1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

8773 Commits

Author SHA1 Message Date
Luca Boccassi
8e6d95846b
Merge pull request #33491 from keszybz/allow-interactive-auth-in-inhibit
Allow interactive auth in inhibit
2024-06-26 23:01:22 +02:00
Luca Boccassi
d031b5876b
Merge pull request #33338 from ml-/specifiers
tmpfiles: add %q, %A, %M specifiers
2024-06-26 21:40:15 +02:00
Mike Yuan
6343d2ea50
man/capsule@.service: the capsule user is prefixed with "c-" rather than "p_" 2024-06-26 16:47:48 +02:00
Carlo Teubner
6733d691bb man/capsule@.service.xml: fix typo 2024-06-26 16:45:42 +02:00
Zbigniew Jędrzejewski-Szmek
a87b7aa1a1 inhibit: add --no-ask-password option and allow interactive polkit auth
It seems entirely reasonable to make a policy which e.g. allows block operations
for interactive users after authentication. The tool should support this, so that
more complicated local policies can be used.

Related to https://github.com/systemd/systemd/pull/30307.
2024-06-26 15:04:06 +02:00
Matthias Lisin
999a661d1e
man: Add %q specifier to repart.d, sysusers.d 2024-06-26 04:18:14 +02:00
Matthias Lisin
282bda46f1
tmpfiles: use common macro for a set of specifiers
This adds %q, %A and %M specifiers to tmpfiles:
- %A and %M were previously added to tmpfiles.d man page, but not to specifier_table
- %q is added via COMMON_SYSTEM_SPECIFIERS
2024-06-26 04:18:14 +02:00
Lennart Poettering
7f1c31829b
Merge pull request #33003 from poettering/repart-progress
repart: draw progress bar during CopyBlocks= operation and other tweaks
2024-06-25 14:08:04 +02:00
Lennart Poettering
468d09c319 repart: allow reading from char device for CopyBlocks=
Sometimes it is useful to allow initializing a partition with randomized
data, hence allow reading from a char device as source for CopyBlocks=
2024-06-25 10:05:07 +02:00
Lennart Poettering
5f87b035fa import: add generator that synthesizes download jobs from kernel cmdline 2024-06-25 09:57:42 +02:00
nerdopolis
952b26c75d login: Add a new SecureAttentionKey dbus signal when Ctrl+Alt+Shift+Esc is pressed 2024-06-24 22:29:38 +02:00
Mike Yuan
c53580bf2e
Merge pull request #33401 from yuwata/journal-revert-source-boottime-timestamp
journal: partially revert recent changes
2024-06-24 15:34:16 +02:00
Diego Viola
a78394a49a man: fix double is typo in systemd-tmpfiles
Signed-off-by: Diego Viola <diego.viola@gmail.com>
2024-06-22 17:06:26 +09:00
Mike Yuan
9d50d053f3
core: expose PrivateTmp=disconnected
As discussed in https://github.com/systemd/systemd/pull/32724#discussion_r1638963071

I don't find the opposite reasoning particularly convincing.
We have ProtectHome=tmpfs and friends, and those can be
pretty much trivially implemented through TemporaryFileSystem=
too. The new logic brings many benefits, and is completely generic,
hence I see no reason not to expose it. We can even get more tests
for the code path if we make it public.
2024-06-21 17:31:44 +02:00
Mike Yuan
c3662116b9
man/org.freedesktop.systemd1: Status{Bus,Varlink}Error belongs to Service, not Scope
Follow-up for 9c025022d9

Ugh, shouldn't have done this bit when I was sleepy...
2024-06-21 16:47:28 +02:00
Lennart Poettering
d42edbf1b8
Merge pull request #33430 from YHNdnzj/buserror-notify
core/service: store BUSERROR= & VARLINKERROR= received and show them through systemctl status
2024-06-20 23:05:32 +02:00
Mike Yuan
9c025022d9
core/service: store BUSERROR= & VARLINKERROR= received through notification
Closes #6073
2024-06-20 19:03:44 +02:00
Lennart Poettering
da213bb5c0 varlinkctl: add --graceful= option for optionally marking some errors as successes
This is generally useful, but in some cases particularly: when
implementing enumeration calls that use the "more" flag to return
multiple replies then for the first reply we need to return an error in
case the list of objects to enumerate is empty, usually so form of
"NoSuchXYZ" error. In many cases this shouldn't really be treated as
error, as an empty list probably more than not is as valid as a list
with one, two or more entries.
2024-06-20 18:20:09 +02:00
Ludwig Nussel
0e10c3d872 logind: implement maintenance time
Update frameworks that work automatically in the background
occasionally need to schedule reboots. Systemd-logind already
provides a nice mechanism to schedule shutdowns, send notfications
and block logins short before the time. Systemd has a framework for
calendar events, so we may conveniently use logind to define a
maintenance time for reboots.

The existing ScheduleShutdown DBus method in logind expects a usec_t
with an absolute time. Passing USEC_INFINITY as magic value now tells
logind to take the time from the configured maintenance time if set.

"shutdown -r" leverages that and uses the maintenance time
automatically if configured. The one minute default is still used if
nothing was specified.

Similarly the new 'auto' setting for the --when parameter of systemctl
uses the maintenance time if configured or a one minute timer like the
shutdown command.
2024-06-20 14:37:42 +02:00
Kamil Szczęk
e262205eb7 cryptenroll: support for enrolling FIDO2 tokens in manual mode
systemd-cryptsetup supports a FIDO2 mode with manual parameters, where
the user provides all the information necessary for recreating the
secret, such as: credential ID, relaying party ID and the salt. This
feature works great for implementing 2FA schemes, where the salt file
is for example a secret unsealed from the TPM or some other source.
While the unlocking part is quite straightforward to set up, enrolling
such a keyslot - not so easy. There is no clearly documented
way on how to set this up and online resources are scarce on this topic
too. By implementing a straightforward way to enroll such a keyslot
directly from systemd-cryptenroll we streamline the enrollment process
and reduce chances for user error when doing such things manually.
2024-06-20 14:26:24 +02:00
Ludwig Nussel
8ce171bf51 bootctl: add --random-seed=yes/no 2024-06-20 14:26:13 +09:00
Diego Viola
11b46dc117 man: fix typo in systemd-tmpfiles
Signed-off-by: Diego Viola <diego.viola@gmail.com>
2024-06-20 13:02:06 +09:00
Antonio Alvarez Feijoo
111f988992 kernel-install: correct the place where it works in man and help text 2024-06-20 03:01:22 +09:00
Maximilian Wilhelm
163bb43cea man/systemd.exec: list inaccessible files for ProtectKernelTunables 2024-06-20 03:00:59 +09:00
Yu Watanabe
3176c78e68
Merge pull request #32868 from keszybz/more-whomification
Fix confusion between killer and prey
2024-06-20 02:59:14 +09:00
Yu Watanabe
9545f643bb man: drop reference to _SOURCE_MONOTONIC_TIMESTAMP=
The timestamp is broken at least now. We should not advertise it.
2024-06-20 00:10:12 +09:00
Zbigniew Jędrzejewski-Szmek
cd2fb04960 Fix confusion between killer and prey
"who" is the entity doing the killing, "whom" is the target.
Follow-up for 4ccde410a3.
2024-06-19 16:22:23 +02:00
pyfisch
051d462b42 Use consistent spelling of systemd.condition_first_boot argument 2024-06-19 09:01:35 +02:00
Mike Yuan
fd41dfc135 man/systemd.journal-fields: document _SOURCE_{MONOTONIC,BOOTTIME}_TIMESTAMP
Follow-up for a9357c2ce2
2024-06-19 14:50:02 +09:00
Lennart Poettering
c142a8fbcb man: suffix tmpfiles.d with /, as per coding style 2024-06-18 14:46:00 +01:00
Lennart Poettering
41064a3c97 tmpfiles: insist on at least one configuration file being specified on --purge
Also, extend the man page explanation substantially, matching more
closely what --create says.

Fixes: #33349
2024-06-18 14:45:59 +01:00
Luca Boccassi
fcbe3e3b2e
Merge pull request #32724 from bluca/dynamic_user_no_private_tmp
core: do not imply PrivateTmp with DynamicUser, create a private tmpfs instead
2024-06-18 00:11:11 +01:00
Luca Boccassi
0e551b04ef core: do not imply PrivateTmp with DynamicUser, create a private tmpfs instead
DynamicUser= enables PrivateTmp= implicitly to avoid files owned by reusable uids
leaking into the host. Change it to instead create a fully private tmpfs instance
instead, which also ensures the same result, since it has less impactful semantics
with respect to PrivateTmp=yes, which links the mount namespace to the host's /tmp
instead. If a user specifies PrivateTmp manually, let the existing behaviour
unchanged to ensure backward compatibility is not broken.
2024-06-17 17:05:55 +01:00
Mike Yuan
d4d90ef900
Merge pull request #33214 from keszybz/system-clock-epoch
Rework the setting and description of system clock to the epoch
2024-06-16 17:42:47 +02:00
Mike Yuan
b5c8cc0a3b man,units: drop "temporary" from description of systemd-tmpfiles
Historically, systemd-tmpfiles was designed to manager temporary
files, but nowadays it has become a generic tool for managing
all kinds of files. To avoid user confusion, let's remove "temporary"
from the tool's description.

As discussed in #33349
2024-06-15 19:08:35 +02:00
Zbigniew Jędrzejewski-Szmek
863098fdc9 man: describe setting of the clock by systemd and systemd-timesyncd
The setting of systemd clock is important and deserves an accurate description,
see for example:
https://discussion.fedoraproject.org/t/f38-to-f39-40-dnf-system-upgrade-can-fail-on-raspberry-pi/92403
https://bugzilla.redhat.com/show_bug.cgi?id=2242759

The meat of the description was in systemd-timesyncd.service(8), but
actually it's systemd that sets the clock. In particular, systemd-timesyncd
doesn't know anything about /usr/lib/clock-epoch, and since systemd sets
the clock to the epoch when initializing, systemd-timesyncd would only
get to advance the clock to the epoch under special circumstances.
Also, systemd-timesyncd is an optional component, so we can't even rely
on its man page being installed in all circumstances. The description needs
to be moved to systemd(1).

The description is updated to describe the changes that were made in
previous commits.
2024-06-15 16:58:11 +02:00
Nick Rosbrook
9ebcac3b51 man: add a bit of a warning to systemd-tmpfiles --purge
Mention that by default, /home is managed by tmpfiles.d/home.conf, and
recommend that users run systemd-tmpfiles --dry-run --purge first to
see exactly what will be removed.
2024-06-15 00:00:53 +01:00
Luca Boccassi
a2979bb842
Merge pull request #33046 from poettering/varlinkctl-quiet
varlinkctl: add --quiet/-q switch for suppressing method call reply output
2024-06-13 16:17:17 +01:00
Kamil Szczęk
d5fa6e6ca7 cryptsetup: manual FIDO2 PIN, UP and UV configuration
When in FIDO2 mode with manual parameters, i.e. when not reading the
parameters off the LUKS2 header, the current behavior in regards to PIN,
UP and UV features is to default to v248 logic, where we use PIN + UP
when needed, and do not configure UV at all. Let's allow users to
configure those features in manual mode too.
2024-06-13 13:50:39 +02:00
Lennart Poettering
cd4e9166bb varlinkctl: add "-q" switch for suppressing varlinkctl output 2024-06-13 11:30:52 +02:00
Lennart Poettering
16cfe84c24 varlinkctl: add new list-methods verb
For putting together "varlinkctl call" command lines it's useful to
quickly enumerate all methods implemented by a service. Hence, let's add
a new "list-methods" which uses the introspection data of a service to
quickly list methods.

This is implemented as a special flavour of the "introspect" logic,
and just suppresses all output except for the method names.
2024-06-13 09:37:15 +02:00
Lennart Poettering
2475b0e81a varlinkctl: make interface argument to "introspect" optional, and allow more than one
let's make it easier to use the introspection functionality of
"varlinkctl": if no interface name is shown, display the introspection
data of all available interfaces. Moreover, allow that multiple
interfaces can be listed, in which case we enumerate them all.

This relieves the user from having to list interfaces first in order to
find the ones which to introspect.
2024-06-13 09:35:23 +02:00
Lennart Poettering
86d754050b man: add brief intro page to new sd-json APIs 2024-06-12 18:42:22 +02:00
Lennart Poettering
8c5045f9b2 analyze: add verb for dumping SMBIOS Type #11 data
I find myself wanting to check this data with a quick command, and
browsing through /sys/ manually getting binary data sucks. Hence let's
do add a nice little analysis tool.
2024-06-12 12:48:28 +02:00
Дамјан Георгиевски
d357f129b2 vsock-mux ssh proxy
allow the ssh-proxy to connect to cloud-hypervisor/Firecracker guests,
via their unix-domain socket to AF_VSOCK multiplexer:

https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/vsock.md
https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md
2024-06-12 18:36:21 +09:00
Yu Watanabe
f7da67db58
Merge pull request #32720 from poettering/hostnamed-no-varlink-exit-on-idle
hostnamed: exit-on-idle tweaks
2024-06-12 18:25:24 +09:00
Matthieu Baerts (NGI0)
3f69070598 core/socket: allow MPTCP protocol
Multipath TCP (MPTCP), standardized in RFC8684 [1], is a TCP extension
that enables a TCP connection to use different paths. It allows a device
to make use of multiple interfaces at once to send and receive TCP
packets over a single MPTCP connection. MPTCP can aggregate the
bandwidth of multiple interfaces or prefer the one with the lowest
latency, it also allows a fail-over if one path is down, and the traffic
is seamlessly re-injected on other paths.

To benefit from MPTCP, both the client and the server have to support
it. Multipath TCP is a backward-compatible TCP extension that is enabled
by default on recent Linux distributions (Debian, Ubuntu, Redhat, ...).
Multipath TCP is included in the Linux kernel since version 5.6 [2]. To
use it on Linux, an application must explicitly enable it when creating
the socket:

  int sd = socket(AF_INET(6), SOCK_STREAM, IPPROTO_MPTCP);

No need to change anything else in the application.

This patch allows MPTCP protocol in the Socket unit configuration. So
now, a <unit>.socket can contain this to use MPTCP instead of TCP:

  [Socket]
  SocketProtocol=mptcp

MPTCP support has been allowed similarly to what has been already done
to allow SCTP: just one line in core/socket.c, a very simple addition
thanks to the flexible architecture already in place.

On top of that, IPPROTO_MPTCP has also been added in the list of allowed
protocols in two other places, and in the doc. It has also been added to
the missing_network.h file, for systems with an old libc -- note that it
was also required to include <netinet/in.h> in this file to avoid
redefinition errors.

Link: https://www.rfc-editor.org/rfc/rfc8684.html [1]
Link: https://www.mptcp.dev [2]
2024-06-12 00:14:08 +01:00
Kamil Szczęk
608bfe76c1 core: populate $REMOTE_ADDR for AF_UNIX sockets
Set the $REMOTE_ADDR environment variable for AF_UNIX socket connections
when using per-connection socket activation (Accept=yes). $REMOTE_ADDR
will now contain the remote socket's file system path (starting with a
slash "/") or its address in the abstract namespace (starting with an
at symbol "@").

This information is essential for identifying the remote peer in AF_UNIX
socket connections, but it's not easy to obtain in a shell script for
example without pulling in a ton of additional tools. By setting
$REMOTE_ADDR, we make this information readily available to the
activated service.
2024-06-12 00:11:10 +01:00
Lennart Poettering
48ce0824dc sd-bus: add new sd_bus_pending_method_calls() call 2024-06-11 23:17:38 +01:00
Zbigniew Jędrzejewski-Szmek
7b529bfc47 man: document that separate /usr/local/ must not be used for config
Since we document /usr/local/lib/systemd/ and other paths for various things,
add notes that this is not supported if /usr/local is a separate partition. In
systemd.unit, I tried to add the footnote in the table where
/usr/local/lib/systemd/ is listed, but that get's rendered as '[sup]a[/sup]'
with a mangled footnote at the bottom of the table :( .

Also, split paragraphs in one place where the subject changes without any
transition.

Follow-up for 02f35b1c90.
Replaces https://github.com/systemd/systemd/pull/33231.
2024-06-11 18:02:31 +01:00