1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 06:25:37 +03:00
Commit Graph

121 Commits

Author SHA1 Message Date
Yu Watanabe
b48ed70c79 Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae3 (partially),
e176f85527,
ceb46a31a0, and
51bb9076ab.

The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It calls synchrnous netlink call, it should not be especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be
  questionable, at least, there was no justification PID1 should support
  it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.

Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
2022-06-22 22:23:58 +09:00
Topi Miettinen
c0548df0a2 core: firewall integration with ControlGroupNFTSet=
New directive `ControlGroupNFTSet=` provides a method for integrating services
into firewall rules with NFT sets.

Example:

```
table inet filter {
...
        set timesyncd {
                type cgroupsv2
        }

        chain ntp_output {
                socket cgroupv2 != @timesyncd counter drop
                accept
        }
...
}
```

/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
ControlGroupNFTSet=inet:filter:timesyncd
```

```
$ sudo nft list set inet filter timesyncd
table inet filter {
        set timesyncd {
                type cgroupsv2
                elements = { "system.slice/systemd-timesyncd.service" }
        }
}
```
2022-06-08 16:12:25 +00:00
Benjamin Franzke
a25d9395ad tree-wide: streamline wiki links
* Avoid traling slash as most links are defined without.
* Always use https:// protocol and www. subdomain

Allows for easier tree-wide linkvalidation
for our migration to systemd.io.
2022-05-21 14:28:03 +02:00
Zbigniew Jędrzejewski-Szmek
6f83ea60e9 man: beef up the description of systemd-oomd.service
The gist of the description is moved from systemd.resource-control
to systemd-oomd man page. Cross-references to OOMPolicy, memory.oom.group,
oomctl, ManagedOOMSwap and ManagedOOMMemoryPressure are added in all
places.

The descriptions are also more down-to-earth: instead of talking
about "taking action" let's just say "kill". We *might* add configuration
for different actions in the future, but we're not there yet, so let's
just describe what we do now.
2022-04-28 15:46:44 +02:00
Sho Iizuka
17cfd6f96f man: how to unset CPUQuota=
This description will help users who are trying to reset the already configured
CPUQuota= by trying incorrect ways such as CPUQuota=0 or CPUQUota=infinity.
2021-12-13 19:43:56 +00:00
Lennart Poettering
49e9218ae3
Merge pull request #20768 from pdmorrow/shutdown_cgroup_ctrl
cgroups: apply StartupAllowedCPUs= and StartupAllowedMemoryNodes= during shutdown
2021-09-27 13:44:54 +02:00
Zbigniew Jędrzejewski-Szmek
a14e028e86 man: cross-reference DeviceAllow= and PrivateDevices=
They are somewhat similar, but not easy to discover, esp. considering that
they are described in different pages.

For PrivateDevices=, split out the first paragraph that gives the high-level
overview. (The giant second paragraph could also use some heavy editing to break
it up into more digestible chunks, alas.)
2021-09-27 09:19:02 +02:00
Peter Morrow
058a2d8f13 man: Startup* updates for systemd.resource-control
All Startup*= directives now also apply to the shutdown phase as well as
boot phase.
2021-09-24 15:09:54 +01:00
Peter Morrow
c93a7d4ad3 docs: update docs with StartupAllowedCPUs and StartupAllowedMemoryNodes details
Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2021-09-15 09:52:12 +01:00
Yu Watanabe
d4e30ad1fb tree-wide: fix typo 2021-08-22 09:46:22 +01:00
Mauricio Vásquez
795ccb03e0 man: add RestrictNetworkInterfaces= documentation
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2021-08-18 15:55:54 -05:00
Julia Kartseva
120338ae33 man: document ip proto in SocketBind{Allow|Deny}= 2021-06-30 00:36:33 -07:00
Lennart Poettering
7dbc38db50 man: explicit say for priority/weight values whether more is more or less
Fixes: #17523
2021-05-26 12:42:13 +01:00
Lennart Poettering
f80a206aa4 socket-bind: use lowercase "ipv4"/"ipv6" spelling
In most of our codebase when we referenced "ipv4" and "ipv6" on the
right-hand-side of an assignment, we lowercases it (on the
left-hand-side we used CamelCase, and thus "IPv4" and "IPv6"). In
particular all across the networkd codebase the various "per-protocol
booleans" use the lower-case spelling. Hence, let's use lower-case for
SocketBindAllow=/SocketBindDeny= too, just make sure things feel like
they belong together better.

(This work is not included in any released version, hence let's fix this
now, before any fixes in this area would be API breakage)

Follow-up for #17655
2021-05-11 15:37:31 +02:00
Julia Kartseva
6359811021 man: add SocketBind{Allow|Deny}= documentation 2021-04-26 16:26:28 -07:00
Julia Kartseva
ee08909059 man: add BPFProgram= documentation 2021-04-09 20:28:47 -07:00
Zbigniew Jędrzejewski-Szmek
34507fa9e9 man: remove details of ManagedOOMPreference implementation 2021-02-25 21:14:04 +01:00
Zbigniew Jędrzejewski-Szmek
a8136f1bc0 man: advertise shared drop-ins more
systemd.unit(5) is a wall of text. And this particular feature can be very useful
in the context of resource control. Let's avertise this cool feature a bit more.

Fixes #17900.
2021-02-25 21:14:04 +01:00
Zbigniew Jędrzejewski-Szmek
326152af4d man: use markup more in description of ManagedOOMPreference=
Follow-up for d8a4d64bc3.
2021-02-25 21:14:04 +01:00
Anita Zhang
d8a4d64bc3 man: document ManagedOOMPreference= 2021-02-12 12:46:22 -08:00
Anita Zhang
0a9f93443b oom: rework *MemoryPressureLimit= properties to have 1/10000 precision
Requested in
https://github.com/systemd/systemd/pull/15206#discussion_r505506657,
preserve the full granularity for memory pressure limits (permyriad)
instead of capping out at percent.
2021-02-02 17:52:48 -08:00
Pavel Hrdina
16455ee2b1 man: fix small issue in AllowedMemoryNodes description
It should not mention "CPU" but "NUMA nodes".
2021-01-30 18:19:17 +01:00
Zbigniew Jędrzejewski-Szmek
75909cc7e4 man: various typos and other small issues
Fixes #18397.
2021-01-29 08:42:39 +01:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
Anita Zhang
cf3e57884e man: document systemd-oomd and related items 2020-10-09 02:40:19 -07:00
Lennart Poettering
037857507a man: fix xml tags 2020-08-20 13:19:01 +02:00
Benjamin Berg
29bb3d7fc4 man: Improve MemoryMin=/MemoryLow= description
The description didn't really explain how the distribution mechanism
works exactly and the relationship of leaf and slice units.

Update the documentation and also explicitly explain the expected
behaviour as it is created by the memory_recursiveprot cgroup2 mount
option.
2020-08-19 11:17:02 +02:00
Lennart Poettering
6b000af4f2 tree-wide: avoid some loaded terms
https://tools.ietf.org/html/draft-knodel-terminology-02
https://lwn.net/Articles/823224/

This gets rid of most but not occasions of these loaded terms:

1. scsi_id and friends are something that is supposed to be removed from
   our tree (see #7594)

2. The test suite defines an API used by the ubuntu CI. We can remove
   this too later, but this needs to be done in sync with the ubuntu CI.

3. In some cases the terms are part of APIs we call or where we expose
   concepts the kernel names the way it names them. (In particular all
   remaining uses of the word "slave" in our codebase are like this,
   it's used by the POSIX PTY layer, by the network subsystem, the mount
   API and the block device subsystem). Getting rid of the term in these
   contexts would mean doing some major fixes of the kernel ABI first.

Regarding the replacements: when whitelist/blacklist is used as noun we
replace with with allow list/deny list, and when used as verb with
allow-list/deny-list.
2020-06-25 09:00:19 +02:00
Lennart Poettering
92d64d1444 man: s/PROGRAMM/PROGRAM/ 2020-06-23 17:13:26 +02:00
Zbigniew Jędrzejewski-Szmek
e1a0423266 man: reword description of IPAddressDeny/Allow a bit 2020-05-26 11:13:06 +02:00
Anita Zhang
5403e15337 man: update list of supported controllers 2020-03-05 13:53:29 +09:00
Lennart Poettering
f27a21d48b man: document the limits of the block device discovery for IO cgroup options
Fixes: #14271
2020-01-17 10:08:13 +01:00
Zbigniew Jędrzejewski-Szmek
246be82bd4 man: link to specific sections of cgroups-v2 document
The document is rather huge, and a specific link is easier to consume. The form
is a bit strange because troff puts the symlink at the bottom, keyed by title,
so we need to use the same link target in all places.
2020-01-09 16:47:34 +01:00
Zbigniew Jędrzejewski-Szmek
bb6d563a50 doc: link to html versions of cgroup docs
Also stop linking to some (obsolete) v1 documentation.
2020-01-09 16:47:34 +01:00
Lennart Poettering
3a827125e7 man: stop recommending modprobe -abq in ExecStartPre= 2020-01-07 19:00:56 +01:00
Zbigniew Jędrzejewski-Szmek
f8b68539d0 man: fix a few bogus entries in directives index
When wrong element types are used, directives are sometimes placed in the wrong
section. Also, strip part of text starting with "'", which is used in a few
places and which is displayed improperly in the index.
2019-11-21 22:06:30 +01:00
Chris Down
ba79e19cb2 cgroup: docs: memory.high doc fixups
The docs just tautologically call this the "high limit". Just call it
throttling as we do in cgroup-v2.rst.
2019-09-30 14:30:14 +01:00
Chris Down
b62087d4d0 cgroup: docs: Mention unbounded protection for memory.{low,min}
I got asked why Memory{Low,Min} don't allow "infinity". They do, but the
docs don't say that like they already do for Memory{High,Max}.
2019-09-30 14:23:32 +01:00
Pavel Hrdina
047f5d63d7 cgroup: introduce support for cgroup v2 CPUSET controller
Introduce support for configuring cpus and mems for processes using
cgroup v2 CPUSET controller.  This allows users to limit which cpus
and memory NUMA nodes can be used by processes to better utilize
system resources.

The cgroup v2 interfaces to control it are cpuset.cpus and cpuset.mems
where the requested configuration is written.  However, it doesn't mean
that the requested configuration will be actually used as parent cgroup
may limit the cpus or mems as well.  In order to reflect the real
configuration cgroup v2 provides read-only files cpuset.cpus.effective
and cpuset.mems.effective which are exported to users as well.
2019-09-24 15:16:07 +02:00
Lennart Poettering
3ff668cb9a man: reword DeviceAllow= documentation
Don't claim we'd use cgroup.deny much. It's just a way to remove stuff
from device lists, which is nothing we allow users to explicitly
configure.

Also, extend documentation when wildcards may be used, and when not.
2019-07-31 16:06:15 +02:00
Lennart Poettering
00d85bbb60 man: document the modprobe hack for DeviceAllow= 2019-07-23 13:30:56 +02:00
Kai Lüke
fab347489f bpf-firewall: custom BPF programs through IP(Ingress|Egress)FilterPath=
Takes a single /sys/fs/bpf/pinned_prog string as argument, but may be
specified multiple times. An empty assignment resets all previous filters.

Closes https://github.com/systemd/systemd/issues/10227
2019-06-25 09:56:16 +02:00
Chris Down
acdb4b5236 cgroup: Polish hierarchically aware protection docs a bit
I missed adding a section in `systemd.resource-control` about
DefaultMemoryMin in #12332.

Also, add a NEWS entry going over the general concept.
2019-05-08 12:06:32 +01:00
Chris Down
c52db42b78 cgroup: Implement default propagation of MemoryLow with DefaultMemoryLow
In cgroup v2 we have protection tunables -- currently MemoryLow and
MemoryMin (there will be more in future for other resources, too). The
design of these protection tunables requires not only intermediate
cgroups to propagate protections, but also the units at the leaf of that
resource's operation to accept it (by setting MemoryLow or MemoryMin).

This makes sense from an low-level API design perspective, but it's a
good idea to also have a higher-level abstraction that can, by default,
propagate these resources to children recursively. In this patch, this
happens by having descendants set memory.low to N if their ancestor has
DefaultMemoryLow=N -- assuming they don't set a separate MemoryLow
value.

Any affected unit can opt out of this propagation by manually setting
`MemoryLow` to some value in its unit configuration. A unit can also
stop further propagation by setting `DefaultMemoryLow=` with no
argument. This removes further propagation in the subtree, but has no
effect on the unit itself (for that, use `MemoryLow=0`).

Our use case in production is simplifying the configuration of machines
which heavily rely on memory protection tunables, but currently require
tweaking a huge number of unit files to make that a reality. This
directive makes that significantly less fragile, and decreases the risk
of misconfiguration.

After this patch is merged, I will implement DefaultMemoryMin= using the
same principles.
2019-04-12 17:23:58 +02:00
Lennart Poettering
ef81ce6e80 man: clarify which addresses are affected by IPAddressAllow=/IPAddressDeny=
For ingress traffic it's the source address of IP packets we check, for
egress traffic it's the destination address. Mention that.
2019-03-29 16:17:55 +01:00
Zbigniew Jędrzejewski-Szmek
3a54a15760 man: use same header for all files
The "include" files had type "book" for some raeason. I don't think this
is meaningful. Let's just use the same everywhere.

$ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n  "http^gms' man/*.xml
2019-03-14 14:42:05 +01:00
Zbigniew Jędrzejewski-Szmek
0307f79171 man: standarize on one-line license header
No need to waste space, and uniformity is good.

$ perl -i -0pe 's|\n+<!--\s*SPDX-License-Identifier: LGPL-2.1..\s*-->|\n<!-- SPDX-License-Identifier: LGPL-2.1+ -->|gms' man/*.xml
2019-03-14 14:29:37 +01:00
Filipe Brandenburger
10f2864111 core: add CPUQuotaPeriodSec=
This new setting allows configuration of CFS period on the CPU cgroup, instead
of using a hardcoded default of 100ms.

Tested:
- Legacy cgroup + Unified cgroup
- systemctl set-property
- systemctl show
- Confirmed that the cgroup settings (such as cpu.cfs_period_ns) were set
  appropriately, including updating the CPU quota (cpu.cfs_quota_ns) when
  CPUQuotaPeriodSec= is updated.
- Checked that clamping works properly when either period or (quota * period)
  are below the resolution of 1ms, or if period is above the max of 1s.
2019-02-14 11:04:42 -08:00
Yu Watanabe
d1698b82e6 man: add referecne to systemd-system.conf 2019-02-01 12:31:51 +01:00
Chris Down
c72703e26d cgroup: Add DisableControllers= directive to disable controller in subtree
Some controllers (like the CPU controller) have a performance cost that
is non-trivial on certain workloads. While this can be mitigated and
improved to an extent, there will for some controllers always be some
overheads associated with the benefits gained from the controller.
Inside Facebook, the fix applied has been to disable the CPU controller
forcibly with `cgroup_disable=cpu` on the kernel command line.

This presents a problem: to disable or reenable the controller, a reboot
is required, but this is quite cumbersome and slow to do for many
thousands of machines, especially machines where disabling/enabling a
stateful service on a machine is a matter of several minutes.

Currently systemd provides some configuration knobs for these in the
form of `[Default]CPUAccounting`, `[Default]MemoryAccounting`, and the
like. The limitation of these is that Default*Accounting is overrideable
by individual services, of which any one could decide to reenable a
controller within the hierarchy at any point just by using a controller
feature implicitly (eg. `CPUWeight`), even if the use of that CPU
feature could just be opportunistic. Since many services are provided by
the distribution, or by upstream teams at a particular organisation,
it's not a sustainable solution to simply try to find and remove
offending directives from these units.

This commit presents a more direct solution -- a DisableControllers=
directive that forcibly disallows a controller from being enabled within
a subtree.
2018-12-03 15:40:31 +00:00