IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This reverts commit 43c6d5abac
(and a small part of 4046d8361c)
It turns out we don't actually need to set the global ip_forward setting.
The only relevant setting is the one on each interface.
What the global toggle actually does is switch forwarding on/off for all
currently present interfaces and change the default for new ones.
That means that by setting the global ip_forward we
- Introduce a race condition, because if the interface with IPForward=yes
is brought up after one with IPForward=no, both will have forwarding
enabled, because the global switch turns it on for all interfaces.
If the other interface comes up first networkd correctly sets forward=0
and it doesn't get overridden.
- Change the forwarding setting for interfaces that networkd is not
configured to touch, even if the user disabled forwarding via sysctl,
either globally or per-interface
As forwarding works fine without this, as long as all relevant interfacest
individually set IPForward=yes: just drop it
This means that non-networkd interfaces use the global default while
networkd interfaces default to off if IPForward isn't given.
Previously all bind mount mounts were applied in the order specified,
followed by all tmpfs mounts in the order specified. This is
problematic, if bind mounts shall be placed within tmpfs mounts.
This patch hence reworks the custom mount point logic, and alwas applies
them in strict prefix-first order. This means the order of mounts
specified on the command line becomes irrelevant, the right operation
will always be executed.
While we are at it this commit also adds native support for overlayfs
mounts, as supported by recent kernels.
Previously, the man page suggested to only use nspawn for testing,
building, and debugging things. However, it is nowadays used in
production and used as building block for rocket, hence let's just admit
that it's pretty much production ready.
Some distributions (such as Fedora) are using the VARIANT field to
indicate to select packages which of several default configurations
they should be using. For example, VARIANT=Server provides a
different default firewall configuration (blocking basically
everything but SSH and the management console) whereas
VARIANT=Workstation opens many other ports for application
compatibility.
By adding this patch to the manual pages, we can standardize on a
cross-distribution mechanism for accomplishing this.
Fedora implementation details are available at
https://fedoraproject.org/wiki/Packaging:Per-Product_Configuration
(David: drop double paranthesis)
For a longer discussion see this:
http://lists.freedesktop.org/archives/systemd-devel/2015-April/030175.html
This introduces /run/systemd/fsck.progress as a simply
AF_UNIX/SOCK_STREAM socket. If it exists and is connectable we'll
connect fsck's -c switch with it. If external programs want to get
progress data they should hence listen on this socket and will get
all they need via that socket. To get information about the connecting
fsck client they should use SO_PEERCRED.
Unless /run/systemd/fsck.progress is around and connectable this change
reverts back to v219 behaviour where we'd forward fsck output to
/dev/console on our own.
Not that all functionality has been ported over to logind, the old
implementation can be removed. There goes one of the oldest parts of
the systemd code base.
The original idea of systemd.pc was to contain arch-independent system
and systemd information. By exposing libdir as part of the fields (added
in eb39a6239c), it started to carry
arch-dependent data, thus breaking multilib systems. It was then moved
to pkgconfiglibdir to deal with this (in
aec432c613), but actually the right
approach is to simply not include libdir in the .pc file at all.
THis patch hence more or less reverts both commits again, and moves the
.pc file back into pkgconfigdatadir.
As alternative for querying the systems primary libdir there's now
"systemd-path system-library-arch", hence a more correct alternative
exists for querying this variable from the .pc file.
Add UDPCheckSum option to enable transmitting UDP checksums when doing
VXLAN/IPv4. Add UDP6ZeroChecksumRx, and UDP6ZeroChecksumTx
options to enable sending zero checksums and receiving zero
checksums in VXLAN/IPv6
[tomegun: rebase manpage due to whitespace changes]
Generally, we will not follow symlinks, except for "w".
Avoid documentation for now for fifo, device node, directory lines,
which currently follow symlinks but better shouldn't.
"the name it is" is clumsy english, and since the most recently referred
to thing was a name anyway we can just leave the "it is".
This matches later uses in the same document.
systemd-timesyncd not only does NTP, but also manages clock monotonicity
using a flags file. In future, it might learn PTP support. Hence don't
expose its enablement state as "NTP" but use the more generic term
"network time synchronization". After all, for similar reasons
systemd-timesyncd is not called systemd-ntpd.
This introduces 'HoldoffTimeoutSec' to logind.conf to make
IGNORE_LID_SWITCH_{SUSPEND,STARTUP}_USEC configurable.
Background: If an external monitor is connected, or if the system is
docked, we want to ignore LID events. This is required to support setups
where a laptop is used with external peripherals while the LID is closed.
However, this requires us to probe all hot-plugged devices before reacting
to LID events. But with modern buses like USB, the standards do not impose
any timeout on the slots, so we have no chance to know whether a given
slot is used or not. Hence, after resume and startup, we have to wait a
fixed timeout to give the kernel a chance to probe devices. Our timeout
has always been generous enough to support even the slowest devices.
However, a lot of people didn't use these features and wanted to disable
the hold-off timer. Now we provide a knob to do that.
For daemons which have a main configuration file, there's
little reason for the administrator to use configuration snippets.
They are useful for packagers which need to override settings, but
we shouldn't advertise that as the main way of configuring those
services.
https://bugs.freedesktop.org/show_bug.cgi?id=89397
Introduce BindCarrier= to indicate the set of links that determine if
the current link should be brought UP or DOWN.
[tomegun: add a bit to commit message]
What used to be gummiboot, was renamed sd-boot when it was merged into
systemd. Let's try to be a bit more consistent with the rest of systemd
and rename it again as follows:
The EFI bootloader is now called 'systemd-bootx64.efi', and its sources are in
'src/boot/efi/'. The drop-in directory where bootctl will find EFI loaders
is now /usr/lib/systemd/boot/efi/.
We would require a match against all three: patterns specified
with --to, with --from, and as positional arguments to show an
edge. This does not seem useful. Let instead the positional args
behave like they were specified in both --to and --from, which is
fairly intuitive and should be more useful.
include-what-you-use automatically does this and it makes finding
unnecessary harder to spot. The only content of poll.h is a include
of sys/poll.h so should be harmless.
For now we only support the hardcoded values RT_SCOPE_{UNIVERSE,LOCAL,HOST},
and not numerical values or values from /etc/iproute2/rt_scopes.
This addresses https://bugs.freedesktop.org/show_bug.cgi?id=88508.
This allows both IPv4 and IPv6 link-local addresses to be enabled or disabled. By default
we still enable IPv6LL and disable IPv4LL. The old config option is kept for backwards
compatibility, but removed from the documentation.
When booting with systemd-bootchart, default to call the systemd binary
rather than the init binary on disk, which might be another init system.
Collecting data only works with booting systemd.
On my computer, the minimum brightness enforced by clamping in
backlight is too bright.
Let udev property ID_BACKLIGHT_CLAMP control whether the brightness
is clamped or not.
Both plain opendir() and glob() will bump access time. Privileged
option O_NOATIME can be used to prevent the access time from being
updated. We already used it for subdirectories of the directories
which we were cleaning up. But for the directories specified directly
in the config files, we wouldn't do that. This means that,
paradoxically, our own temporary directories for PrivateTmp would stay
around forever, as long as one let systemd-tmpfiles-clean.service run
regularly, because they had their own glob patterns specified.
https://bugzilla.redhat.com/show_bug.cgi?id=1183684
This patch introduces ipv6 gre and gretap.
test:
ip6gre.netdev:
[NetDev]
Name=ip6gretap
Kind=ip6gretap
[Tunnel]
Local=2a00:ffde:4567:edde::4987
Remote=2001:473:fece:cafe::5179
ip6gre.network:
[Match]
Name=eno16777736
[Network]
Tunnel=ip6gretap
ip link
6: ip6gre@eno16777736: <POINTOPOINT,NOARP> mtu 1448 qdisc noop state
DOWN mode DEFAULT group default
link/gre6 2a:00:ff🇩🇪45:67:ed🇩🇪00:00:00:00:00:00:49:87 peer
20:01:04:73:fe:ce:ca:fe:00:00:00:00:00:00:51:79
For ACLs to be valid, a set of entries for user, group, and other
must be always present. Always add those entries.
While at it, only add the mask ACL if it is actually required, i.e.
when at least on ACL for non-owner group or user exists.
For types which adapt existing files it is generally more useful to accept
globs.
In analogy to z and Z, add recursive versions using uppercase letters.
Technically, making a accept globs is backwards incompatible, but in
practice it probably isn't yet widely used and we can assume that most
people don't create files with wildcards in names.
Functions which are used as callbacks, but not directly on items, are
renamed not to have "item_" prefix.
The data structure used by tmpfiles is changed: instead of hashmaps
mapping {path → Item*} we now have hashmaps containing
{path -> ItemArray}, where ItemArray contains a pointer
to an array of Items.
For current code it doesn't matter much, but when we add new types it
is easier to simply add a new Item for a given path, then to coalesce
multiple lines into one Item.
In the future, this change will also make it possible to remember the
file and line where each Item originates, and use that in reporting
errors. Currently this is not possible, since each Item can be created
from multiple lines.
Given that this is also the place to store raw disk images which are
very much bootable with qemu/kvm it sounds like a misnomer to call the
directory "container". Hence, let's change this sooner rather than
later, and use the generic name, in particular since we otherwise try to
use the generic "machine" preferably over the more specific "container"
or "vm".
This introduces am AddressFamilyBoolean type that works more or less
like a booleaan, but can optionally turn on/off things for ipv4 and ipv6
independently. THis also ports the DHCP field over to it.
Now that networkd's IP masquerading support means that running
containers with "--network-veth" will provide network access out of the
box for the container, let's add a shortcut "-n" for it, to make it
easily accessible.
This adds two new settings to networkd's .network files:
IPForwarding=yes and IPMasquerade=yes. The former controls the
"forwarding" sysctl setting of the interface, thus controlling whether
IP forwarding shall be enabled on the specific interface. The latter
controls whether a firewall rule shall be installed that exposes traffic
coming from the interface as coming from the local host to all other
interfaces.
This also enables both options by default for container network
interfaces, thus making "systemd-nspawn --network-veth" have network
connectivity out of the box.
This turns "lock-session", "activate", "unlock-session",
"enable-linger", "disable-linger" into commands that take no argument,
optionally in which case the callers session/user is implied.
This patch adds more detail to the description of how path escaping
operates and provides a pointer to the systemd-escape program. Either
would serve to answer the question raised in the bug report, so
hopefully this will allow it to be closed.
https://bugs.freedesktop.org/show_bug.cgi?id=87688
With this change it is possible to send file descriptors to PID 1, via
sd_pid_notify_with_fds() which PID 1 will store individually for each
service, and pass via the usual fd passing logic on next invocation.
This is useful for enable daemon reload schemes where daemons serialize
their state to /run, push their fds into PID 1 and terminate, restoring
their state on next start from the data in /run and passed in from PID
1.
The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on
them, and the service they belong to are either not dead or failed, or
have a job queued.
See bug 87859 (https://bugs.freedesktop.org/show_bug.cgi?id=87859). Bug
reporter found the language describing the effect of specifying both a
day and date unclear; hopefully the attached patch will clarify and
allow the bug to be closed.
The handling of the command name and other arguments is unified. This
simplifies things and should make them more predictable for users.
Incidentally, this makes ExecStart handling match the .desktop file
specification, apart for the requirment for an absolute path.
https://bugs.freedesktop.org/show_bug.cgi?id=86171
This pulls out the hwdb managment from udevadm into an independent tool.
The old code is left in place for backwards compatibility, and easy of
testing, but all documentation is dropped to encourage use of the new
tool instead.
Also, when booting up an ephemeral container of / use the system
hostname as default machine name.
This way specifiyng -M is unnecessary when booting up an ephemeral
container, while allowing any number of ephemeral containers to run from
the same tree.
This adds --template= to duplicate an OS tree as btrfs snpashot and run
it
This also adds --ephemeral or -x to create a snapshot of an OS tree and
boot that, removing it after exit.
Let's stick to generic sections that describe the general technology,
instead of specific per-object sections, unless we really have a reason
to do that otherwise.
Support timer options --on-active=, --on-boot=, --on-startup=,
--on-unit-active=, --on-unit-inactive=, --on-calendar=. Each options
corresponding with OnActiveSec=, OnBootSec=, OnStartupSec=,
OnUnitActiveSec=, OnUnitInactiveSec=, OnCalendar= of timer
respectively. And OnCalendar= and WakeSystem= supported by
--timer-property= option like --property= of systemd-run.
And if --unit= option and timer options are specified the command can
be omitted. In this case, systemd-run assumes the target service is
already loaded. And just try to generate transient timer unit only.
This patch makes it possible to set extended attributes on files created
by tmpfiles. This can be especially used to set SMACK security labels on
volatile files and directories.
It is done by adding new line of type "t". Such line should contain
attributes in Argument field, using following format:
name=value
All other fields are ignored.
If value contains spaces, then it must be surrounded by quotation marks.
User can also put quotation mark in value by escaping it with backslash.
Example:
D /var/run/cups - - - -
t /var/run/cups - - - - security.SMACK64=printing
This has been requested repeatedly, so let's give it a go. We explicitly do not allow matching
on names that have already been changed (from a previous udev run, or otherwise), and matching
on unpredictable names (ethX) is discouraged (but not currently disallowed).
We also currently allow:
[Match]
Name=veth0
[Link]
Name=my-name0
SomeOtherSetting=true
Which means that the link file will be applied the first time it is invoked, but
not on subsequent invocations, which may be surprising.
This patch add support to specify path cost of the
bridge port to be configured via conf file.
Exampe: conf
file: br.netdev
[NetDev]
Name=br-test
Kind=bridge
file: br.network
[Match]
Name=em1
[Network]
Bridge=br-test
[BridgePort]
Cost=332
bridge link
2: em1 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master
br-test state disabled priority 32 cost 332
In man journald.conf, removes reference to XZ as sole form of
compression. See commit d89c8fdf48.
In man coredump.conf, clarifies that "Compression=" controls existence,
not type, of compression.
Several manpages contain duplicate text describing a standard set of .d
configuration directories, with the usual sorting, precedence,
overrides, and so on. Factor this common text out using XInclude before
proliferating it even further.
It helps editing units by either creating a drop-in file, like
/etc/systemd/system/my.service.d/override.conf, or by copying the
original unit from /usr/lib/systemd/ to /etc/systemd/ if the --full
option is specified.
It invokes an editor on temporary files related to the unit files and
if the editor exited successfully, then it renames the temporary files
to their original names (e.g. my.service or override.conf) and
daemon-reload is invoked.
If the temporary file is empty the modification is canceled.
See https://bugzilla.redhat.com/show_bug.cgi?id=906824
In principle SysV stuff is only for compatibility, but we are stuck
with it for the forseeable future, so documentation might as well
be provided.
https://bugs.debian.org/771172
This makes it possible to drop in logind configuration snippets from a
package or other configuration management mechanism.
Add documentation to the header of /etc/logind.conf pointing the user at
/etc/logind.conf.d/*.conf.
Introduce a new helper, conf_parse_many, to parse configuration files in
a search path.
systemd stops adding automatic dependencies on swap.target to swap
units. If a dependency is required, it has to be added by unit
configuration. fstab-generator did that already, except that now it is
modified to create a Requires or Wants type dependency, depending on
whether nofail is specified in /etc/fstab. This makes .swap units
obey the nofail/noauto options more or less the same as .mount units.
Documentation is extended to clarify that, and to make
systemd.mount(5) and system.swap(5) more similar. The gist is not
changed, because current behaviour actually matches existing
documentation.
https://bugs.freedesktop.org/show_bug.cgi?id=86488
This makes udevadm trigger mirror udevadm info, except that multiple
device names can be specified. Instructions in 60-keyboard.hwdb should
now actually work.
udevadm(8) is updated, but it could use a bit more polishing.
https://bugs.freedesktop.org/show_bug.cgi?id=82311
In service file, if the file has some of special SMACK label in
ExecStart= and systemd has no permission for the special SMACK label
then permission error will occurred. To resolve this, systemd should
be able to set its SMACK label to something accessible of ExecStart=.
So introduce new SmackProcessLabel. If label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.
[zj: reword man page]
The previous version was a bit too vague. It is better
to simply list all dependency types that are followed.
Previous version also made an emphasis on dependencies introduced by
configuration. But this command (or systemd) don't care about this
distinction between configured and automatically added dependencies at
all. This distinctionis removed from the main description, and an
explanatory paragraph is added to remind the user that all
dependencies are shown, no matter where they come from.
In the long run we really should figure out if we want to stick with 8ch
or 2ch indenting, and not continue with half-and-half. For now, just
make emacs aware of the files that use 2ch indenting.
--link-journal={host,guest} fail if the host does not have persistent
journalling enabled and /var/log/journal/ does not exist. Even worse, as there
is no stdout/err any more, there is no error message to point that out.
Introduce two new modes "try-host" and "try-guest" which don't fail in this
case, and instead just silently skip the guest journal setup.
Change -j to mean "try-guest" instead of "guest", and fix the wrong --help
output for it (it said "host" before).
Change systemd-nspawn@.service.in to use "try-guest" so that this unit works
with both persistent and non-persistent journals on the host without failing.
https://bugs.debian.org/770275