEZE
all of its children. Similarly, if you THAW a slice it will PARENT_THAW
its children.

Finally, we use the new states available to us to refactor the code
that actually does the cgroup freezing. The code now looks at the unit's
existing freezer state and the action being requested, and decides what
next state is most appropriate. Then it puts the unit in that state.
For instance, a RUNNING unit with a request to PARENT_FREEZE will
put the unit into the PARENT_FREEZING state. As another example, a
FROZEN unit who's parent is also FROZEN will transition to
PARENT_FROZEN in response to a request to THAW.

Fixes https://github.com/systemd/systemd/issues/30640
Fixes https://github.com/systemd/systemd/issues/15850
2024-01-30 11:18:15 -05:00
Lennart Poettering
4d8f4e02ba
Merge pull request #31109 from yuwata/nspawn-resolve-network-interface-before-move
nspawn: resolve network interface names before move to container namespace
2024-01-30 17:09:11 +01:00
Lennart Poettering
f669b6e7bb
Merge pull request #31120 from YHNdnzj/strv-env-non-pure
env-util: drop _pure_ for strv_env_get_n
2024-01-30 17:08:49 +01:00
Lennart Poettering
f65d44d1f6
Merge pull request #31124 from keszybz/various-small-tweaks
Various small tweaks
2024-01-30 17:08:21 +01:00
Lennart Poettering
fd40e7da6e update TODO 2024-01-30 17:07:47 +01:00
Lennart Poettering
7704c3474d man: document new user-scoped credentials 2024-01-30 17:07:47 +01:00
Lennart Poettering
6ab41e38e9 test: add integration test for per-user creds 2024-01-30 17:07:47 +01:00
Lennart Poettering
19f16c9935 creds: go via IPC service when unprivileged and trying to access services
Fixes: #30191
2024-01-30 17:07:47 +01:00
Lennart Poettering
2c3cbc5c01 creds-util: add IPC client wrapper for new varlink apis 2024-01-30 17:07:47 +01:00
Lennart Poettering
8464f7cbd6 creds: allow Varlink clients to encrypt/decrypt their own credentials without polkit authentication
Now that we have the concept of scoped credentials, we can allow
unprivileged clients to encrypt/decrypt them as longed as they are
scoped to them.
2024-01-30 17:07:47 +01:00
Lennart Poettering
c85b68f630 creds-tool: add --user/--uid= to operate with scoped credentials 2024-01-30 17:07:47 +01:00
Lennart Poettering
48d67957d5 creds-util: add a concept of "user-scoped" credentials
So far credentials are a concept for system services only: to encrypt or
decrypt credential you must be privileged, as only then you can access
the TPM and the host key.

Let's break this up a bit: let's add a "user-scoped" credential, that
are specific to users. Internally this works by adding another step to
the acquisition of the symmetric encryption key for the credential: if a
"user-scoped" credential is used we'll generate an symmetric encryption
key K as usual, but then we'll use it to calculate

    K' = HMAC(K, flags || uid || machine-id || username)

and then use the resulting K' as encryption key instead. This basically
includes the (public) user's identity in the encryption key, ensuring
that only if the right user credentials are specified the correct key
can be acquired.
2024-01-30 17:07:47 +01:00
Lennart Poettering
740b7870c9
Merge pull request #31121 from YHNdnzj/notify-man
notify: a few cleanups
2024-01-30 17:04:31 +01:00
Lennart Poettering
ee5252f854
Merge pull request #31126 from poettering/sleep-error-msg
sleep: change log level of some log messages
2024-01-30 17:04:15 +01:00
Yu Watanabe
613d953988 varlink: add short comment that the log message is checked in test
Follow-up for 038e455462.
2024-01-30 15:41:52 +00:00
Luca Boccassi
9c41e4eb2f socket-util: check for sysconf() error before using value
Otherwise -1 will be casted to uint32_t. Found by coverity.

CID#1533989

Follow-up for 7e8aa5c2ee
2024-01-30 15:19:16 +00:00
Antonio Alvarez Feijoo
0fa25bd5f4 conf-parser: fix OOM check 2024-01-30 12:46:24 +00:00
Yu Watanabe
a342d9e087 nspawn: resolve network interface names before moving to container network namespace
To escape a kernel issue fixed by
8e15aee621,
let's resolve provided interface names earlier, and adjust the interface
name pairs with the result.

Fixes #31104.
2024-01-30 20:37:13 +09:00
Yu Watanabe
3652891c39 sd-device: use new interface name resolvers 2024-01-30 20:37:13 +09:00
Yu Watanabe
4e235561d6 sd-netlink: unify network interface name getter and resolvers
This makes rtnl_resolve_interface() always check the existence of the
resolved interface, which previously did not when a decimal formatted
ifindex is provided, e.g. "1" or "42".
2024-01-30 20:37:04 +09:00
Lennart Poettering
e7be86519d sleep: upgrade fatal log message to LOG_ERR 2024-01-30 11:32:56 +01:00
Lennart Poettering
75d2752814 sleep: upgrade some unexpected errors to LOG_WARNING log messages 2024-01-30 11:32:41 +01:00
Lennart Poettering
b782080b7a sleep: remove redundant debug log message 2024-01-30 11:31:56 +01:00
Lennart Poettering
032bf2da46 sleep: add mising error message 2024-01-30 11:31:36 +01:00
Zbigniew Jędrzejewski-Szmek
8835a6ff0c man/networkd.conf: remove strange comment
Does anyone even read those pages‽
2024-01-30 11:27:31 +01:00
Zbigniew Jędrzejewski-Szmek
9af1281ed7 pstore: align table 2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
e9dc98c56b journald: inline one variable declaration 2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
2673d6fae0 shared/pretty-print: inline one more variable declaration 2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
f3663c0ec9 shared/pretty-print: use normal else-if cascade
This is not a hot path, but it seems silly to evalute subsequent branches,
which can never match once one has matched. Also, it makes the code harder to
read, because the reader has to first figure out that only one branch can
match.
2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
e1054a8bcd bsod: do not use STRLEN
The compiler optimizes strlen away, so we can use the simplest form that is
type safe and more natural. STRLEN is only for array initialization.
2024-01-30 10:11:07 +01:00
Zbigniew Jędrzejewski-Szmek
534fc25ad9 basic/alloc-util: drop unnecessary parens
By definition, a parameter cannot contain a comma because commas
are used to delimit parameters. So we also don't need to use parens
when the use site is delimited by commas.
2024-01-30 10:06:44 +01:00
Mike Yuan
70e80269aa
env-util: drop _pure_ for strv_env_get_n
This function calls getenv() internally, making it
non-pure, as envvars can change between two calls
even if passed arguments are the same.
2024-01-30 03:30:02 +08:00
Mike Yuan
17ca151733
env-util: don't use strlen_ptr if known non-NULL 2024-01-30 03:29:53 +08:00
Mike Yuan
ed5f10973b
notify: warn if notify msg specified along with --booted 2024-01-30 03:28:57 +08:00