1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 09:21:26 +03:00
Commit Graph

37895 Commits

Author SHA1 Message Date
Lennart Poettering
59f13dd6f8 remount-fs: optionally remount / writable, if we are told through an env var 2018-12-18 14:47:44 +01:00
Lennart Poettering
58b86fdf1d remount-fs: split code for tracking PIDs in hashmap
Just some refactoring, no change in behaviour.
2018-12-18 14:47:06 +01:00
Lennart Poettering
e0fe3a03ab remount-fs: use PATH_IN_SET() at one more place 2018-12-18 14:38:30 +01:00
Lennart Poettering
8a9c44edf9 gpt-auto: compare kernel cmdline args with proc_cmdline_key_streq() 2018-12-18 14:38:30 +01:00
Lennart Poettering
e4abfc77c4
Merge pull request #11197 from keszybz/various-fixups
Various fixups
2018-12-18 14:35:00 +01:00
Lennart Poettering
6b256626c5
Merge pull request #11191 from poettering/hashmap-clear
rework hashmap_clear()
2018-12-18 14:34:39 +01:00
Lennart Poettering
64d7f7b4a1 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

Fixes: #1219
2018-12-18 14:21:35 +01:00
Lennart Poettering
52ef7bbbe6 units: sort [Service] sections alphabetically 2018-12-18 14:21:35 +01:00
Zbigniew Jędrzejewski-Szmek
04c65645fa Revert "units: set NoNewPrivileges= for all long-running services"
This reverts commit 3ca9940cb9.

Let's split the commit in two: the sorting and the changes.
Because there's a requirement to update selinux policy, this change is
incompatible, strictly speaking. I expect that distributions might want to
revert this particular change. Let's make it easy.
2018-12-18 14:20:32 +01:00
Zbigniew Jędrzejewski-Szmek
459aec5c88
Merge pull request #11200 from poettering/mailmap-updates-240
updates for .mailmap and NEWS
2018-12-18 14:00:59 +01:00
Lennart Poettering
b99b316497
Merge pull request #11194 from poettering/resolved-soa-parent
be more conservative with set of RRs to authenticate
2018-12-18 13:07:24 +01:00
Lennart Poettering
144d7f1dc6 NEWS: add one more item 2018-12-18 13:04:43 +01:00
Lennart Poettering
c37e2358c9 NEWS: update contributors list, taking new .mailmap into account 2018-12-18 12:56:56 +01:00
Lennart Poettering
40f714d8f8 sort .mailmap alphabetically 2018-12-18 12:55:00 +01:00
Lennart Poettering
a0795d48f2 update .mailmap a bit from v240 contributions 2018-12-18 12:53:58 +01:00
Zbigniew Jędrzejewski-Szmek
568ef98723 test-mountpoint-util: more debug info 2018-12-18 12:20:01 +01:00
Zbigniew Jędrzejewski-Szmek
c512dfb9ac meson: print EFI CC configuration nicely
In 595343fb4c it was converted to an array.
This doesn't look good in the output. Let's convert it back to a string.
2018-12-18 12:20:01 +01:00
Zbigniew Jędrzejewski-Szmek
3fa3dc9e44 meson: rename two more variables from _c to _sources
_c is misleading because .h files should be included in those lists too
(this tells meson that the build outputs should be rebuilt if the header
files change).

Follow-up for 1437822638.
2018-12-18 12:19:52 +01:00
Zbigniew Jędrzejewski-Szmek
2811184a09 systemctl: add comment why whitespace in message is needed 2018-12-18 12:18:49 +01:00
Zbigniew Jędrzejewski-Szmek
8872c3a391 test-hashmap: add test to compare hashmap_free performance
The point here is to compare speed of hashmap_destroy with free and a different
freeing function, to the implementation details of hashmap_clear can be
evaluated.

Results:
current code:

/* test_hashmap_free (slow, 1048576 entries) */
string_hash_ops test took 2.494499s
custom_free_hash_ops test took 2.640449s

string_hash_ops test took 2.287734s
custom_free_hash_ops test took 2.557632s

string_hash_ops test took 2.299791s
custom_free_hash_ops test took 2.586975s

string_hash_ops test took 2.314099s
custom_free_hash_ops test took 2.589327s

string_hash_ops test took 2.319137s
custom_free_hash_ops test took 2.584038s

code with a patch which restores the "fast path" using:
    for (idx = skip_free_buckets(h, 0); idx != IDX_NIL; idx = skip_free_buckets(h, idx + 1))
in the case where both free_key and free_value are either free or NULL:

/* test_hashmap_free (slow, 1048576 entries) */
string_hash_ops test took 2.347013s
custom_free_hash_ops test took 2.585104s

string_hash_ops test took 2.311583s
custom_free_hash_ops test took 2.578388s

string_hash_ops test took 2.283658s
custom_free_hash_ops test took 2.621675s

string_hash_ops test took 2.334675s
custom_free_hash_ops test took 2.601568s

So the test is noisy, but there clearly is no significant difference with the
"fast path" restored. I'm surprised by this, but it shows that the current
"safe" implementation does not cause a performance loss.

When the code is compiled with optimization, those times are significantly
lower (e.g. 1.1s and 1.4s), but again, there is no difference with the "fast
path" restored.

The difference between string_hash_ops and custom_free_hash_ops is the
additional cost of global modification and the extra function call.
2018-12-18 12:04:08 +01:00
Zbigniew Jędrzejewski-Szmek
32ca29115e test-hashmap: use the usual function headers and print timing stats
This makes it slightly easier to watch for performance changes.
2018-12-18 12:04:04 +01:00
Zbigniew Jędrzejewski-Szmek
70b400d9c2 hashmap: use ternary op to shorten code 2018-12-18 12:04:00 +01:00
Filipe Brandenburger
7f09920585 lldp: add test coverage for sd_lldp_get_neighbors() with multiple neighbors
In particular, check that the order of the results is consistent.

This test coverage will be useful in order to refactor the compare_func
used while sorting the results.

When introduced, this test also uncovered a memory leak in sd_lldp_stop(),
which was then fixed by a separate commit using a specialized function
as destructor of the LLDP Hashmap.

Tested:
  $ ninja -C build/ test
  $ valgrind --leak-check=full build/test-lldp
2018-12-18 11:28:10 +01:00
Lennart Poettering
8ae1a821b3 sd-lldp: accept if a neighbor is already removed from the hashtable 2018-12-18 11:28:10 +01:00
Lennart Poettering
c380b84d8b hashmap: rework hashmap_clear() to be more defensive
Let's first remove an item from the hashmap and only then destroy it.
This makes sure that destructor functions can mdoify the hashtables in
their own codee and we won't be confused by that.
2018-12-18 11:28:10 +01:00
Lennart Poettering
6d72da2f3e resolved: mention which RRs we query when requesting them to authenticate some other RR 2018-12-18 11:25:21 +01:00
Lennart Poettering
d5acaa51db resolved: only attempt non-answer SOA RRs if they are parents of our query
There's no value in authenticating SOA RRs that are neither answer to
our question nor parent of our question (the latter being relevant so
that we have a TTL from the SOA field for negative caching of the actual
query).

By being to eager here, and trying to authenticate too much we run the
risk of creating cyclic deps between our transactions which then causes
the over-all authentication to fail.

Fixes: #9771
2018-12-18 11:25:21 +01:00
Lennart Poettering
1a126325eb timesync: fix serialization of IP address
Fixes: #11169
2018-12-18 00:59:14 +01:00
Lennart Poettering
98a7b55a53 NEWS: document the usern/mknod borkage in 4.18 a bit 2018-12-17 21:36:30 +01:00
Lennart Poettering
46b028f250 NEWS: add missing 'not' 2018-12-17 20:51:11 +01:00
Lennart Poettering
7db43ec32f docs: add missing section to ENVIRONMENT.md
No, this is not an env var understood by logind. Let's fix the
confusoin.
2018-12-17 20:48:22 +01:00
Lennart Poettering
4f9cf94c4a
Merge pull request #11144 from keszybz/dissect-image-fix
Fix for dissect-image use in nspawn
2018-12-17 19:36:36 +01:00
Michal Sekletar
4c70a4a748 core: do cgroup migration first and only then connect to journald
Fixes #11162
2018-12-17 19:22:30 +01:00
Lennart Poettering
500c65ad69
Merge pull request #11167 from yuwata/sd-resolve-typesafe
sd-resolve: introduce typesafe macros
2018-12-17 19:22:07 +01:00
Alexey Bogdanenko
8f9f3cb724 core: fix KeyringMode for user services
KeyringMode option is useful for user services. Also, documentation for the
option suggests that the option applies to user services. However, setting the
option to any of its allowed values has no effect.

This commit fixes that and removes EXEC_NEW_KEYRING flag. The flag is no longer
necessary: instead of checking if the flag is set we can check if keyring_mode
is not equal to EXEC_KEYRING_INHERIT.
2018-12-17 16:56:36 +01:00
Lennart Poettering
95cde1ed24
Merge pull request #11159 from keszybz/udev-typedef
Udev typedef and normal error reporting
2018-12-17 16:19:10 +01:00
Michal Sekletar
672773b63a journald: correctly attribute log messages also with cgroupsv1
With cgroupsv1 a zombie process is migrated to root cgroup in all
hierarchies. This was changed for unified hierarchy and /proc/PID/cgroup
reports cgroup to which process belonged before it exited.

Be more suspicious about cgroup path reported by the kernel and use
unit_id provided by the log client if the kernel reports that process is
running in the root cgroup.

Users tend to care the most about 'log->unit_id' mapping so systemctl
status can correctly report last log lines. Also we wouldn't be able to
infer anything useful from "/" path anyway.

See: 2e91fa7f6d
2018-12-17 15:16:11 +01:00
Lennart Poettering
a9238f6a33
Merge pull request #11184 from poettering/resolved-search-domains-max
resolve: bump max of dns servers/search domains
2018-12-17 15:15:45 +01:00
Tore Anderson
93158c77bc resolve: enable EDNS0 towards the 127.0.0.53 stub resolver
This appears to be necessary for client software to ensure the reponse data
is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o
StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is
not enabled. The debugging output reveals that the `SSHFP` records were
found in DNS, but were considered insecure.

Note that the patch intentionally does *not* enable EDNS0 in the
`/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver`
entries for the upstream DNS servers), as it is impossible to know for
certain that all the upstream DNS servers handles EDNS0 correctly.
2018-12-17 15:15:18 +01:00
Zbigniew Jędrzejewski-Szmek
a8040b6d0a dissect-image: wait for the main device and all partitions to be known by udev
Fixes #10526.

Even if we waited for the root device to appear, the mount could still fail if
we didn't wait for udev to initalize the device. In particular, the
/dev/block/n:m path used to mount the device is created by udev, and nspawn
would sometimes win the race and the mount would fail with -ENOENT.

The same wait is done for partitions, since if we try to mount them, the same
considerations apply.

Note: I first implemented a version which just does a loop (with a short wait).
In that approach, udev takes on average ~800 µs to initialize the loopback
device. The approach where we set up a monitor and avoid the loop is a bit
nicer. There doesn't seem to be a significant difference in speed.
With 1000 invocations of 'systemd-nspawn -i image.squashfs echo':

loop (previous approach):
real	4m52.625s
user	0m37.094s
sys	2m14.705s

monitor (this patch):
real	4m50.791s
user	0m36.619s
sys	2m14.039s
2018-12-17 13:50:57 +01:00
Zbigniew Jędrzejewski-Szmek
b887c8b8a8 dissect-image: wait for the root to appear
dissect-image would wait for the root device and paritions to appear. But if we
had an image with no partitions, we'd not wait at all. If the kernel or udev
were slow in creating device nodes or symlinks, subsequent mount attempt might
fail if nspawn won the race.

Calling wait_for_partitions_to_appear() in case of no partitions means that we
verify that the kernel agrees that there are no partitions. We verify that the
kernel sees the same number of partitions as blkid, so let's that also in this
case.

This makes the failure in #10526 much less likely, but doesn't eliminate it
completely. Stay tuned.
2018-12-17 13:50:57 +01:00
Zbigniew Jędrzejewski-Szmek
ea887be00b dissect-image: split out a chunk of dissect_image() out
No functional change, just moving code around.
2018-12-17 13:50:57 +01:00
Zbigniew Jędrzejewski-Szmek
ed435031a5 rfkill: move wait_for_initialized() to shared/
The function interface is the same, except that the output pointer may be NULL.

The implementation is slightly simplified by taking advantage of changes in
ancestor commit 'sd-device: attempt to read db again if it wasn't found', by
not creating a new sd_device object before re-checking the is_initialized
status.

v2:
- In v1, the old object was always used and the device received back from the
  sd_device_monitor_start callback was ignored. I *think* the result will be
  equivalent in both cases, because by the time we the callback gets called,
  the db entry in the filesystem will also exist, and any subsequent access to
  properties of the object would trigger a read of the database from disk. But
  I'm not certain, and anyway, using the device object received in the callback
  seems cleaner.
2018-12-17 13:50:51 +01:00
Lennart Poettering
b950ee06e6 resolve: bump max of dns servers/search domains
Apparently people want more of these (as #11175 shows). Since this is
merely a safety limit for us, let's just bump all values substantially.

Fixes: #11175
2018-12-17 13:34:50 +01:00
Zbigniew Jędrzejewski-Szmek
11c49e6df5 sd-device: remove holes in struct sd_device
Normally, we don't care too much about what pahole reports. But this structure
could potentially be allocated for every device on the system, i.e. in a large
number of copies. 5 vs 7 cache lines is nice.

/* size: 400, cachelines: 7, members: 53 */
/* sum members: 330, holes: 12, sum holes: 70 */
/* last cacheline: 16 bytes */

/* size: 320, cachelines: 5, members: 53 */
/* bit holes: 1, sum bit holes: 6 bits */
/* bit_padding: 5 bits */
2018-12-17 12:29:28 +01:00
Zbigniew Jędrzejewski-Szmek
bce48452b8
Merge pull request #11077 from yuwata/udev-issue-better-fix
sd-device: do not change buffer size if the socket is already bound
2018-12-17 12:13:35 +01:00
Zbigniew Jędrzejewski-Szmek
c9cd236f92
Merge pull request #11180 from yuwata/update-bash-completion
several updates of bash completion for udevadm, resolvectl, and nspawn
2018-12-17 12:11:00 +01:00
Zbigniew Jędrzejewski-Szmek
582de70f2f
Merge pull request #11086 from poettering/nscd-cache-flush
flush nscd's caches when we register user/groups/hostnames
2018-12-17 11:29:58 +01:00
lbernstone
cb84bb25d5 hwdb: add accelerometer orientation quirk for the Teclast F5 (#11005) 2018-12-17 09:33:35 +01:00
Zbigniew Jędrzejewski-Szmek
2e08871534 udev: use typedef for struct udev_event 2018-12-17 09:27:24 +01:00